Ok, Francesco, all is clear now.
Thinking about the combination of Authentication and Authorization, I'll
assume that "Login" is faster than "Read user", but must be added to "Read
User" considering get Roles, Groups, etc.

I didn't notice the indication about concurrence.
Good, maybe we will also try with more concurrent connections.

Thank you very much!

On Mon, Dec 10, 2018 at 5:42 PM Francesco Chicchiriccò <[email protected]>
wrote:

> On 10/12/18 10:36, Ciusso Hb wrote:
>
> Hi Francesco, thank you very much for the precise and concise answers.
>
> My idea of segregation is this:
> an admin of a realm can manage users (CRUD) in that realm and cannot do
> anything in other realms, nor view them.
> So I think this is the right approach.
>
> Correct.
>
> I've seen your blog post about performance, great and interesting work,
> and I've a couple of questions about that:
> - In the tests you don't consider authentication like "accessTokens/login"
> or "users/self", are those comparable to "Read Existing User"?
>
> No, it's way less.
>
> - How many concurrent connections were there during the tests?
>
> As reported in the article:
>
> "The suite was configured for 10 concurrent threads, each running all the
> operations for 30 loops, with ramp-up time of 10 seconds, for a total
> duration of 20 minutes."
>
> So, 10 concurrent connections.
>
> Regards.
>
> On Mon, Dec 10, 2018 at 9:13 AM Francesco Chicchiriccò <
> [email protected]> wrote:
>
>> Hi,
>> please find my replies embedded below.
>>
>> Regards.
>>
>> On 08/12/18 23:29, Ciusso Hb wrote:
>> > Hi all, this is my first message and I've got a bunch of questions.
>> >
>> > Apache Syncope looks really good and it's my plan to use it to manage
>> > users of various branches of the same organization.
>> >
>> > I don't need different Domains (that I see like "tenant", is this
>> > correct?), but I would like to be able to logically "segregate" users.
>> > To achieve that my idea is to use Realms, is this a good choice?
>>
>> It depends on what you mean by "segregate": at which level you would
>> like to separate users? With domains [1] you will end up in storing user
>> entries onto different tables in different databases; without them,
>> users will go anyway onto the same table.
>>
>> Realms [2] are meant for simplifying the definition of delegated
>> administration [3].
>>
>> > The number of branches will be 50k, 1 to 10 users each.
>> > It will be possible the need to have "sub-branches" (max 2 levels).
>> >
>> > The number of Realms can be a problem?
>> No.
>> > The number of users can be a problem?
>> 50k * 10 = 500k users; not an issue, especially if you plan to use
>> Syncope with PostgreSQL JSONB [4].
>> > The use of many Realms can make performance worse?
>> I don't think so: there should be enough indexes in the db to support
>> such configuration.
>> > A user from a Realm can see all users from all the Realms?
>>
>> If by "a user" you mean "a delegated administrator", the answer is no,
>> there are hierarchy rules (on purpose, as you can read from [3]) to
>> restrict such scope.
>>
>> [1] http://syncope.apache.org/docs/2.1/reference-guide.html#domains
>> [2] http://syncope.apache.org/docs/2.1/reference-guide.html#realms
>> [3] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
>> [4] http://blog.tirasa.net/benchmarking-apache-syncope-on-postgresql.html
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
