[midPoint] Midpoint 3.4.1 Performance Issues UI and REST
Ivan Noris
ivan.noris at evolveum.com
Wed Nov 2 12:53:54 CET 2016
Hmm,
I was expecting to see associationTargetSearch witch searchOnResource;
that could be optimized. But these associationFromLink should be OK.
I hope the answer provided by Pavol will help you (and us) to trace the
root of the problem further.
Ivan
On 11/02/2016 12:49 PM, Martin Herbert wrote:
>
> Hi Ivan,
>
>
>
> Yes the assignments are setup to add users to groups. We have
> multiple AD Domains and the groups reside on each domain. The below
> is the metarole we have associated with each role within Midpoint
> itself that has the logic to map it to all resources where relevant.
>
>
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>
>
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>
>
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>
> oid="aef77645-a406-4598-be2e-6c7217944fe1"
>
> version="76">
>
> <name>Metarole for groups</name>
>
> <metadata>
>
> <createTimestamp>2016-10-14T06:52:38.197Z</createTimestamp>
>
> <creatorRef oid="a507b312-69a5-422a-852a-3d1d5f1f02b9"
> type="c:UserType"><!-- admin.dm --></creatorRef>
>
>
> <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>
> </metadata>
>
> <inducement id="1">
>
> <construction>
>
> <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa"
> type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </construction>
>
> <condition>
>
> <source>
>
> <c:path>$immediateRole/roleType</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>roleType != "system"</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> <inducement id="2">
>
> <construction>
>
> <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa"
> type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>account</kind>
>
> <intent>user</intent>
>
> <association>
>
> <c:ref>ri:group</c:ref>
>
> <outbound>
>
> <expression>
>
> <associationFromLink>
>
> <projectionDiscriminator>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </projectionDiscriminator>
>
> </associationFromLink>
>
> </expression>
>
> </outbound>
>
> </association>
>
> </construction>
>
> <order>2</order>
>
> <condition>
>
> <source>
>
> <c:path>$user/organizationalUnit</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>organizationalUnit.toString() == 'Employees
> Delft' || organizationalUnit.toString() == 'Employees Milton Keynes'
> || organizationalUnit.toString() == 'Employees Maarssen' ||
> organizationalUnit.toString() == 'Employees Borlange' ||
> organizationalUnit.toString() == 'Contractors EXLRT' ||
> organizationalUnit.toString() == 'Contractors EU' ||
> organizationalUnit.toString() == 'Customers EU'</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> <inducement id="4">
>
> <construction>
>
> <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff"
> type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>account</kind>
>
> <intent>user</intent>
>
> <association>
>
> <c:ref>ri:group</c:ref>
>
> <outbound>
>
> <expression>
>
> <associationFromLink>
>
> <projectionDiscriminator>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </projectionDiscriminator>
>
> </associationFromLink>
>
> </expression>
>
> </outbound>
>
> </association>
>
> </construction>
>
> <order>2</order>
>
> <condition>
>
> <source>
>
> <c:path>$user/organizationalUnit</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>organizationalUnit.toString() == 'Employees DC'
> || organizationalUnit.toString() == 'Employees Richmond' ||
> organizationalUnit.toString() == 'Contractors USEast' ||
> organizationalUnit.toString() == 'Customers USEast'</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> <inducement id="6">
>
> <construction>
>
> <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f"
> type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>account</kind>
>
> <intent>user</intent>
>
> <association>
>
> <c:ref>ri:group</c:ref>
>
> <outbound>
>
> <expression>
>
> <associationFromLink>
>
> <projectionDiscriminator>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </projectionDiscriminator>
>
> </associationFromLink>
>
> </expression>
>
> </outbound>
>
> </association>
>
> </construction>
>
> <order>2</order>
>
> <condition>
>
> <source>
>
> <c:path>$immediateRole/organizationalUnit</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>organizationalUnit.toString() == 'Employees
> Seattle' || organizationalUnit.toString() == 'Contractors USWest' ||
> organizationalUnit.toString() == 'Customers USWest'</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> <inducement id="3">
>
> <construction>
>
> <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff"
> type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </construction>
>
> <condition>
>
> <source>
>
> <c:path>$immediateRole/roleType</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>roleType != 'system'</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> <inducement id="5">
>
> <construction>
>
> <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f"
> type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP)
> --></resourceRef>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </construction>
>
> <condition>
>
> <source>
>
> <c:path>$immediateRole/roleType</c:path>
>
> </source>
>
> <expression>
>
> <script>
>
> <code>roleType != 'system'</code>
>
> </script>
>
> </expression>
>
> </condition>
>
> </inducement>
>
> </role>
>
>
>
>
> <http://www.tahzoo.com>
> Martin Herbert
> Hosting Manager / Head of IT & Hosting Services
>
> M: *+44 7862 993 003* <tel:+44%207862%20993%20003>
>
> E: *martinh at tahzoo.com* <mailto:martinh at tahzoo.com> | W:
> *www.tahzoo.com* <http://www.tahzoo.com>
>
> A: *399 Silbury Blvd, Milton Keynes, MK9 2AH, *
> <https://www.google.com/maps/place/399+Silbury+Blvd,+Milton+Keynes+MK9+2AH,+UK/@52.0414531,-0.7670066,17z/data=%213m1%214b1%214m5%213m4%211s0x4877aa98b50bb921:0xef39de0bd21f30c6%218m2%213d52.0414531%214d-0.7648179>
>
>
>
> *From: *midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Ivan Noris <ivan.noris at evolveum.com>
> *Organization: *Evolveum, s.r.o.
> *Reply-To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Date: *Wednesday, 2 November 2016 at 11:36
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] Midpoint 3.4.1 Performance Issues UI and REST
>
>
>
> Hi Martin,
>
> are those 42 assignments using associationTargetSearch to put accounts
> to e.g. groups?
>
> If so, can you paste an example how are you using it?
>
> Best regards,
>
> Ivan
>
>
>
> On 11/02/2016 11:53 AM, Martin Herbert wrote:
>
> Hi Guys,
>
>
>
> We’ve constantly been suffering with performance issues on our
> Midpoint environment. The setup includes a cluster of 2 servers
> with around 10,000 objects. Although user account modifications
> are fairly quick when it comes to a small number of assignments (1
> or 2 maximum), there is a significant performance issue with a
> larger amount of assignments. Testing my own account during
> reconciliation which has 42 assignments and 2 projections to
> different AD resources which can take up to 5 minutes before
> completion.
>
>
>
> From an integration standpoint for these two projections, one of
> the AD servers utilises the .Net Connector which is still slow,
> but much quicker than the OpenICF integration on the other projection.
>
>
>
> We also have a password tool that integrates with the REST
> services for Midpoint, the same issue also applies here. The more
> assignments that are on an account, the longer it takes for a
> password change to occur. And in a number of cases even timeouts
> for a given account.
>
>
>
> The major pain point is the password changes, is there no way
> password changes can be done without removing and re-adding all
> assignments for each given account?
>
>
>
> Overall performance also seems to be an issue in some browsers as
> well (Firefox for example). Is there a list of supported browsers
> available?
>
>
>
> Thanks
>
>
>
> <http://www.tahzoo.com>
>
>
>
> *Martin Herbert*
>
> *Hosting Manager / Head of IT & Hosting Services*
>
> *M: *
>
>
>
> *+44 7862 993 003* <tel:+44%207862%20993%20003>
>
> *E: *
>
>
>
> *martinh at tahzoo.com* <mailto:martinh at tahzoo.com>
>
>
>
> |
>
>
>
> *W: *
>
>
>
> *www.tahzoo.com* <http://www.tahzoo.com>
>
> *A: *
>
>
>
> *399 Silbury Blvd, Milton Keynes, MK9 2AH, *
> <https://www.google.com/maps/place/399+Silbury+Blvd,+Milton+Keynes+MK9+2AH,+UK/@52.0414531,-0.7670066,17z/data=%213m1%214b1%214m5%213m4%211s0x4877aa98b50bb921:0xef39de0bd21f30c6%218m2%213d52.0414531%214d-0.7648179>
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161102/fea2a951/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 1293 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161102/fea2a951/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 1068 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161102/fea2a951/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 1294 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161102/fea2a951/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 1069 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161102/fea2a951/attachment-0003.png>
More information about the midPoint
mailing list