[midPoint] Help optimizing metarole that's called over 1000 times per user.

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Wed Feb 20 19:48:30 CET 2019


Thank you Arnošt, just started testing this, seems promising.

Em qua, 20 de fev de 2019 às 06:28, Arnošt Starosta - AMI Praha a.s. <
arnost.starosta at ami.cz> escreveu:

> Hi Alcides,
>
> i don't see the problem with your org/role hierarchy, but if the role gets
> evaluated too many times, role idempotence configuration always comes to
> mind
>
>
> https://wiki.evolveum.com/display/midPoint/Roles+and+Policies+Configuration#RolesandPoliciesConfiguration-IdempotentRoles
>
> If you don't need the metarole evaluated for every single assignment path,
> try setting idempotence to conservative or aggressive.
>
> But maybe you don't have 1500 assignment paths on a single user and then I
> just don't know.
>
> arnost
>
> út 19. 2. 2019 v 22:31 odesílatel Alcides Carlos de Moraes Neto <
> alcides.neto at gmail.com> napsal:
>
>> Hello list,
>>
>> We have a very simple metarole that is applied to Roles in order to turn
>> them into AD groups, done based on the documentation example (
>> https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization#Roles,MetarolesandGenericSynchronization-Higher-OrderInducements).
>>
>>
>> We extend it, adding more inducements with associationFromLink. In total,
>> there are 10 order=2 inducements. One for simple user account membership.
>> Another for group-group membership, and the other 8 are for Org types, one
>> for each AD projection that orgs can have. For these, there are script
>> conditions that check for some assignment fields values.
>>
>> It all works just fine, however it performs horribly. When making changes
>> or recomputing a user with very few assignments, just a Org and a group,
>> the invocation count for this Metarole can reach 1500 calls. Each call is
>> fast, but they add up to 500ms sometimes.
>>
>> This will not happen for users with no Org assigned. It seems midPoint
>> goes 'nuts' and validates this metarole for every Org up in the
>> organization tree. We do have a fairly complex Org Tree, with almost 1300
>> Orgs. But all the inducements are order=2, shoulnd't only the immediate Org
>> be validated?
>>
>> Any help here will be appreciated, thanks.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> --
>
> *Arnošt Starosta*
> solution architect
>
> gsm: [+420] 603 794 932
> e‑mail: arnost.starosta at ami.cz
>
> *AMI Praha a.s.*
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
> [image: AMI Praha a.s.]
>
> Textem tohoto e‑mailu podepisující neslibuje uzavřít ani neuzavírá
> za společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
> Tento e‑mail je určen výhradně pro potřeby jeho adresáta/ů a může
> obsahovat důvěrné nebo osobní
> informace. Nejste‑li zamýšleným příjemcem, je zakázáno jakékoliv
> zveřejňování, zprostředkování
> nebo jiné použití těchto informací. Pokud jste obdrželi e‑mail
> neoprávněně, informujte o tom prosím
> odesílatele a vymažte neprodleně všechny kopie tohoto e‑mailu včetně
> všech jeho příloh. Nakládáním
> s neoprávněně získanými informacemi se vystavujete riziku právního postihu.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190220/616db7f1/attachment.htm>


More information about the midPoint mailing list