Red Hat build of Keycloak / RHBK-1852

[GHI#31519] Admin API extremely slow with service account and fine-grained authorization `view-users`


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      admin/fine-grained-permissions

      Describe the bug

      The response time of the Users Admin API ({{GET /admin/realms/{realm}/users}}) with fine-grained permissions enabled for users (and a policy assigned to view) varies greatly depending on whether a user or service account is used and which roles are assigned to the respective user.

      It is the slowest for service accounts with the view-users role assigned, taking around 200ms locally compared to 16ms of a similar user account.

      h3. Version

      25.0.2

      h3. Regression

      [ ] The issue is a regression

      h3. Expected behavior

      The API should respond equally fast, regardless of the type of account or roles assigned.

      h3. Actual behavior

      The time it takes the API to respond varies greatly depending on the configuration.

      h3. How to Reproduce?

      This repository contains the files and instructions to reproduce this benchmark locally: https://github.com/giz-berlin/keycloak-fine-grained-authz-benchmark

      Under these circumstances:

      - admin-fine-grained-authz is enabled.
      - The realm has fine grained permissions enabled for users and a policy assigned to the view permission.
      - Having a larger set of users, e.g. >= 100
      - Service account with view-users role from the realm-management client

      Listing the users via {{GET /admin/realms/{realm}/users}} with a service account token that has view-users role assigned takes extremely long, around 200ms locally.

      Listing the users with a normal user account and view-users takes around 20ms, which is about an order of magnitude less than what it takes for a service account.
      Adding the manage-users role brings this down even more.

      On a realm without fine-grained authorization this is equally fast for all users, around 10ms locally.

      Interestingly, if I assign query-users and query-groups (which are inherited through view-users) instead of view-users to the service account, the response time drops to around 35ms, even though no users are returned because of missing permissions, I assume. Still slower than a normal user account, but not that bad anymore.

      Additionally, if you remove the policy from the view.permission.users permission of the realm-management client, the responses are equally fast again, so it seems to have something to do with the policy evaluation.

      Anything else?

      No response
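
A minimal timing harness for the comparison described in the report, added here as an example; it is not code from the issue or from the linked benchmark repository. The base URL, realm name, client IDs and credentials are placeholder assumptions, and the user case assumes a client with direct access grants enabled.

```python
import json, statistics, time, urllib.parse, urllib.request

BASE = "http://localhost:8080"  # assumption: local Keycloak instance
REALM = "benchmark"             # assumption: placeholder realm name

def get_token(form):
    """Request an access token from the realm's OIDC token endpoint."""
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
        return json.load(r)["access_token"]

def list_users(token):
    """GET /admin/realms/{realm}/users; return how many users were listed."""
    req = urllib.request.Request(f"{BASE}/admin/realms/{REALM}/users",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return len(json.load(r))

def benchmark(call, runs=20, warmup=3, clock=time.perf_counter):
    """Time call() `runs` times after `warmup` untimed calls; stats in ms."""
    for _ in range(warmup):
        call()
    samples = []
    for _ in range(runs):
        start = clock()
        call()
        samples.append((clock() - start) * 1000.0)
    return {"median_ms": statistics.median(samples), "max_ms": max(samples)}

def compare(results):
    """Express each account's median as a multiple of the fastest median."""
    fastest = min(r["median_ms"] for r in results.values())
    return {n: round(r["median_ms"] / fastest, 1) for n, r in results.items()}

if __name__ == "__main__":
    accounts = {  # constructed placeholder clients and credentials
        "service-account": {"grant_type": "client_credentials",
                            "client_id": "bench-sa", "client_secret": "CHANGE_ME"},
        "user": {"grant_type": "password", "client_id": "bench-public",
                 "username": "bench-user", "password": "CHANGE_ME"},
    }
    results = {}
    for name, form in accounts.items():
        token = get_token(form)
        results[name] = benchmark(lambda: list_users(token))
    print(results, compare(results))
```

Token acquisition is kept outside the timed section so that only the Users Admin API call is measured.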
