  1. OpenDJ
  2. OPENDJ-8145

Avoid GrantSet ds-sync-hist attributes creating a performance problem



    • Improvement
    • Status: Dev backlog
    • Critical
    • Resolution: Unresolved
    • 7.1.0
    • 7.2.0
    • None


      When the AM OAuth2 Provider is configured to use the GrantSet storage scheme, AM stores all OAuth2 Grants for a given client + resource owner pair in a single CTS entry.

      If too many Grants are added to the GrantSet within the DS replication purge delay window, the GrantSet entry can grow to a size that creates a performance problem for DS.

      Customers can control the number of active Grants by keeping refresh token and access token lifetimes short. As Grants expire, they are removed from the GrantSet by AM, and this helps to control the size (in bytes) of all user attributes. There is also a separate story to enforce quotas (AME-17689).

      However, when a Grant is deleted from the GrantSet, a record of this modification is kept as a ds-sync-hist attribute. This attribute will remain in the entry until the replication purge delay has elapsed. Therefore, even if Grants are deleted, the overall size of the entry can still grow too large if Grants are being created at a rate too fast for the currently configured replication purge delay.

      Other than reducing replication purge delay, we need some means to control entry size when the GrantSet storage scheme is used and a client is creating new Grants at a high frequency.
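
To check how much of a GrantSet entry is replication history rather than live Grants, the entry can be exported as LDIF with ds-sync-hist requested and measured. The script below is an added example, not code from this issue or from DS/AM; the sample entry is constructed, and its DN, the coreTokenId/coreTokenObject values and the history values are placeholders.

```python
import base64

# Constructed sample: one CTS-style entry as LDIF, with ds-sync-hist requested
# explicitly. DN, attribute values and history values are placeholders.
SAMPLE_LDIF = """\
dn: coreTokenId=grantset-1,ou=tokens,dc=example,dc=com
coreTokenId: grantset-1
coreTokenObject:: QUJDREVGR0g=
ds-sync-hist: coreTokenObject:csn-0001:del:grant-
 a
ds-sync-hist: coreTokenObject:csn-0002:del:grant-b
ds-sync-hist: coreTokenObject:csn-0003:add:grant-c
"""

def parse_entries(text):
    """Parse LDIF into [{'dn': str, 'attrs': [(name, bytes), ...]}, ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif not raw.startswith("#"):       # skip LDIF comments
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ").encode("utf-8")
        if name.lower() == "dn":
            current = {"dn": value.decode("utf-8"), "attrs": []}
        elif current is not None:
            current["attrs"].append((name, value))
    return entries

def size_report(entry, hist_attr="ds-sync-hist"):
    """Split an entry's value bytes into replication history vs everything else."""
    hist = [v for n, v in entry["attrs"] if n.lower() == hist_attr]
    other = [v for n, v in entry["attrs"] if n.lower() != hist_attr]
    hist_bytes, other_bytes = sum(map(len, hist)), sum(map(len, other))
    total = hist_bytes + other_bytes
    return {"dn": entry["dn"], "hist_values": len(hist), "hist_bytes": hist_bytes,
            "other_bytes": other_bytes,
            "hist_share": hist_bytes / total if total else 0.0}

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LDIF):
        print(size_report(e))
```

Running it over the same entry at intervals shorter than the purge delay shows whether hist_bytes keeps climbing while other_bytes stays flat, which is the growth pattern described above.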





              Unassigned
              Craig McDonnell (craig.mcdonnell)