[keycloak-user] Permissions performance problem

Pedro Igor Silva psilva at redhat.com
Mon May 27 10:52:29 EDT 2019


If you try to evaluate for a single resource/permissions, do you also see
the difference ?

On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Is there a difference in the number of permissions/resources granted on
> each run?
>
> Maybe, permissions are being run twice when using dashboard. Still not
> clear to me why. I would need to reproduce this behavior somehow.
>
> Is there any client mapper associated with dashboard that is not set to
> api-server ?
>
> On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Hi Pedro and Luke,
>> I tried with the "evaluate" tab in the UI.
>> Just by changing the client in the evaluate tab (first dropbox), I obtain
>> significant performance changes:
>> - with "api-server" client: 2.5 seconds.
>> - with "dashboard" client: 5 seconds.
>> With the API, the difference is even more significant (200ms vs 2s)
>>
>> Note that the resources belong to "api-server". So it might be some
>> communication delay between the clients as suggested by Luke (if I
>> understood correctly)?
>>
>>
>> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> The resource set is the same in both scenarios as they are related to
>>> api-server. The same goes for permissions and policies.
>>>
>>> I don't know what may be causing this difference, but maybe you can find
>>> a clue when running the evaluation tool to compare how evaluation is
>>> performed in both situations.
>>>
>>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I noticed that if I request permissions with one client, it is faster
>>>> than
>>>> with another one.
>>>> For instance:
>>>>
>>>> TOKEN=`curl -X POST  -H "Content-Type:
>>>> application/x-www-form-urlencoded"
>>>> -d
>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
>>>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>> |
>>>> jq .access_token -r`
>>>> time curl -X POST
>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>> -H
>>>> "Authorization: Bearer $TOKEN" -d
>>>>
>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>> *real 0m0,196s*
>>>> user 0m0,000s
>>>> sys 0m0,006s
>>>>
>>>> TOKEN=`curl -X POST  -H "Content-Type:
>>>> application/x-www-form-urlencoded"
>>>> -d
>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
>>>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>> |
>>>> jq .access_token -r`
>>>> time curl -X POST
>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>> -H
>>>> "Authorization: Bearer $TOKEN" -d
>>>>
>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>> *real 0m2,142s*
>>>> user 0m0,006s
>>>> sys 0m0,006s
>>>>
>>>> The only difference between the two commands is the client (highlighted
>>>> in
>>>> red). With the second client, it takes 2 seconds more consistently.
>>>> Any idea? I might be a cache problem...
>>>> Cheers
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>


More information about the keycloak-user mailing list