[KEYCLOAK-7952] Decision Cache Created: 27/Jul/18 Updated: 11/Feb/19
|Status:||Pull Request Sent|
|Reporter:||Pedro Igor||Assignee:||Michal Hajas|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||Keycloak Sprint 10, Keycloak Sprint 13|
|Docs QE Status:||NEW|
To provide better performance, we could support different layers of cache in order to quickly map past decisions with new authorization requests arriving at the server.
I can think of two main cache strategies:
Permission Cache is a cache that is able to map previously granted permissions to new authorization requests as follows:
This caching layer in certain cases could completely bypass the evaluation and just resolve permissions from the cache.
The Policy Decision Cache is a cache in front of each policy provider. Each provider should be able to map previous decisions to new evaluations. For instance, a cache in front of resource permissions could use the token representing the identity to remember decisions, similar to Permission Cache.
|Comment by Pedro Igor [ 23/Oct/18 ]|
Michal Hajas, are you OK to postpone this one to 5.x ?
|Comment by Michal Hajas [ 24/Oct/18 ]|
Pedro Igor Yeah, it works for me.
|Comment by Pedro Igor [ 24/Oct/18 ]|
Thanks. The reason behind this decision is that we are lacking the bandwidth to work on this as well changes are quite critical at this moment where we are close to deliver RHSSO 7.3.
|Comment by Stian Thorgersen [ 22/Jan/19 ]|
Pedro Igor what is the status on this and the level of effort to complete it?
|Comment by Michal Hajas [ 11/Feb/19 ]|
Stian Thorgersen I was out of the office for a longer time. With Pedro Igor we decided to do part of the caching differently, so I need to modify the PR. As I came after a long time I hope I will get to finish this soon.