Enhancing SCIM group and user API performance
Enhanced SCIM group API performance
From foundational services version 3.19 and later, the LDAP search is enhanced: by default, foundational services now supports an LDAP query filter size limit of up to 5000. Because a larger filter lets the bulk of a group's members be fetched in a single LDAP search, this change also improves group API performance. If a group has a very large number of members, set the LDAP query filter size limit of the configured LDAP server to at least 5000 so that the group API calls benefit from the enhanced performance.
If you have a large number of members in a group, follow the tuning guidelines for CPU and memory that are based on the following observations:
Note: The values in the following observations and tuning guidelines are estimates. They might also depend on other environmental factors such as overall load, cluster health, and network.
- A group of approximately 21k members with concurrent access by 10 users requires around 1500m of CPU and 1500Mi of memory, and 1 replica for the small profile.
- If the number of concurrent users increases, increase the number of replicas as well. For example, the same group of 21k members with concurrent access by 20 users requires around 3 replicas with 1500m of CPU and 1500Mi of memory for the small profile.
- If you have more members in the group, use the large profile instead of the small profile. For example, for a group of 87K members with concurrent access by 10 users, the large profile needs around 3 replicas with 2550m of CPU and 2850Mi of memory.
Enhanced SCIM user API performance
From foundational services version 3.20 and later, IAM has introduced the following configuration parameters to improve the performance of the SCIM users search API:
- SCIM_AUTH_CACHE_MAX_SIZE: The maximum number of tokens that are stored in the cache. The default value is 1000. If you have many concurrent calls, tune this value.
- SCIM_AUTH_CACHE_TTL_VALUE: The TTL value, in seconds, of each token that is stored in the cache. The default value is 60 seconds. If you have a long-running process that calls the SCIM API continuously for more than 60 seconds, tune this value.
These SCIM configuration parameters improve the overall response time by avoiding repeated authorization calls.
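To make the effect of the two cache parameters concrete, the following added Python example (not IBM's auth-idp code) models a token authorization cache that is bounded by a maximum number of entries and a per-entry TTL, and counts how many upstream authorization calls a given workload causes under different settings. The LRU eviction policy and the names TokenAuthCache, FakeClock and authorize_calls_for are assumptions of this example; the page only states the two limits and their defaults.

```python
"""Model of the SCIM token authorization cache bounded by
SCIM_AUTH_CACHE_MAX_SIZE entries and SCIM_AUTH_CACHE_TTL_VALUE seconds.

Added illustration; not the auth-idp implementation. The LRU eviction
policy and all class/function names are assumptions of this example.
"""
from collections import OrderedDict


class FakeClock:
    """Deterministic clock so the simulation runs offline and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenAuthCache:
    """Caches the result of authorizing a bearer token.

    max_size  -> SCIM_AUTH_CACHE_MAX_SIZE (entries kept, least recently used evicted)
    ttl       -> SCIM_AUTH_CACHE_TTL_VALUE (seconds an entry stays valid)
    authorize -> the expensive call that is avoided on a cache hit
    """

    def __init__(self, max_size, ttl, authorize, clock):
        self.max_size = max_size
        self.ttl = ttl
        self.authorize = authorize
        self.clock = clock
        self._entries = OrderedDict()  # token -> (expires_at, claims)
        self.authorize_calls = 0

    def lookup(self, token):
        now = self.clock()
        hit = self._entries.get(token)
        if hit is not None:
            expires_at, claims = hit
            if now < expires_at:
                self._entries.move_to_end(token)  # refresh LRU position
                return claims
            del self._entries[token]  # expired: never serve a stale decision
        self.authorize_calls += 1
        claims = self.authorize(token)
        self._entries[token] = (now + self.ttl, claims)
        if len(self._entries) > self.max_size:
            self._entries.popitem(last=False)  # evict least recently used
        return claims


def authorize_calls_for(max_size, ttl, tokens, duration_s, interval_s):
    """Count upstream authorization calls for a workload in which every
    token in `tokens` calls the SCIM API once per `interval_s` seconds
    for `duration_s` seconds."""
    clock = FakeClock()
    cache = TokenAuthCache(max_size, ttl, lambda tok: {"sub": tok}, clock)
    for _ in range(int(duration_s / interval_s)):
        for tok in tokens:
            cache.lookup(tok)
        clock.advance(interval_s)
    return cache.authorize_calls


if __name__ == "__main__":
    # Constructed workloads. One long-running process polling every 5 s for
    # 3 minutes re-authorizes three times with the 60 s default TTL, but only
    # once with a TTL that covers the whole run.
    print("1 token, TTL 60 :", authorize_calls_for(1000, 60, ["tokA"], 180, 5))
    print("1 token, TTL 300:", authorize_calls_for(1000, 300, ["tokA"], 180, 5))
    # Ten concurrent tokens with a cache sized for five thrash the cache, so
    # every call goes upstream; sizing the cache for the concurrency fixes it.
    many = [f"tok{i}" for i in range(10)]
    print("10 tokens, size 5 :", authorize_calls_for(5, 60, many, 180, 5))
    print("10 tokens, size 10:", authorize_calls_for(10, 60, many, 180, 5))
```

The two simulated workloads map directly onto the tuning advice above: a TTL shorter than a long-running caller's lifetime forces periodic re-authorization, and a cache smaller than the number of concurrently active tokens causes every call to miss, so the cache size should be set from the expected concurrency and the TTL from the longest expected caller.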
Changing the configured SCIM attributes by using the console
- Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.
- From the navigation menu, click Workloads > Config Maps.
- Search for platform-auth-idp.
- Click ... > Edit Config Map.
- Change the following attribute values to a higher value, as required:
  - SCIM_AUTH_CACHE_MAX_SIZE
  - SCIM_AUTH_CACHE_TTL_VALUE
- Click Save.
- From the navigation menu, click Workloads > Deployments.
- Locate auth-idp.
- Click ... > Edit Deployment. A window for editing displays.
- Click Save without making any change. This step reloads the auth-idp pods with the latest ConfigMap values.
- Click auth-idp.
- Wait for some time. Then, check the status of the auth-idp pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready column.
Changing the configured SCIM attributes by using CLI
- Log in to your infrastructure node by using the oc login command.
- Edit the platform-auth-idp configmap:
  oc -n ibm-common-services edit configmap platform-auth-idp
- Change the following SCIM configuration parameters to a higher value:
  - SCIM_AUTH_CACHE_MAX_SIZE
  - SCIM_AUTH_CACHE_TTL_VALUE
- Save the changes.
- Restart the auth-idp pods by deleting the pods:
  - Get the auth-idp pod names:
    oc -n ibm-common-services get pods | grep auth-idp
  - Delete the auth-idp pod:
    oc -n ibm-common-services delete pods <pod-name>
- Wait for some time and then check the status of the auth-idp pods. The status of all auth-idp pods must show as Running:
  oc -n ibm-common-services get pods | grep auth-idp
Custom Group filter support in SCIM User API
From foundational services version 3.22 and later, the LDAP Group filter value is applied when you query the groups of a SCIM user.
For example, User1 is a member of four groups: icptest1, icptest2, isvtest1, and isvtest2, and you set the LDAP Group filter to "(&(cn=%v)(cn=*icptest*)(objectclass=person))" while creating the LDAP connection. When you query User1 through the SCIM API, User1 has only the icptest1 and icptest2 groups in the groups section of the SCIM response.
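The following added Python example (not IBM's IAM code) reproduces the group filtering described above with a small evaluator for the LDAP filter syntax: it parses a filter, substitutes %v, and keeps only the groups whose entry satisfies it. Assumptions of this example: %v is replaced with the cn of each candidate group before evaluation, attribute values are compared case-insensitively, only the &, |, ! and equality-with-wildcard operators are supported, and the group entries are constructed (they carry objectclass=person so that the filter quoted on the page can match them). The names parse_filter, matches, filter_groups and USER1_GROUPS are this example's own.

```python
"""Evaluate an LDAP Group filter against the groups of a SCIM user.

Added example; not IBM's IAM code. Assumptions: %v is replaced with the
cn of each candidate group before the filter is evaluated, attribute
values are compared case-insensitively, and only the RFC 4515 operators
&, |, ! and equality with '*' wildcards are supported. The group entries
below are constructed and carry objectclass=person so that the filter
quoted on the page can match them.
"""
import re


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', [children]) or
    ('=', attribute, pattern) tuples."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            node = (op, children)
        else:
            end = text.index(")", pos)
            attr, sep, pattern = text[pos:end].partition("=")
            if not sep:
                raise ValueError(f"bad item {text[pos:end]!r}")
            node = ("=", attr.strip().lower(), pattern)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Return True when `entry` (dict of lowercase attribute -> list of
    values) satisfies the parsed filter `node`."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # '*' is the only wildcard; everything else is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, value, re.IGNORECASE)
               for value in entry.get(attr, []))


def filter_groups(user_groups, group_filter):
    """Return the cn of each group that passes the configured Group filter,
    substituting %v with that group's cn (assumed behaviour)."""
    kept = []
    for entry in user_groups:
        cn = entry["cn"][0]
        tree = parse_filter(group_filter.replace("%v", cn))
        if matches(tree, entry):
            kept.append(cn)
    return kept


# Constructed LDAP entries for the four groups User1 belongs to.
USER1_GROUPS = [
    {"cn": ["icptest1"], "objectclass": ["person"]},
    {"cn": ["icptest2"], "objectclass": ["person"]},
    {"cn": ["isvtest1"], "objectclass": ["person"]},
    {"cn": ["isvtest2"], "objectclass": ["person"]},
]
GROUP_FILTER = "(&(cn=%v)(cn=*icptest*)(objectclass=person))"

if __name__ == "__main__":
    print(filter_groups(USER1_GROUPS, GROUP_FILTER))                     # icptest1, icptest2
    print(filter_groups(USER1_GROUPS, "(&(cn=%v)(objectclass=person))"))  # all four groups
```

Running it with the page's filter yields icptest1 and icptest2 only; dropping the (cn=*icptest*) term returns all four groups, which is a quick way to check whether a filter you plan to configure will hide groups that authorization decisions downstream of SCIM still depend on.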