How to Use Apache Cassandra as User and Session DataStore in OpenAM
One of the performance bottlenecks of authentication is User DataStore. This becomes noticeable when the total number of user accounts exceeds 4 000 000.
To maintain acceptable performance, the most obvious solution is to scale User DataStore horizontally or vertically. But with an increasing amount of data, DataStore scaling does not affect performance.
With the increasing load on the authentication system, the most obvious solution is to scale horizontally or vertically the number of user repository nodes.
Another alternative solution is to use storage specifically designed for working with large amounts of data. One of such storages is Apache Cassandra. It has proved itself as a high-availability and high-performance datastore.
Allow materialized views for Cassandra 4+ (in version 3 enabled by default) in conf/cassandra.yaml:
# Enables materialized view creation on this node.
# Materialized views are considered experimental and are not recommended for production use.
enable_materialized_views: trueСreate the corresponding Keyspaces and tables, for each OpenAM realm, from template import.cql
bin/cqlsh -f import.cqlСreate the corresponding Keyspaces and tables, for OpenAM CTS, from template schema.cqlsh
bin/cqlsh -f schema.cqlshAdd cassandra contact-points info in bin/setenv.sh and restart OpenAM:
export CATALINA_OPTS=" ... \
-Ddatastax-java-driver.basic.contact-points.0=ip1:9042 \
-Ddatastax-java-driver.basic.contact-points.1=ip2:9042 \
-Ddatastax-java-driver.basic.load-balancing-policy.local-datacenter=datacenter1 \
-Ddatastax-java-driver.advanced.auth-provider.class=PlainTextAuthProvider \
-Ddatastax-java-driver.advanced.auth-provider.username=user \
-Ddatastax-java-driver.advanced.auth-provider.password=password \
"Open OpenAM administration console, goto Realms select target realm, then goto DataStores and create new DataStore.
Then setup following settings:
| Setting | Value |
|---|---|
| Servers | don't use (leave blank) |
| User name | don't use (leave blank) |
| Password | don't use (leave blank) |
| Password (confirm) | don't use (leave blank) |
| Keyspace | Cassandra keyspace for this realm realm_name
|
| Setting | Value |
|---|---|
| Database Repository Plugin Class Name | org.openidentityplatform.openam.cassandra.Repo |
| Tables |
group=groupuser=userrealm=realm
|
| Operations |
realm=read,create,edit,delete,service group=read,create,edit,deleteuser=read,create,edit,delete,service
|
| Setting | Value |
|---|---|
| TTL |
realm:attr1=86400 user:attr2=86400 group:attr3=86400
|
| Attribute Name of User Status | inetuserstatus |
| User Status Active Value | Active |
| Setting | Value |
|---|---|
| Attribute Name for Group Membership | memberOf |
Click the Save button
You can check datastore. Goto Subjects -> Users and create a new user account. For example:
Click Save and make sure, the record exists in Cassandra:
cassandra@cqlsh:realm_name> SELECT * FROM realm_name.values ;
Add cassandra external CTS settings in bin/setenv.sh:
export CATALINA_OPTS=" ... \
-Dorg.forgerock.openam.sm.datalayer.module.CTS_ASYNC=org.openidentityplatform.openam.cassandra.CTSAsyncConnectionModule \
-Dorg.forgerock.openam.sm.datalayer.module.CTS_MAX_SESSION_TIMEOUT_WORKER=org.openidentityplatform.openam.cassandra.CTSConnectionModule \
-Dorg.forgerock.openam.sm.datalayer.module.CTS_SESSION_IDLE_TIMEOUT_WORKER=org.openidentityplatform.openam.cassandra.CTSConnectionModule \
-Dorg.forgerock.openam.sm.datalayer.module.CTS_EXPIRY_DATE_WORKER=org.openidentityplatform.openam.cassandra.CTSConnectionModule \
-Dorg.forgerock.services.cts.store.root.suffix=cts.tokens \
"restart OpenAM, login and check session info in Cassandra
cassandra@cqlsh:cts> SELECT * FROM cts.tokens ;
