[keycloak-user] Scalability with a lot of clients
El-Himoud Nils (INST/ECS2)
nils.el-himoud at bosch-si.com
Thu Mar 14 10:53:25 EDT 2019
Hi everyone,
In our project we are creating lots of clients in Keycloak. In our loadtests with ~6000 clients we found very slow response times.
For example average response times during load tests:
23.9 sec / admin/realms/{realm}/users/{id}/role-mappings (GET)
28.2 sec /admin/realms/{realm}/clients (POST)
20.2 sec /admin/realms/{realm}/clients/{id} (DELETE)
By debugging Keycloak we found that the server is iterating over all clients in the realm. For this finding we opened ticket https://issues.jboss.org/browse/KEYCLOAK-9553. Initially after Keycloak startup this could take up to 5 minutes but was much faster for subsequent requests. We assume due to local caches. The variance of the response times is very high. They range from <1s to timeouts after 5 minutes.
What we´ve tried so far:
First we scaled up the Keycloak instances because we thought it might be a load problem. Turned out that it doesn´t need load to reproduce the slow responses, just enough clients.
Then we tried to warmup the caches by running the loadtests for a longer time but couldn´t see improvements.
We found that there are configuration options for the caches and tried to gain some insight on the runtime behavior via jboss cli by enabling the cache statistics
/subsystem=infinispan/cache-container=keycloak/local-cache=realms:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=statistics-enabled, value=true)
:reload
With no success. Statistics keep showing only zeros.
[standalone at localhost:9990 /] ls subsystem=infinispan/cache-container=keycloak/local-cache=realms
component elapsed-time=0 module=undefined stores=0
memory hit-ratio=0.0 number-of-entries=0 time-since-reset=0
store hits=0 passivations=0 eviction={"EVICTION" => undefined}
activations=0 indexing=NONE read-write-ratio=0.0 expiration={"EXPIRATION" => undefined}
average-read-time=0 indexing-properties=undefined remove-hits=0 locking={"LOCKING" => undefined}
average-write-time=0 invalidations=0 remove-misses=0 transaction={"TRANSACTION" => undefined}
batching=false jndi-name=undefined start=LAZY
cache-status=RUNNING misses=0 statistics-enabled=false
At last we tried to manipulate the cache settings for the realms cache
# default 10000
/subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=max-entries, value=80000)
# default 10000
/subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=size, value=80000)
This also had no noticeable effect on the response times.
Ah! The connection pool size for the db was also something that we tried to increase.
Setup
Keycloak is running in standalone HA mode with jgroups on Kubernetes (3 replicas). The database is AWS RDS.
Next we want to test the scalability of Keycloak with respect to the number of clients.
Do we miss something about the cache configuration. Is the realm cache the correct one to optimize the problematic endpoints? How can we get the cache statistics working?
resources:
request:
mem: 4Gi
cpu: 1
limit:
mem: 6Gi
cpu: 3
Java memory parameters are set
/usr/lib/jvm/java/bin/java -D[Standalone] -server -Xms3276m -Xmx4914m -javaagent:/opt/jboss/newrelic/newrelic.jar -Djboss.modules.system.pkgs
Mit freundlichen Grüßen / Best regards
Nils El-Himoud
INST-IOT/ESW-Imb
More information about the keycloak-user
mailing list