Performance in Open Policy evaluation: takes seconds for each auth check

This topic has 5 replies, 2 voices, and was last updated 7 years, 5 months ago by mragunath.

  • Author
    Posts
  • #3073
     mragunath
    Participant

    Hello,

    I am not too sure to post the following problem here, if it is not the right place please advise me.

    Problem:
    The policy evaluation takes minimum 6 seconds for each access check and users are complaining about the performance.

    Observation:
    As part of the Authorization infrastructure associated to OpenAM policy engine, the problem we are currently facing is the policy evaluation is occurring across all the policies in the data store irrespective of the groups associated to the subject.

    Could you please advise is there anything wrong the way I have configured or is it meant to work in the way how it is behaving in my environment.

    Thanks in advance.

    • This topic was modified 7 years, 5 months ago by mragunath.
    #3082
     Peter Major
    Moderator

    You should probably provide the version of OpenAM you are using. OpenAM 11.0.0 introduced improvements around policy evaluation performance, so generally things should be much better from then on. Since you mentioned groups in your post, you may be also running into OPENAM-1964, but without the version number, it is hard to tell.

    #3090
     mragunath
    Participant

    Hi Peter,

    Thank you for the reply, we are running version 9.5.5.

    #3091
     mragunath
    Participant

    But I have been told that the 9.5.6 patch has been implemented in our environment and I could see the change in the AMIdentity class file (i.e. exclusion of the Group block) .

    #3105
     Peter Major
    Moderator

    In which case you should investigate a bit more on what is exactly taking up so much of the time. I would suggest to run jstacks against a slowly performing policy evaluation and see what takes long (alternatively look at the message level debug logs for similar kind of information.
    If you are more techy, then attach a profiler to the JVM to get more details about the problem.

    #3106
     mragunath
    Participant

    Thanks for the advise Peter. I will come back with enough information.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?