[keycloak-user] Authorization services performance

Ori Doolman Ori.Doolman at amdocs.com
Wed Aug 22 09:23:39 EDT 2018


Thanks Pedro for the quick response.
I am not sure the high DB CPU load is only because of authorization requests. We need to do further analysis.
We are using the RedHat SSO version, hence it would be difficult to try the latest Keycloak version now. Will we see any improvement when trying RHSSO version 7.2 (currently the latest)?


Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)


From: Pedro Igor Silva <psilva at redhat.com>
Sent: Wednesday, August 22, 2018 15:11
To: Ori Doolman <Ori.Doolman at Amdocs.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authorization services performance

On Wed, Aug 22, 2018 at 8:38 AM, Ori Doolman <Ori.Doolman at amdocs.com> wrote:
Hi,

We are using Policy Enforcer in Java client (JBOSS FUSE) to send the permission ticket to Keycloak PDP for evaluating a pre-configured Javascript policy rule.
We are using Keycloak version 2.5.5.

Does that evaluation in Keycloak PDP occur in-memory, or does it perform a DB access each time?

If the cache is warm, there should not be any database hits. We cache not only entities (resources, policies, etc.) but also specific queries that are executed during evaluation.

In the latest version, 4.3.0.Final, we delivered quite a few performance improvements to the evaluation engine, like removal of redundant code and refactoring to optimize execution and decision cache on a per authorization request basis. We are still working on some other improvements as this is one of our main goals for future releases.

I would recommend that you try the latest version. There are other improvements too that I think you may benefit from. Things like being able to define the response format (if just a decision, a list of granted permissions or a standard OAuth2 response), limit the number of permissions that the server should process, pushed claims (with or without permission tickets), additional methods in the evaluation API, etc.




“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
