[keycloak-user] Permissions performance problem

Mon May 27 11:07:58 EDT 2019

There seem to be a difference when evaluating only one permission. But it's
difficult to see as times are very short.
- with "api-server" client: around 0,035s
- with "dashboard" client: around 0,050s
But the response times are quite variables.

On Mon, May 27, 2019 at 4:52 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> If you try to evaluate for a single resource/permissions, do you also see
> the difference ?
>
> On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Is there a difference in the number of permissions/resources granted on
>> each run?
>>
>> Maybe, permissions are being run twice when using dashboard. Still not
>> clear to me why. I would need to reproduce this behavior somehow.
>>
>> Is there any client mapper associated with dashboard that is not set to
>> api-server ?
>>
>> On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Hi Pedro and Luke,
>>> I tried with the "evaluate" tab in the UI.
>>> Just by changing the client in the evaluate tab (first dropbox), I
>>> obtain significant performance changes:
>>> - with "api-server" client: 2.5 seconds.
>>> - with "dashboard" client: 5 seconds.
>>> With the API, the difference is even more significant (200ms vs 2s)
>>>
>>> Note that the resources belong to "api-server". So it might be some
>>> communication delay between the clients as suggested by Luke (if I
>>> understood correctly)?
>>>
>>>
>>> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> The resource set is the same in both scenarios as they are related to
>>>> api-server. The same goes for permissions and policies.
>>>>
>>>> I don't know what may be causing this difference, but maybe you can
>>>> find a clue when running the evaluation tool to compare how evaluation is
>>>> performed in both situations.
>>>>
>>>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> I noticed that if I request permissions with one client, it is faster
>>>>> than
>>>>> with another one.
>>>>> For instance:
>>>>>
>>>>> TOKEN=`curl -X POST  -H "Content-Type:
>>>>> application/x-www-form-urlencoded"
>>>>> -d
>>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
>>>>> "
>>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>>> |
>>>>> jq .access_token -r`
>>>>> time curl -X POST
>>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>>> -H
>>>>> "Authorization: Bearer $TOKEN" -d
>>>>>
>>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>>> *real 0m0,196s*
>>>>> user 0m0,000s
>>>>> sys 0m0,006s
>>>>>
>>>>> TOKEN=`curl -X POST  -H "Content-Type:
>>>>> application/x-www-form-urlencoded"
>>>>> -d
>>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
>>>>> "
>>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>>> |
>>>>> jq .access_token -r`
>>>>> time curl -X POST
>>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>>> -H
>>>>> "Authorization: Bearer $TOKEN" -d
>>>>>
>>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>>> *real 0m2,142s*
>>>>> user 0m0,006s
>>>>> sys 0m0,006s
>>>>>
>>>>> The only difference between the two commands is the client
>>>>> (highlighted in
>>>>> red). With the second client, it takes 2 seconds more consistently.
>>>>> Any idea? I might be a cache problem...
>>>>> Cheers
>>>>> Corentin
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>