[keycloak-user] COMPOSITE_ROLE table duplicate rows issue
Haim Vana
haimv at perfectomobile.com
Tue Jan 3 03:48:27 EST 2017
Thanks for the quick response.
We are using your multi-tenancy support (realm for each customer) since we must have separate definitions, different admin user and other attributes for each customer – hence we can't really change that.
Can you please elaborate about the performance issues ? is it only within the keycloak UI or also when performing login and generating offline/access tokens via REST ?
In addition note that we are not using a single server, we have AWS cluster with 2 active machines (master-master) with shared postgresql DB,
Does the performance issues still applies in this architecture ? if so any idea how we can improve it ? (e.g. adding more machines, replace the DB to Mongo if possible, etc)
Also what is the recommended number of realms for that kind of architecture ? (currently we have about 207 realms and growing)
Thanks again,
Haim.
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, January 03, 2017 7:49 AM
To: Haim Vana <haimv at perfectomobile.com>
Cc: keycloak-user at lists.jboss.org; Moshe Ben-Shoham <mosheb at perfectomobile.com>; Boaz Hamo <boazh at perfectomobile.com>; Michael Dikman <michaeld at perfectomobile.com>
Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
You can create a bug report with the steps to reproduce. We can't really prioritize it though as we don't really test or recommend using that many realms on a single server. There are known performance impacts of having many realms (quite a few PRs around this atm that we'll look at merging in 3.x) and also some fundamental reasons why it's not quite right (master realm and the composite roles mainly).
On 2 January 2017 at 16:26, Haim Vana <haimv at perfectomobile.com<mailto:haimv at perfectomobile.com>> wrote:
The steps to reproduce is to use the keycloak admin API to generate multiple realms in parallel.
Note that it not always reproduced.
Simple defensive solution might be to add constraint to the table, not sure regrading performance impact.
From: Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
Sent: Monday, January 02, 2017 4:33 PM
To: Haim Vana <haimv at perfectomobile.com<mailto:haimv at perfectomobile.com>>
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>; Moshe Ben-Shoham <mosheb at perfectomobile.com<mailto:mosheb at perfectomobile.com>>; Boaz Hamo <boazh at perfectomobile.com<mailto:boazh at perfectomobile.com>>; Michael Dikman <michaeld at perfectomobile.com<mailto:michaeld at perfectomobile.com>>
Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
Strange. If you can provide steps to reproduce it we can look into it. Ideally a testcase within our existing testsuite.
On 27 December 2016 at 15:53, Haim Vana <haimv at perfectomobile.com<mailto:haimv at perfectomobile.com>> wrote:
Hi,
We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel.
We noticed that create realm API fails on timeout and DB showed locks on table COMPOSITE_ROLE.
Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows.
Deleting the duplicate rows solved the issue.
Any idea what might have caused the duplicated rows ? or how to prevent it ?
Also we have about 4000 rows in the COMPOSITE_ROLE row, does it make sense for about 160 realms ? (maybe we need to do some cleanup)
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=01%7C01%7Chaimv%40perfectomobile.com%7Ce20b3a4d6a4a4b9faeb808d4331c4101%7Cceb4c662d6994e7da0bd272619a46977%7C1&sdata=2Y1BmkIbZSPBJ4rOlPcqMc%2FTFt3fAwp4ZMuNIGSMbYw%3D&reserved=0>
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
More information about the keycloak-user
mailing list