[keycloak-user] [Proposal] Hard Code the Composite Role Relationship of Admin Role into Java code not Database Records?

Mingjun Liu mingjliu.9 at gmail.com
Tue Mar 27 10:43:57 EDT 2018


Hi Team,

I found that the admin role in master realm will have all roles in
xxxx-realm type client in master realm as composite. This design will have
a lots of rows to be inserted into database.

However, the admin role is targeted for super privilideged users to have
all privilidges on all resources in keycloak server, there is rarely
reasons to change this scenario.

One observation is that when there is 6K realms in database, the getRole
method of admin role  would take more than *1 SECOND*. It will result in
bad response for admin rest api.

Benifit:
We are allieviated from lots of database write/read, especially when realm
number grows to thousands and more.
We are more confident to support large number of realms.

Drawbacks: we need carefully implement logics on the special admin role,
multiple places needs work.

Please let me know your concerns. Thank you!

Regards,
Mingjun Liu


More information about the keycloak-user mailing list