Keycloak clustering in a dynamic environment

Hi,
I read https://github.com/keycloak/keycloak-containers/tree/master/server and some of the links about clustering, and it doesn’t really explain how the session caches are replicated. I don’t want users logged out when a server disappears, and I’m going to run a very dynamic environment in AWS ECS.
So I want to set the CACHE_OWNERS_AUTH_SESSIONS_COUNT to a high number, so that all sessions are replicated to all nodes.
Overnight, we have one node. At 9AM hundreds of people log in and 5 more nodes boot up. At 9:15 they’re logged in and we scale back to a single node, which holds all sessions.
Then later, we spin up new nodes. Do all the existing sessions from the remaining node then get replicated? Or do they only replicate sessions when they are created?
This time when we scale down, the original node could be destroyed. And if it hadn’t replicated all the 9am sessions, they would be lost.

(The idea that sessions have “owner nodes” makes it sound like they’d get created with a list of owners that were available at the time. If those nodes are unavailable, why would it rewrite the owner list? Is it that clever?! :) )

Do I need one guaranteed “master” node that is always available?

My understanding is that cache owners is a representation of how many of your cluster machines will contain a reference to your cache object.

So if it is set to a number greater than 1, when you add your additional nodes it will rebalance the cache to other machines within the cluster, in effect distributing the cache within the cluster.

I would assume that if you downsize quickly from 5 or more nodes to a single node, then you may lose cache data. Maybe downsize 1 at a time to allow for a complete cache re-balance?

@simonpayne is right. The number of owners in Infinispan means “how many copies of data” you will have in your cluster. Whenever a node is added to the cluster (or removed), Infinispan rebalances the cluster. If you scale down your cluster quickly, you may lose some data. In that case, Keycloak users will have to re-authenticate.

2 Likes
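A toy model of the owner-count behaviour described in this thread, added here as an example and not taken from any poster or from Keycloak or Infinispan. It assumes rendezvous hashing as a stand-in for Infinispan's real consistent hash and an instantaneous rebalance; the `Cluster` class, node names and session ids are all constructed for illustration.

```python
import hashlib

def owners_for(key, members, num_owners):
    """Pick num_owners members for a key by rendezvous hashing (a stand-in
    for Infinispan's consistent hash, which this does not reproduce)."""
    rank = lambda n: hashlib.sha256(f"{n}:{key}".encode()).digest()
    return set(sorted(members, key=rank)[:num_owners])

class Cluster:
    def __init__(self, members, num_owners):
        self.num_owners = num_owners
        self.store = {m: set() for m in members}   # node -> session ids held

    def put(self, key):
        for n in owners_for(key, self.store, self.num_owners):
            self.store[n].add(key)

    def rebalance(self):
        """Re-copy every session that still has a surviving copy to its
        owners under the current membership."""
        alive = set().union(*self.store.values())
        self.store = {m: set() for m in self.store}
        for key in alive:
            self.put(key)

    def join(self, *nodes):
        for n in nodes:
            self.store[n] = set()
        self.rebalance()

    def leave(self, *nodes):
        """Nodes vanish together; their copies are gone before rebalancing."""
        for n in nodes:
            del self.store[n]
        self.rebalance()

def scenario(graceful, num_owners=2, count=200):
    """Return how many of `count` constructed sessions survive the scale-in."""
    c = Cluster(["n1"], num_owners)
    for i in range(count):              # 9am logins land on the single node
        c.put(f"session-{i}")
    c.join("n2", "n3", "n4", "n5")      # scale out: existing sessions rebalance
    doomed = ["n1", "n2", "n3", "n4"]   # scale in, original node included
    if graceful:
        for n in doomed:
            c.leave(n)                  # one at a time, rebalance in between
    else:
        c.leave(*doomed)                # all at once
    return len(set().union(*c.store.values()))
```

Comparing `scenario(graceful=True)` with `scenario(graceful=False)` shows the difference between draining one node at a time and dropping four nodes together with two owners; `num_owners=5` models the "replicate everything to every node" setting from the question.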