Hello,
Relating to KEYCLOAK-11019 "Offline sessions preloading still slow in some cases"[1], we'd like to start a new discussion in the keycloak-community about "Offline Session Lazy Loading"[2].
We can shorten the startup time by tuning some parameters or adding indexes, but there is a limit we can shorten.
In the PR, we'd like to consider resolving the root cause, that is, consider providing offline session loading methods other than the existing method preloading all offline sessions in the startup.
Keycloak source code seems to be rooted in the offline session preloading, so it's not easy to change this, but kind of lazy loading is requested by many users, so even in the long run, we'd like to start the discussion.
What do you think about this? I would be very happy if you give any kind of comment on that.
[1] https://issues.redhat.com/browse/KEYCLOAK-11019
[2] https://github.com/keycloak/keycloak-community/pull/190
Regards,
Yoshiyuki Tabata
Hitachi, Ltd.
Hi everybody,
we are VERY interested in this is really causing us a lot of headache currently. We are definitely willing to contribute here!
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing.
Sebastian Schuster
Project Delivery Berlin 22 (IOC/PDL22)
Bosch.IO GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch.io
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 |
Threema /
Threema Work: MF9VMEAE |
Sebastian...@bosch.io
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
keycloak-dev...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/keycloak-dev/TY2PR01MB2284EB222C5D49B89B4E31CEB9E00%40TY2PR01MB2284.jpnprd01.prod.outlook.com.
--
Would it be an starting point to use the “current” semantics of offline sessions for all sessions and rename that thing to durable sessions where offline sessions just is a durable session which is lazy loaded always?
On the negative side this will effect startup time for standard sessions as it would get all problems of offline sessions.
While writing I notice this is a no go, so may it should be considered to have some internal state to actively recache “active” sessions e.g.
last used time > something.
Or it could be sufficient to just pick the top (x1000) sessions which are no offline sessions on startup ordered by last update time.
This also implies that any kind of session can be lazy loaded.
On the plus side it could be easy to just persist all sessions in a new entity and also “slow” migrate old offline sessions (on lazy load/ or creation).
Also this would merge both approaches in a configurable way. The administrator could optimize for startup time or for pre warmed caches.
Btw if lazy loading is an option but an issue for some setups it could also be considered to run a background worker on the master node which consistently adds all sessions to the cache in a throttled operation mode. This way the startup can be quick + reasonable amount of sessions loaded on startup and all other sessions added on the fly. (the last part for sure needs a lot of tinkering to resolve the conflicts between users which show up and fill the cache lazy and the background loader)
Mit freundlichen Grüßen / Best regards
Markus Till
Project Delivery Berlin 22 (IOC/PDL22)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad |
GERMANY | www.bosch.io
Tel. +49 30 726112-354 | Mobil +49 172 5782078 | Telefax +49 30 726112-100 |
Threema /
Threema Work: FHKUKVDR
| Marku...@bosch.io
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAJgngAf8Aio0uwfKSBeAMDZX0BzMrE3VRBY9SKyjdoAANoYRZg%40mail.gmail.com.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAJgngAf8Aio0uwfKSBeAMDZX0BzMrE3VRBY9SKyjdoAANoYRZg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAJgngAeCRoNUC2GsEy0qiWG%3Dbqixn7Lm1R3xdV1n1URD-9d7ZA%40mail.gmail.com.
Hi,
Thank you for your comments.
In the long run, Stian's idea is the best idea to eliminate the slow offline session loading problem, I think.
However, many users "now" pay attention to this problem, so in the keycloak-community, first of all, we'd like to consider Pedro's idea which is without a re-design of sessions.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/4f2fc0af-2c74-480c-8deb-abe9d352c855n%40googlegroups.com.
Hello Pedro
Thanks for looking into this and your valuable feedback!
I'd rather avoid loading large amounts of data into the cache upfront, be it synchronous or asynchronous. I've seen many large Keycloak installations with several million offline sessions that needed large heaps (>16-32 GB and larger) to cope with the number of offline-sessions that were quite often barely used. Of course, the usage pattern depends on how the application uses tokens, and some scenarios might benefit from pre-loading a set of offline-sessions.If this were configurable along the lines of e.g.:- offline-session-pre-loading-enabled: true/false (current default: true)- offline-session-pre-loading-max: -1/0/ n>0 (current default: -1 )-1: everything0: nonen>0: load at most n offline-sessions into memory... (perhaps this limit could also be controlled with the infinispan user-offline-session, client-offline-session cache size).
One could also think of a hybrid model, where you only load the offline-session uuid's into memory without any other session data, to check if the session is present at all and then fetch the actual session later on. This would still require some pre-loading at startup but would solve the problem of the DoS attack that I mentioned earlier while requiring less memory than loading everything into the heap.
The proposed solution seems like the right candidate that would work reliably and provide a good "enough" performance. But this needs to be tested a bit to get a reliable performance baseline.
Regarding the feature "we query the cache for all sessions for a given user/client in the admin-console":
What is the use-case here?
-> To see how many sessions are active / exist?
Here we can do a simple (and quick) database count query to get the same information.
-> To list all active sessions?
Does someone needs to see all 10 million sessions, or does an admin wants to see whether a concrete user has a session?
This list can be paginated and fetched from the database on an as needed basis.
Regarding the duplicate cache entries, I'm currently unsure whether this would be a problem at all in practice, but I'm not that familiar with infinispan. Perhaps someone from Redhat could elaborate more here, e.g., by providing the necessary ISPN tricks ;-).
In my (local) tests, I didn't see a problem with this, but I have to admit that I only tried this with a few million offline sessions and multiple docker containers on the same host. However, things might look different in a real distributed environment with higher latencies (remote keycloaks, remote database etc.).
I know about the redesign of the storage layer for "Keycloak-X" - I support this effort, and I'm looking forward to it. However, IMHO the current Keycloak community would benefit most from a solution that also works with the traditional Keycloak codebase since many companies already use the Wildfly based Keycloak distribution.
I'd be happy to send a PR for this to help to solve the dreaded "missing offline-sessions" once and for all. :)