-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEYCLOAK-19230 Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted #8430
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bohmber Thanks for the PR! Few points:
- The PR introduces new method to the model API and hence I am adding @hmlnarik as a reviewer to doublecheck if this matches with the requirements for the new store and doublecheck if implementation in the new stores (Map store) is ok
- Added 2 comments regarding possible optimization of the SQL in the JPA layer to call only single SQL in "getGroupByName" instead of two separate queries (one just for return ID and another for lookup group by this ID).
- Will be good to doublecheck if we have DB index by parent and name. This can add even more performance points. Could you doublecheck if such index exists in the DB?
- I wonder that we can change
KeycloakModelUtils.findGroupByPath
to be more optimal and leverage the new API method for getGroupByName and parent. - I've added few more comments below regarding cache invalidations and some other minor things...
When you do some more optimizations, can you please share in the JIRA some results of the performance before this change and after this change? If possible, it will be ideal to share:
- Count of LDAP top level groups
- Do you use some custom "group path" for the Group LDAP mapper or just top level groups?
- How the login of the user performs before and after this change? How many groups your typical user has?
Thanks!
@hmlnarik WDYT about the points above and about this PR in general?
model/jpa/src/main/java/org/keycloak/models/jpa/entities/GroupEntity.java
Outdated
Show resolved
Hide resolved
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheSession.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
Outdated
Show resolved
Hide resolved
At least there is a |
b324db4
to
9e31aba
Compare
@bohmber Still interested in this PR? If yes, please comment here. There will be at least rebase needed and align with latest Keycloak codebase, which changed since this PR was sent. But possibly some more things will be needed to be updated in this PR. But before going further, I would like to know if you are still interested in this PR or not anymore. |
Thanks @mposolda |
093ef10
to
d4b97bb
Compare
@mposolda pr updated. I'm looking forward to your feedback |
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted
d4b97bb
to
bae6b77
Compare
I also want to vote for this fix and in my company, with very large AD, there are many users (especially those senior staffs) are assigned to 100+ LDAPS groups. We also suffer from this issue. |
Next steps to evaluate the impact / scenarios this PR is about to solve:
|
Only LDAP is affected. There should be an internal RH issue with more details. It's hard to reproduce you need Group modifications in ldap, a high group count and many calls to getTopLevelGroups. If the cache is invalidated it will hammer the database with Group calls. https://issues.redhat.com/browse/KEYCLOAK-19230 has some information and the internal support case should have some data from a jfr session. Token endpoint is affected |
Actually, it is not difficult to reproduce it… You just need to create 100 ldap groups. Create an ldap user. Assign the user into the groups created. Config user federation with the ldap group mapper. Login with the ldap user created, you will find it takes more than 10 seconds to login (time taken depends on cpu speed) for the first time (or cases that the user not loaded into cache). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.ui.account2.ApplicationsTest#navigationTestKeycloak CI - Account Console IT (firefox)
|
We are waiting for @mposolda whether the @keycloak/core team wants to have a look. |
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted fix default impl and MapGroupProvider
@mhajas Thanks for the Test. Found a misunderstanding of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the additions @bohmber, however, I am not following the latest changes, could you elaborate more on why you did it?
server-spi/src/main/java/org/keycloak/storage/group/GroupLookupProvider.java
Outdated
Show resolved
Hide resolved
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted default impl in GroupLookupProvider
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the contribution @bohmber! I am approving and merging now
Awesome, thank you for everyone involved in preparing and review this! |
@mhajas @sguilhen @mposolda @ahus1 Thanks to everyone. From the title the pr looks small. But in a case the toplevel group cache becomes invalid every call for group mapping will hammer the database for all groups for each group in the ldap response. Depending on the request count and group count you will get really bad response times quicky. Now there is a direct mapping between name and group and you will not affected when a group has added/changed. |
…APGroupMappingsConverted (keycloak#8430) Closes keycloak#14820 --------- Co-authored-by: Michal Hajas <mhajas@redhat.com> (cherry picked from commit bb2f59d)
To those watching this issue: The related PR has been backported to 22.0.5 |
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted
Closes #14820
KEYCLOAK-19230