cache
This commit is contained in:
parent
fc396031e9
commit
6ace795d4e
7 changed files with 121 additions and 54 deletions
@ -39,9 +39,12 @@
.. link:topics/clustering/example.adoc[Cluster Example]
.. link:topics/clustering/troubleshooting.adoc[Trouble Shooting]
. link:topics/cache.adoc[Server Cache Configuration]
.. link:topics/cache/eviction.adoc[Eviction Policy and Max Entries]
.. link:topics/cache/replication.adoc[Replication and Failover]
.. link:topics/cache/disable.adoc[Disabling Caching]
.. link:topics/cache/clear.adoc[Clearing Caches at Runtime]
{% if book.community %}
. link:topics/proxy.adoc[Keycloak Security Proxy]
{% endif %}
. link:topics/migration.adoc[Importing and Exporting the Database]
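Review bot: the pre-existing context entry `.. link:topics/clustering/troubleshooting.adoc[Trouble Shooting]` should read `[Troubleshooting]` (one word, matching the file name) and is worth fixing while this list is being edited. The renamed top-level label `[Server Cache Configuration]` matches the new `== Server Cache Configuration` heading, and the four new `..` entries line up with the topic files added under topics/cache/ in this commit, so the navigation itself is consistent.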
@ -45,7 +45,8 @@
"version": "???",
"admindoc": {
"name": "JBoss Data Grid Administration and Configuration Guide",
"link": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/6.6/html/Administration_and_Configuration_Guide/index.html"
"link": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/6.6/html/Administration_and_Configuration_Guide/index.html",
"eviction": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/7.0/html/Administration_and_Configuration_Guide/sect-Eviction_Strategies.html"
}
},
"jpa": {
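Review bot: the new `"eviction"` link targets the JBoss Data Grid 7.0 guide while the sibling `"link"` directly above it stays on 6.6, so the two references would document different Infinispan releases; pick one version for both. None of the topic files added in this commit reference `{{book.caching.admindoc.eviction}}` (only `{{book.caching.admindoc.link}}` and `{{book.caching.admindoc.name}}` are used), so either wire the new key into the eviction page or leave it out until it is used. The `"version": "???"` placeholder in the surrounding context still needs a real value as well.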
@ -1,58 +1,18 @@
== Server Cache
== Server Cache Configuration

By default, Keycloak caches realm metadata and users.
There are two separate caches, one for realm metadata (realm, application, client, roles, etc...) and one for users.
These caches greatly improves the performance of the server.
{{book.project.name}} has two types of caches. One type of cache sits in front of the database to decrease load on the DB
and to increase overall response times by keeping data in memory. Realm, client, role, and user metadata is kept in this cache.
The caching for this data is stored in something called an invalidation cache. Invalidation caches do not use replication.
Instead, they only keep copies locally and if the entry is updated an invalidation message is sent to the rest of the cluster
and the entry is evicted. This greatly reduces network traffic, makes things efficient, and avoids transmitting sensitive
metadata over the ire.

=== Eviction and Expiration
The second type of cache handles managing user sessions, offline tokens, and keeping track of login failures so that the
server can detect password phishing and other attacks. The data held in these caches is temporary, in memory only,
but is possibly replicated across the cluster.

By default the user cache contains a maximum of 10000 entries.
This is not 10000 users, but 10000 entries in the cache.
You can change the maximum number of entries by editing the server configuration `standalone.xml` or `standalone-ha.xml`.
Locate the element `cache-container name="keycloak"` and change the eviction policy for the `users` cache.
For more information see https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem[Infinispan Subsystem documentation].
This chapter discusses some configuration options for these caches for both clustered a non-clustered deployments.

=== Disabling Caches

To disable the realm or user cache, you must edit the `keycloak-server.json` file in your distribution.
Here's what the config looks like initially.
Note: More advanced configuration of these caches can be found in link:{{book.caching.admindoc.link}}[{{book.caching.admindoc.name}}]


[source]
----

"userCache": {
"infinispan" : {
"enabled": true
}
},

"realmCache": {
"infinispan" : {
"enabled": true
}
},
----

To disable the cache set the enabled field to false for the cache you want to disable:
[source]
----

"userCache": {
"infinispan" : {
"enabled": false
}
},

"realmCache": {
"infinispan" : {
"enabled": false
}
},
----

=== Clear Caches

To clear the realm or user cache, go to the Keycloak admin console Realm Settings->Cache Config page.
On this page you can clear the realm cache or the user cache.
This will clear the caches for all realms and not only the selected realm.
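Review bot: the new intro text has two typos and one wrong claim. "over the ire" should be "over the wire", "clustered a non-clustered deployments" should be "clustered and non-clustered deployments", and the login-failure data is kept so the server can detect brute-force password guessing, not "password phishing" (phishing happens off the server and leaves no failed-login trail), so that sentence should read "so that the server can detect brute-force attacks". The paragraph about invalidation caches avoiding the transmission of sensitive metadata is correct for the realm and user caches, but the very next paragraph says the session, offline-token and login-failure caches are "possibly replicated across the cluster"; stating plainly that those do travel between nodes would keep the two paragraphs from contradicting each other in the reader's mind.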
5
topics/cache/clear.adoc
vendored
Executable file
@ -0,0 +1,5 @@
=== Clearing Caches at Runtime

To clear the realm or user cache, go to the {{book.project.name}} admin console Realm Settings->Cache Config page.
On this page you can clear the realm cache or the user cache.
This will clear the caches for all realms and not only the selected realm.
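Review bot: the last line, that clearing flushes the caches for all realms and not only the selected one, is what an administrator needs to know before clicking, so it belongs ahead of the click path rather than after it, ideally as an AsciiDoc admonition (`WARNING:`) since an admin acting inside one realm silently drops cached realm and user data for every realm on the server.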
25
topics/cache/disable.adoc
vendored
Executable file
@ -0,0 +1,25 @@
=== Disabling Caching

To disable the realm or user cache, you must edit the `keycloak-server.json` file in your distribution. Where
this file lives depends on your <<fake/../../operating-mode.adoc#_operating-mode, operating mode>>
Here's what the config looks like initially.


[source,json]
----

"userCache": {
"infinispan" : {
"enabled": true
}
},

"realmCache": {
"infinispan" : {
"enabled": true
}
},
----

To disable the cache set the +enabled+ field to false for the cache you want to disable. You must reboot your
server for this change to take effect.
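Review bot: the sentence ending at "<<fake/../../operating-mode.adoc#_operating-mode, operating mode>>" is missing its full stop before "Here's what the config looks like initially." Inline-code markup is also mixed within the page: `keycloak-server.json` uses backticks while `+enabled+` uses plus signs; pick one form. "You must reboot your server" reads as a machine reboot; "restart the server" says what is actually required.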
52
topics/cache/eviction.adoc
vendored
Executable file
@ -0,0 +1,52 @@
=== Eviction and Expiration

There is a realm cache that holds information about secured applications, general security data, and configuration options.
This cache is unbounded and does not have a limit on entries. This might scare you a little bit, but the number of entries
in this cache is pretty low compared to the user cache. There is a user cache that contains user metadata. It defaults to a maximum of 10000 entries and uses a least recently used eviction strategy.
There are also separate caches for user sessions, offline tokens, and login failures. These caches are unbounded as well.

The eviction policy and max entries for these caches can be configured in the _standalone.xml_, _standalone-ha.xml_, or
_domain.xml_ depending on your <<fake/../../operating-mode.adoc#_operating-mode, operating mode>>.

.non-clustered
[source,xml]
----
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
<local-cache name="realms"/>
<local-cache name="users">
<eviction max-entries="10000" strategy="LRU"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="realmVersions">
<transaction mode="BATCH" locking="PESSIMISTIC"/>
</local-cache>
</cache-container>
----


.non-clustered
[source,xml]
----
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
<transport lock-timeout="60000"/>
<invalidation-cache name="realms" mode="SYNC"/>
<invalidation-cache name="users" mode="SYNC">
<eviction max-entries="10000" strategy="LRU"/>
</invalidation-cache>
<distributed-cache name="sessions" mode="SYNC" owners="1"/>
<distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
<replicated-cache name="work" mode="SYNC"/>
<local-cache name="realmVersions">
<transaction mode="BATCH" locking="PESSIMISTIC"/>
</local-cache>
</cache-container>
----

To limit to expand the number of entries simply add, edit, or remove the +eviction+ element from the +invalidation-cache+ or
+distributed-cache+ eviction policy you want to change.
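Review bot: the second listing is captioned `.non-clustered` but it is the clustered configuration (it declares a `<transport>` and uses `invalidation-cache`, `distributed-cache` and `replicated-cache` where the first listing uses `local-cache`), so its caption should be `.clustered`. The closing sentence is garbled; suggest "To limit or expand the number of entries, add, edit, or remove the `eviction` element on the `local-cache`, `invalidation-cache`, or `distributed-cache` you want to change." The heading promises "Expiration" but the text only covers eviction, and it states that the `sessions`, `offlineSessions` and `loginFailures` caches are unbounded, which is exactly where an operator would want a bounding example; either show an `eviction` element on one of those caches or drop "Expiration" from the heading. Both listings also end at `</cache-container>` without the closing `</subsystem>`, so a reader copying them gets malformed XML.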
21
topics/cache/replication.adoc
vendored
Executable file
@ -0,0 +1,21 @@
=== Replication and Failover

The +sessions+, +offlineSessions+ and +loginFailures+ caches are distributed caches which means that one more nodes
is designated as the owner of a specific cache entry. If a node is not the owner of a specific cache entry it queries
the cluster to obtain it. What this means for failover is that if the nodes that own a piece of data go down, that data
is lost forever. By default, {{book.project.name}} only specifies one owner for data. So if that one node goes down
that data is lost. This usually means that users will be logged out and will have to login again.

You can change the number of nodes that replicate a piece of data by change the +owners+ attribute in the +distributed-cache+ declaration

.owners
[source,xml]
----
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
<distributed-cache name="sessions" mode="SYNC" owners="2"/>
...
----

Here's we've changed it so at least two nodes will replicate one specific user login session.
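Review bot: the example raises `owners` only on `sessions`, yet the opening paragraph names `offlineSessions` and `loginFailures` as distributed caches with the same single-owner default and the same lost-forever behaviour on node failure; say explicitly that each of those needs its own `owners="2"` if they are to survive a failed node, since a reader who changes one line will assume all three are covered, and losing `loginFailures` entries means the failure tracking described in the cache overview starts again from nothing. It is also worth stating that `owners="2"` only tolerates the loss of one node. Grammar in the prose: "one more nodes is designated" should be "one or more nodes are designated", "by change the +owners+ attribute" should be "by changing", and "Here's we've changed it" should be "Here we've changed it".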