How to change storage from local cache to database in keycloak with info about session - keycloak

I have a file cache-owners.cli and there are lines in it:
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
How can I change the storage from a local cache to a database (for example, PostgreSQL) with information about current sessions?

Keycloak uses Infinispan as its cache. In the default deployment the Keycloak node itself acts as an in-memory Infinispan node.
So you have 2 options:
1. Configure the store to use a DB (e.g. Redis).
2. The more practical one: deploy an external Infinispan cluster and configure Keycloak to use a remote-cache.

Related

What is the best way to persist user sessions in Keycloak?

I'm using a standalone Keycloak server. I have created one realm and a user inside that realm. When I log in the user and restart the Keycloak server, the session gets lost.
I am aware that Keycloak saves user session data in Infinispan. But is there any way I can save/persist this user session data?
Or shall I create multiple nodes cluster and replicate the keycloak session data?
Please suggest what's best.
We also have this problem.
So far I think there are 2 solutions, neither of them is perfect:
1. Keep sessions in infinispan
You can use an external Infinispan instance as described in the docs. This is cumbersome because you need to keep an external Infinispan instance.
If you don't want to use an external Infinispan instance, you can set CACHE_OWNERS_COUNT in the docker image to >=2. This will rebalance the cache between nodes and will make sure that an entry is saved on at least CACHE_OWNERS_COUNT nodes. If you have many sessions (>1 million) you will run out of memory and the startup time will increase substantially because the cache needs to be rebalanced at each deploy.
Another issue is that you would lose the sessions when updating the Infinispan instance.
2. Use offline sessions
Offline sessions are kept in the DB and some of them are kept in the offline_sessions cache. You can limit the number of offline sessions Keycloak keeps in memory and stop preloading offline sessions for faster startup, as described here.
This also has drawbacks:
SSO will not work after the server is restarted
You cannot change any offline session notes
I think there are some PRs in Keycloak to have a persistent session store built in, so please keep an eye on the progress on the Keycloak GitHub page.
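As an added example (not from either answer above), a small check over a cache-owners.cli in the format quoted in the first question: it resolves each ${env.CACHE_OWNERS_COUNT:1} expression the way the default does and reports the distributed caches that end up with a single owner, i.e. the ones whose sessions disappear when that one node goes down, which is the reason the answer gives for setting CACHE_OWNERS_COUNT >= 2. The sample file contents and the regexes are constructed here.

```python
import os
import re

# Constructed sample of a cache-owners.cli in the format quoted in the question
# (not a file from any Keycloak distribution).
SAMPLE_CLI = """\
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions: write-attribute(name=owners, value=3)
"""

# One write-attribute(name=owners, ...) line per distributed cache.
LINE_RE = re.compile(
    r"^/subsystem=infinispan/cache-container=keycloak/distributed-cache=(?P<cache>\w+):\s*"
    r"write-attribute\(name=owners,\s*value=(?P<value>[^)]+)\)\s*$"
)
# The ${env.VAR:default} expression form used in the script.
EXPR_RE = re.compile(r"^\$\{env\.(?P<var>\w+)(?::(?P<default>[^}]*))?\}$")


def resolve_value(raw, env):
    """Resolve a literal or a ${env.VAR:default} expression to an int."""
    m = EXPR_RE.match(raw.strip())
    if not m:
        return int(raw)
    value = env.get(m.group("var"), m.group("default"))
    if value is None:
        raise ValueError(f"{m.group('var')} is unset and has no default")
    return int(value)


def parse_owners(cli_text, env):
    """Map each distributed cache named in the script to its effective owners count."""
    owners = {}
    for line in cli_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            owners[m.group("cache")] = resolve_value(m.group("value"), env)
    return owners


def single_owner_caches(cli_text, env):
    """Caches whose entries live on one node only: lost when that node goes down."""
    return sorted(c for c, n in parse_owners(cli_text, env).items() if n < 2)


if __name__ == "__main__":
    # With CACHE_OWNERS_COUNT unset, the two session caches fall back to 1 owner.
    print(single_owner_caches(SAMPLE_CLI, dict(os.environ)))
```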

Configure Spring Data Redis to perform all operations via Elasticache configuration endpoint?

Description
Is it possible for Spring Data Redis to use Elasticache's configuration endpoint to perform all cluster operations (i.e., reading, writing, etc.)?
Long Description
I have a Spring Boot application that uses a Redis cluster as data store. The Redis cluster is hosted on AWS Elasticache running in cluster-mode enabled. The Elasticache cluster has 3 shards spread out over 12 nodes. The Redis version that the cluster is running is 6.0.
The service isn't correctly writing or retrieving data from the cluster. Whenever performing any of these operations, I get a message similar to the following:
io.lettuce.core.RedisCommandExecutionException: MOVED 16211 10.0.7.254:6379
In searching the internet, it appears that the service isn't correctly configured for a cluster. The fix seems to be to set the spring.redis.cluster.nodes property with a list of all the nodes in the Elasticache cluster (see here and here). I find this rather needless, considering that the Elasticache configuration endpoint is supposed to be used for all read and write operations (see the "Finding Endpoints for a Redis (Cluster Mode Enabled) Cluster" section here).
My question is this: can Spring Data Redis use Elasticache's configuration endpoint to perform all reads and writes, the way the AWS documentation describes? I'd rather not hand over a list of all the nodes if Spring Data Redis can use the configuration endpoint the way it's meant to be used. This seems like a serious limitation to me.
Thanks in advance!
Here is what I found works:

    import org.springframework.context.annotation.Bean;
    import org.springframework.data.redis.connection.RedisClusterConfiguration;
    import org.springframework.data.redis.connection.RedisConnectionFactory;
    import org.springframework.data.redis.connection.RedisNode;
    import org.springframework.data.redis.connection.lettuce.LettuceClientConfiguration;
    import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
    import org.springframework.data.redis.connection.lettuce.LettucePoolingClientConfiguration;

    @Bean
    public RedisConnectionFactory lettuceConnectionFactory()
    {
        LettuceClientConfiguration config =
            LettucePoolingClientConfiguration
                .builder()
                // your configuration settings
                .build();
        // Only the cluster configuration endpoint is listed as a seed node;
        // the Lettuce cluster client discovers the remaining nodes from it.
        RedisClusterConfiguration clusterConfig = new RedisClusterConfiguration();
        clusterConfig.addClusterNode(new RedisNode("xxx.v1tc03.clustercfg.use1.cache.amazonaws.com", 6379));
        return new LettuceConnectionFactory(clusterConfig, config);
    }

where xxx is the name of your Elasticache cluster.

Is quorum needed in Keycloak Standalone Clustered Configuration?

It's stated that Keycloak is built on top of the WildFly application server and its sub-projects like Infinispan (for caching) and Hibernate (for persistence).
Keycloak recommends looking at the WildFly Documentation and High Availability Guide.
If I understood correctly, Standalone Clustered Configuration allows session replication or transmission of SSO contexts around the cluster.
I don't understand, though, whether an odd number of Keycloak nodes is required so that there will be a quorum.
The Singleton subsystem documentation states:
10.1.3. Quorum
Network partitions are particularly problematic for singleton services, since they can trigger multiple singleton providers for the same service to run at the same time. To defend against this scenario, a singleton policy may define a quorum that requires a minimum number of nodes to be present before a singleton provider election can take place. A typical deployment scenario uses a quorum of N/2 + 1, where N is the anticipated cluster size. This value can be updated at runtime, and will immediately affect any active singleton services. e.g.
Is it somehow related to Keycloak and its Standalone Clustered Configuration?
Response from Keycloak mailing list:
No, Keycloak uses Infinispan for caching and Infinispan uses JGroups for clustering. JGroups doesn't need consensus.
> It's stated that Keycloak is built on top of the WildFly application server and its sub-projects like Infinispan (for caching) and Hibernate (for persistence).
> Keycloak recommends looking at the WildFly Documentation and High Availability Guide.
> If I understood correctly, Standalone Clustered Configuration allows session replication or transmission of SSO contexts around the cluster.
> I don't understand, though, whether an odd number of Keycloak nodes is required so that there will be a quorum.
No, it is not strictly required. As in almost all distributed systems, having an odd number of nodes helps recovering from split-brain scenarios.

How to configure persistent storage for jboss datagrid openshift image?

I have tried with templates provided at:
https://github.com/jboss-openshift/application-templates/blob/master/datagrid/datagrid71-mysql-persistent.json.
However, my entries are deleted after pod restarts.
The log is as follows:
ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup

Load balancing in JBoss with mod_cluster

Got a general question about load balancing setup in JBoss (7.1.1.Final). I'm trying to set up a clustered JBoss instance with a master and slave node and I'm using the demo app here (https://docs.jboss.org/author/display/AS72/AS7+Cluster+Howto) to prove the load balancing/session replication. I've basically followed through to just before the 'cluster configuration' section.
I've got the app deployed to the master and slave nodes and if I hit their individual IPs directly I can access the application fine. According to the JBoss logs and admin console the slave has successfully connected to the master. However, if I put something in the session on the slave and take the slave offline, the master cannot read the item that the slave put in the session.
This is where I need some help with the general setup. Do I have to have a separate Apache httpd instance sitting in front of JBoss to do the load balancing? I thought there was a load balancing capability built into JBoss that wouldn't need the separate server, or am I just completely wrong? If I don't need Apache, could you please point me in the direction of instructions to set up the JBoss load balancing?
Thanks.
Yes, you need Apache or any other software or hardware that allows you to perform load balancing of the HTTP requests; JBoss Application Server does not provide this functionality.
For proper operation of the session replication you should check that the server configuration and the application configuration are well defined.
The server must have the cache enabled for session replication (you can use the standalone-ha.xml or standalone-full-ha.xml file for the initial config).
Configuring the application to replicate the HTTP session is done by adding the <distributable/> element to web.xml.
You can see a full example in http://blog.akquinet.de/2012/06/21/clustering-in-jboss-as7eap-6/