[keycloak-user] Permissions performance problem

luke at code-house.org luke at code-house.org
Mon May 27 10:00:22 EDT 2019


Each grant type is processed in a different branch of the Token Endpoint, thus they might (and very likely will) have different performance.
It's well known that enabling fine-grained access control generates extra load, as these permissions need to be read somehow.

Kind regards,
Łukasz
--
Code-House
http://code-house.org

> On 27 May 2019, at 15:54, Pedro Igor Silva <psilva at redhat.com> wrote:
> 
> Hi,
> 
> The resource set is the same in both scenarios as they are related to
> api-server. The same goes for permissions and policies.
> 
> I don't know what may be causing this difference, but maybe you can find a
> clue when running the evaluation tool to compare how evaluation is
> performed in both situations.
> 
> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <corentin.dupont at gmail.com>
> wrote:
> 
>> Hi guys,
>> I noticed that if I request permissions with one client, it is faster than
>> with another one.
>> For instance:
>> 
>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>   -d 'username=cdupont&password=xxx&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' \
>>   "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>> time curl -X POST \
>>   http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>   -H "Authorization: Bearer $TOKEN" \
>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>> *real 0m0,196s*
>> user 0m0,000s
>> sys 0m0,006s
>> 
>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>   -d 'username=cdupont&password=xxx&grant_type=password&client_id=dashboard' \
>>   "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>> time curl -X POST \
>>   http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>   -H "Authorization: Bearer $TOKEN" \
>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>> *real 0m2,142s*
>> user 0m0,006s
>> sys 0m0,006s
>> 
>> The only difference between the two commands is the client (highlighted in
>> red). With the second client, it takes 2 seconds more consistently.
>> Any idea? It might be a cache problem...
>> Cheers
>> Corentin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 



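A diagnostic for the comparison discussed in this thread, as an added example that is not code from any of the posters or from Keycloak: the two UMA requests are identical apart from the bearer token, so decoding both tokens and diffing their claims shows what each client actually presents to the token endpoint. The sample tokens and their claim values are constructed, and the helper names are hypothetical.

```python
import base64
import json

def jwt_claims(token):
    """Decode the payload segment of a JWT without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

# Top-level claims that change on every issued token and say nothing about client setup.
VOLATILE = {"exp", "iat", "nbf", "jti", "auth_time", "session_state"}

def diff_claims(a, b, prefix=""):
    """Return {dotted.path: (value_in_a, value_in_b)} for every claim that differs."""
    out = {}
    for key in sorted(set(a) | set(b)):
        if not prefix and key in VOLATILE:
            continue
        path = prefix + key
        va, vb = a.get(key), b.get(key)
        if isinstance(va, dict) and isinstance(vb, dict):
            out.update(diff_claims(va, vb, path + "."))  # descend into nested claims
        elif va != vb:
            out[path] = (va, vb)
    return out

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample payloads; real tokens come from the two password-grant calls in the thread.
API_SERVER = make_sample_token({"azp": "api-server", "aud": "api-server", "exp": 1,
    "preferred_username": "cdupont", "realm_access": {"roles": ["user"]}})
DASHBOARD = make_sample_token({"azp": "dashboard", "aud": ["api-server", "account"], "exp": 2,
    "preferred_username": "cdupont", "realm_access": {"roles": ["user", "offline_access"]}})

if __name__ == "__main__":
    for path, (left, right) in diff_claims(jwt_claims(API_SERVER), jwt_claims(DASHBOARD)).items():
        print(f"{path}: {left!r} -> {right!r}")
```

Decoding here is for inspection only; nothing in the block validates the signature, so it must not be used to make authorization decisions.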