Hello Keycloak community,
one of our customers discovered that searching a user via the Admin Console is really slow. To be specific, the search takes anywhere from 8 to 13 seconds on a system with around one million users.
After investigating the issue, we discovered that the database query execution time scales with rising user numbers because it uses full text search with surrounding wildcard characters (i.e. ‘%’) which doesn’t work well together with indexes.
Here is the request that is triggered when searching for a user in the Admin Console:
/realms/example-realm/users?briefRepresentation=true&first=0&max=20&search='example-user'
And this is the mentioned query :
SELECT * FROM USER_ENTITY AS generatedAlias0
WHERE ( generatedAlias0.REALM_ID = 'example-realmid' )
AND ( generatedAlias0.SERVICE_ACCOUNT_CLIENT_LINK IS null )
AND ( ( LOWER(generatedAlias0.USERNAME) LIKE '%example-username%' )
OR ( LOWER(generatedAlias0.EMAIL) LIKE '%example-username%' )
OR ( LOWER(((coalesce(generatedAlias0.FIRST_NAME, '') + ' ')) + coalesce(generatedAlias0.LAST_NAME, '')) LIKE '%example-username%'))
ORDER BY generatedAlias0.USERNAME ASC
We would like to provide a way that makes the search fast and independent from the user count at the same time.
The two methods we found to improve the execution time where either removing the trailing wildcard characters from the query, i.e. “ USERNAME LIKE ‘example-username%’ ”,
or performing an exact search without any wildcards, i.e. “ USERNAME = ‘example-username’ “.
This could be achieved by giving the user different options for searching. Those options could be displayed as a dropdown in the UI. Here is a screenshot of how this could look like :
The options are probably self-explaining. For clarity, the “Starts with” option would execute a query without the trailing wildcards, the “Exact” option would execute a query without wildcards and the
“Includes” option is the current default behavior.
Another option would be implementing them as prefixes in the search string (the one you enter in the UI search field) like the already available “id:” rather than a drop down box.
So you would for example search for “startsWith:admin” or “exact:admin” instead of just admin.
However this would make it significantly less usable when searching multiple users in a row, because you would have to type out the prefix every time.
What are your thoughts on this topic ? Any feedback is greatly appreciated.
Mit freundlichen Grüßen / Best regards
Artur Baltabayev
Bosch IoT Permissions - Product Area User Management (IOC/PAU-PM)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad |
GERMANY | www.bosch.io
Tel. +49 7545 202-497 | Fax +49 7545 202-301 |
Artur.Ba...@bosch.io
Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/70906be9a3564ff5bbb9edb1fdf42559%40bosch.io.
Hello Hynek,
thank you a lot for the quick response ! We agree with your proposal,
and I’ll start preparing the PR if there are no objections.
Note: Sorry I didn’t answer to all on the first response.
Mit freundlichen Grüßen / Best regards
Artur Baltabayev
Bosch IoT Permissions - Product Area User Management (IOC/PAU-PM)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad |
GERMANY | www.bosch.io
Tel. +49 7545 202-497 | Fax +49 7545 202-301 |
Artur.Ba...@bosch.io
Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/ce252f26cb084b8e84764db9c0fcd14e%40bosch.io.
I am not following. Do you envision users entering queries using oData syntax when searching for users?Could you elaborate on what you mean by "planned with oData in mind"? Storage is not by itself exposing any REST interfaces.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAMvXD%3DG5W4-fFizk4rH6pkRDfVpSRWK1qhhjWekuMU10tNfx5w%40mail.gmail.com.
On Thu, Jul 15, 2021 at 11:24 AM Hynek Mlnarik <hmln...@redhat.com> wrote:I am not following. Do you envision users entering queries using oData syntax when searching for users?Could you elaborate on what you mean by "planned with oData in mind"? Storage is not by itself exposing any REST interfaces.Yeah, it is not. My point is that we could potentially provide some mechanism for easily mapping OData query syntax to the syntax of the underlying storage. Like some libraries do (e.g.: oData -> JPQL).Making it a lot easier to standardize our REST APIs and remove redundant code for dealing with parsing queries sent over REST. Perhaps related to the model criteria API you did?
Hello,
i just want to let you know that the PR “KEYCLOAK-18727 Improve user search query” is finished and ready to be reviewed. You can find it here : https://github.com/keycloak/keycloak/pull/8346
During development some additional things came up, which we commented to the PR
as remarks. Please have a look at them too.
As always, any feedback is greatly appreciated !