Enhancing SCIM group and user API performance

Enhanced SCIM group API performance

From foundational services version 3.19 and later, the LDAP search is enhanced. By default, foundational services now supports an LDAP query filter size limit of up to 5000. Because a large batch of group members can be searched in a single LDAP search, the group API performance has improved along with the larger filter size. If a group has a very large number of members, increase the LDAP query filter size limit of the configured LDAP to at least 5000 to benefit from the enhanced performance of the group API calls.

Follow the tuning guidelines for CPU and memory in the following observations if you have a large number of members in a group:

Note: The values in the following observations and tuning guidelines are estimates. They might also depend on other environmental factors such as the overall load, cluster health, and network.

Enhanced SCIM user API performance

IM has the following configuration parameters for the SCIM users search API:

These SCIM configuration parameters improve the overall response time by avoiding repeated authorization calls.

Changing the configured SCIM attributes by using the console

  1. Log in to the OpenShift Container Platform console as a user with cluster administrator access.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change the following attribute values to true, as required:

    • SCIM_AUTH_CACHE_MAX_SIZE

    • SCIM_AUTH_CACHE_TTL_VALUE

  6. Click Save.

  7. From the navigation menu, click Workloads > Deployments.

  8. Locate platform-auth-service.

  9. Click ... > Edit Deployment. A window for editing displays.

  10. Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.

  11. Click platform-auth-service.

  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. All pods must show 4/4 in the Ready column.

Changing the configured SCIM attributes by using CLI

  1. Log in to your infrastructure node by using the oc login command.

  2. Edit the platform-auth-idp configmap.

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    
  3. Change the following SCIM configuration attributes to a higher value:

    • SCIM_AUTH_CACHE_MAX_SIZE
    • SCIM_AUTH_CACHE_TTL_VALUE
  4. Save the changes.

  5. Restart the platform-auth-service pods by deleting the pods.

    1. Get the platform-auth-service pod names.

      oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
      
    2. Delete the platform-auth-service pod.

      oc -n <your-foundational-services-namespace> delete pods <pod-name>
      
  6. Wait for some time and then check the status of the platform-auth-service pods. All platform-auth-service pods must show the status Running.

    oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service

Custom Group filter support in SCIM User API

From foundational services version 3.19.9, 3.22, and later, the LDAP Group filter value is applied when you query the groups of a SCIM user.

For example, User1 is a member of four groups (icptest1, icptest2, isvtest1 and isvtest2) and you set the LDAP Group filter to "(&(cn=%v)(cn=*icptest*)(objectclass=person))" when you create the LDAP connection. When you query User1 through the SCIM API, the groups section of the SCIM response for User1 contains only icptest1 and icptest2.
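To make the group filter behaviour concrete, the following added example (not code from foundational services) applies the page's filter to User1's four groups with a small RFC 4515 style filter evaluator. The directory entries, including their objectclass values, are constructed so that the page's example filter can match; %v is substituted with each group name before evaluation.

```python
import re

# Constructed example data (not from a real directory): User1's four groups.
USER1_GROUPS = ["icptest1", "icptest2", "isvtest1", "isvtest2"]
# Group filter value from the page; %v is replaced by each group name at query time.
GROUP_FILTER = "(&(cn=%v)(cn=*icptest*)(objectclass=person))"
# Constructed group entries; objectclass chosen so the page's filter can match.
DIRECTORY = [{"cn": [g], "objectclass": ["top", "person"]} for g in USER1_GROUPS]


def parse_filter(s, i=0):
    """Parse an RFC 4515 style filter: (&...), (|...), (!...) and attr=value."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("eq", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # '*' in the value is an LDAP substring wildcard; everything else is literal.
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def filter_member_groups(group_filter, member_groups, directory):
    """Return the member groups that survive the configured LDAP group filter."""
    kept = []
    for name in member_groups:
        tree, _ = parse_filter(group_filter.replace("%v", name))
        if any(matches(tree, e) for e in directory):
            kept.append(name)
    return kept


if __name__ == "__main__":
    print(filter_member_groups(GROUP_FILTER, USER1_GROUPS, DIRECTORY))
```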