Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/fine-grained-permissions
Describe the bug
The response time of the Users Admin API ({{GET /admin/realms/{realm}/users}}) with fine-grained permissions enabled for users (and a policy assigned to view) varies greatly depending on whether a user or service account is used and which roles are assigned to the respective user. It is the slowest for service accounts with the view-users role assigned, taking around 200ms locally compared to 16ms of a similar user account.
h3. Version
25.0.2
h3. Regression
[ ] The issue is a regression
h3. Expected behavior
The API should respond equally fast, regardless of the type of account or roles assigned.
h3. Actual behavior
The time it takes the API to respond varies greatly depending on the configuration.
h3. How to Reproduce?
This repository contains the files and instructions to reproduce this benchmark locally: https://github.com/giz-berlin/keycloak-fine-grained-authz-benchmark
Under these circumstances:
- admin-fine-grained-authz is enabled.
- The realm has fine-grained permissions enabled for users and a policy assigned to the view permission.
- Having a larger set of users, e.g. >= 100
- Service account with view-users role from the realm-management client
Listing the users via {{GET /admin/realms/{realm}/users}} with a service account token that has the view-users role assigned takes extremely long, around 200ms locally.
Listing the users with a normal user account and view-users takes around 20ms, which is about an order of magnitude less than what it takes for a service account.
Adding the manage-users role brings this down even more.
On a realm without fine-grained authorization this is equally fast for all users, around 10ms locally.
Interestingly, if I assign query-users and query-groups (which are inherited through view-users) instead of view-users to the service account, the response time drops to around 35ms, even though no users are returned, because of missing permissions I assume. Still slower than a normal user account, but not that bad anymore.
Additionally, if you remove the policy from the view.permission.users permission of the realm-management client, the responses are equally fast again, so it seems to have something to do with the policy evaluation.
Anything else?
No response