grouper-users - [grouper-users] RE: Load testing the Grouper UI with JMeter
Subject: Grouper Users - Open Discussion List
List archive
- From: "Redman, Chad Eric" <>
- To: "Hyzer, Chris" <>, "" <>
- Subject: [grouper-users] RE: Load testing the Grouper UI with JMeter
- Date: Thu, 19 Jan 2017 19:55:16 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:Qsnd7hVN7sD4ehXKXpdcNb2EQpjV8LGtZVwlr6E/grcLSJyIuqrYZRWFuKdThVPEFb/W9+hDw7KP9fuxBSpcuN3Y6itKWacPfidNsd8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3wOgVvO+v6BJPZgdip2OCu4Z3TZBhDiCagbb9oIhi7qQrcutMZjId/Jao91wXFr3VVcOlK2G1kIk6ekQzh7cmq5p5j9CpQu/Ml98FeVKjxYro1Q79FAjk4Km45/MLkuwXNQguJ/XscT34ZkgFUDAjf7RH1RYn+vy3nvedgwiaaPMn2TbcpWTS+6qpgVRHlhDsbOzM/7WrajNF7gqBGrxK7vxFxw5DabpyJNPRwfa3dc9EVRWtdUcheWCNMGZ+8b5ITA+YdIepUs5Txql0TphW+HwmsA+bvxydGinHqw6I1zuEhHhvA3AA4AtkDrnTUo8/oO6wPXu611qjIwinNY/hL3jry9IjIfQo8rv6UR7J/b9feyUw1GAPDlViQtIrlMC+P2usTrmeb8vNtWOSygGAprAFxpyKgxsYqioTRhoIV1kzE9T1iz4kvPt24SVJ0bsS5EJtMtyGVKY12Qt8jQ250oik61rwGuZm9fCkE0psn3APfa+eZfIeV+B7jVeCRLS9li3JiZL2/hAi98VK6xuLgUcm01U5GoTBdktbWqn8N1wLc5tKASvtn8UetwTaP1xzP6uFcIUA7i7DUJIM/zb4qjZofq1jDHijulEXxka+WakEk+u+v6+TkeLnpupicN4pyhwrjMaougtSyDfoiPQQSQmSW/Pmw2KD+8UD8TrVHgeE6nrXcvZDUO8sWqbC1DgpQ34si5RuzEy+q3MkYkHUZNl5JZgiLg5X1N13QOvz0EPiyjleqnTx23f7JJKfhDY/ILnXbkLfuY7J960lExQQr0d1R4I5YBqwYLP/uWED9qsXUDhgiPAOq2ernD8h91p8FVmKIH6+ZNr7dvUWQ5uI1JOmMeJEatyrhK/gk4P7ui2U1mVgAfam12ZsXb3e4Hvd8L0qFZnrsh88NEWYMvgUgUOznkEOOXiRPa3qvWq8w+yw3BJ+jAIfNSY2hnKCN0SK1HpJIaW1KFFWBHHLpeoiKR/sAcCeSLdVgkjwAW7ihUYgh1RS2uQDmy7poNPfb9TUCtZ39ydd14vfclRcp+DxpCcSSz3uBQH9pkWMVXzM2xrxwoVRhylef1qh1m/NYFcZU5/NUSgc1K4Tcw/VnC9DpRA3BZMyJRU2iQtWnGjExUskxz8EUb0Z8HdWikg7M3zCsA7ALi7yHGoY4/bzB0HjsdI5BzCOM9LgzgkNiCuBPL2y9zOYr8gPTFpzEiW2YjK3saLwR2iiL+Wuemy7G9k5CVxNoXL+AQGsSfFD+rNLl61nEQqP0T7krL0EJncGYLbZSZ8eskE5LXuzLOdLCbni3lnvqQxuE2+XfQpDtfjBX5ijRDUEC10g4/X+KfSUkByzr6zbVDDViIkjib0bl98Fjrnj9Q0MpmVLZJ3Z93qa4r0ZGzceXTOkei+oJ
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
We just went live 2 weeks ago, and the users are thrilled. So I would say the
performance is acceptable :)
The folder tree browsing is only noticeable when you're used to doing it as
root, because there it's almost instantaneous. As a user, if I'm trying to
get somewhere 6 levels deep (which happens), 1.5 seconds per level adds up
fast. I did look at both the source code and the query, and I didn't see an
obvious fix other than setting that one property that bypasses the privilege
check for subfolders.
I was surprised at the performance of the subject search, because neither I
nor anyone else noticed it outside of JMeter. We have 5 different LDAP
sources, so a 3.5 seconds return time is still good for us. But query tuning
may be worth looking into; if the search term doesn't match any groups in the
base query, adding a clause to do a privilege check shouldn't be having much
effect.
Feel free to put this in the wiki -- including the zip file, since it's going
to be stopped by many people's mail filters on the list.
-Chad
-----Original Message-----
From: Hyzer, Chris
[mailto:]
Sent: Thursday, January 19, 2017 2:15 PM
To: Redman, Chad Eric
<>;
Subject: RE: Load testing the Grouper UI with JMeter
That's great Chad. Thanks so much for doing this work and sharing the
results.
Do you think it would be helpful to put some of this on a wiki for others to
find?
Overall do you consider performance to be acceptable, i.e. the test is a
pass? No jiras about performance?
Yes, large datasets are slower than small data sets.
Wheel has better performance than non wheel due to privilege checking as you
mentioned.
Folder tree browsing is slow, but I don't think its impractical right? (I
think of impractical as over ~15 seconds)
Searching for subjects looks at groups (since groups are subjects), and when
adding in privileges it gets tedious for the database.
Thanks
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Redman, Chad Eric
Sent: Thursday, January 19, 2017 1:50 PM
To:
Subject: [grouper-users] Load testing the Grouper UI with JMeter
During our process of upgrading Grouper to the latest version, we wanted to
do some load testing in a pre-preproduction environment. Since our
non-production installs are lightly used, our primary aim was to exercise the
application, Java container, and web server under a light but steady load, as
a predictor of how the application will fare in production. A secondary
purpose was to get timing results for the various features, comparing them
with the previous version, which for us was the quite old 1.6.3. Stress
testing wasn't a goal, as the UI for our production install isn't used that
heavily.
For our load tests, we used Apache JMeter 3.0 from
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fjmeter.apache.org%2F&data=01%7C01%7Cchad_redman%40unc.edu%7C655c0dcce2774124d21608d4409f6dfc%7C58b3d54f16c942d3af081fcabd095666%7C1&sdata=7wt50BDA7JowIhGsfctOrLdl6QYr%2BXpSxK9wSj9D3jQ%3D&reserved=0.
Tests were done from a Windows 7 desktop. The specs for our institutional
Grouper installation are:
- Apache web server, Glassfish 3.1.2 Java container (2-server cluster)
- Oracle 11 database
- Grouper 2.3.0 with patches through api #22
For comparison, we also ran the same load test against Unicon's Grouper
Docker container
(https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhub.docker.com%2Fr%2Funicon%2Fgrouper-demo%2F&data=01%7C01%7Cchad_redman%40unc.edu%7C655c0dcce2774124d21608d4409f6dfc%7C58b3d54f16c942d3af081fcabd095666%7C1&sdata=FX%2Fy7%2BZ1%2B979Ev5iAfonWnjZI4SOVXdrTygaaZzbtu8%3D&reserved=0,
version 2.3.0-2017-01-08), running from the same Windows 7 desktop.
JMeter Implementation
The JMeter test plan uses a few different data sources in order to vary the
tests during multiple loops. A login source specifies usernames and passwords
for administrator, privileged user (e.g., has admin access to certain
groups), and normal users. A folder id source lists the UUID values for a
small number of stems, to simulate expanding folders in the directory tree
browser. A group and member source lists groups, stems, and users by UUID to
test calls to access various content.
Our institutional server uses Shibboleth SSO for authentication. When testing
this server, a one-time step per thread loop does the initial SSO session
setup, extracting session parameters as necessary. For the Docker
application, HTTP Basic authentication was used. In this case, a BeanShell
step Base64 encodes the username and password to include in the HTTP headers.
To switch from one authentication method to the other, the pertinent steps
are enabled and disabled as appropriate.
Because the new UI includes CSRF protection, it's necessary to include the
value for OWASP_CSRFTOKEN for most of the requests. At the start of each
thread loop, the value for OWASP_CSRFTOKEN is extracted from the first page
that is accessed. This value is then included in subsequent pages where it's
required.
The pages and Ajax requests accessed in each loop are:
1. Initial landing page
2. Directory browser (lower left) - root level
3. Home page, main content area
4. Directory tree, opening various folders (loop)
5. My groups
6. My folders
7. My favorites
8. Search result (the upper right corner)
9. View group
10. View stem
11. View users
12. Add member autocompletion result (after 2 chars) - Dojo Ajax return HTML
13. Trace membership
14. View group privileges
15. Trace privileges
16. Group memberships in other groups
17. View group audit log (if user is in wheel group)
Results
Non-Production Institutional server
Function | msec (wheel user) | msec (privileged user)
---------+-------------------+-----------------------
Home Page authorized | 43 | 56
Directory Browser frame - root folder | 50 | 1506
Content frame - home | 305 | 240
Open Stem in Directory Tree | 48 | 1523
Content frame - my groups | 185 | 81
Content frame - my folders | 59 | 586
Content frame - my favorites | 74 | 87
Content frame - search result (upper right) | 163 | 3516
Content frame - view group | 649 | 483
Content frame - view stem | 107 | 2531
Content frame - view user | 282 | 1562
Content frame - add member autocomplete (after 2 chars) | 626 | 866
Content frame - trace membership | 616 | 1741
Content frame - view group privileges | 189 | 168
Content frame - group memberships in other groups | 122 | 122
Content frame - view group audit log | (not tested)
Note: Tracing privileges was not performed, as the installation did not
include the fix from patch #38, and the request timed out after 2 minutes.
Docker Image
Function | msec (wheel user) | msec (privileged user)
---------+-------------------+-----------------------
Home Page authorized | 26 | 19 | 17
Directory Browser frame - root folder | 38 | 105 | 94
Content frame - home | 88 | 61 | 60
Open Stem in Directory Tree | 27 | 91 | 92
Content frame - my groups | 84 | 28 | 32
Content frame - my folders | 37 | 57 | 59
Content frame - my favorites | 15 | 21 | 16
Content frame - search result (upper right) | 92 | 175 | 182
Content frame - view group | 285 | 25 | 88
Content frame - view stem | 87 | 178 | 175
Content frame - view user | 101 | 54 | 72
Content frame - add member autocomplete (after 2 chars) | 33 | 45 | 68
Content frame - trace membership | 211 | 21 | 61
Content frame - view group privileges | 312 | 23 | 23
Content frame - trace privileges (note 1) | 1374 | 27 | 25
Content frame - group memberships in other groups | 126 | 37 | 44
Content frame - view group audit log | 430 | 23 | 32
(note 1) Also tested with the 2.3.0-2016-12-13 Unicon Docker image, where the
time for wheel user was 1767 msec instead of 1374. This build was from before
API patch #38, a patch which addressed performance issues with privilege
tracing.
Comparison with existing production version 1.6.3
Function | msec (wheel user) | msec (privileged user) || v1.6.3 (wheel user)
| v1.6.3 (privileged user)
---------+-------------------+-----------------------
SSO Login | 85 | 98 || 78 | 56
SP Start Session | 41 | 39 || 41 | 36
Content frame - home | 305 | 240 || 182 | 155
Open Stem in Directory Tree | 48 | 1523 || 152 | 186
Content frame - search result (note 1) | 163 | 3516 || 14525 | 25639
Content frame - view group (note 2) | 649 | 483 || 98 | 50
view group list members | - | - || 561 | 37
Content frame - view stem | 107 | 2531 || 179 | 480
Content frame - view user | 282 | 1562 || 340 | 314
Content frame - trace membership | 616 | 1741 || 147 | 38
Content frame - view group privileges | 189 | 168 || 151 | 38
Content frame - group memberships in other groups | 122 | 122 || 66 | 60
(note 1) Changes in our sources.xml configuration led to great improvement in
search time between 1.6.3 and 2.3.0
(note 2) The group page in the v2 new UI includes the list of group members
in the group page, whereas the membership listing is a separate page in 1.6.3.
Analysis
For some pages, there is a large difference between the Docker image and our
installation. This is likely due to the much larger data set: We have 23,000
group, 168,000 members, and 845,000 memberships in our development
installation, while the Docker setup has 43 groups, 1044 members, and 5175
memberships.
Some of the unusually low response times for non-wheel users are not due to
good performance, but rather represent an error response due lack of access.
This is especially true for the unprivileged user, which explains why some of
the responses are faster for an unprivileged user than for a privileged one.
Some functions show a large difference between wheel and non-wheel access.
This is likely due to the additional privilege checking performed for users,
which is bypassed for wheel members. The biggest differences are in the
folder tree browser (in the lower left of the page), viewing stems and users,
tracing memberships, and viewing the list of search results. The slowness is
particularly noticeable in the folder tree browser, where it's slow to the
point of being impractical for users as a way to navigate to a group. In the
Docker installation, differences can be seen between wheel and users for most
of the same functions, but the difference is less pronounced.
In the past, we had looked into the folder tree performance issue. Adding
additional Oracle indexes would improve the speed by about 33%, but the
response per folder was still over 1 second. Note that this response is with
the Grouper setting security.show.folders.where.user.can.see.subobjects =
false. Without this setting, the response would be around 3 seconds per
folder list.
The speed difference for a general subject search between wheel and normal
users is also notable. We did not do much further analysis to understand the
cause. It does not seem strongly correlated with the number of results; even
queries that return zero subjects take over 1.5 seconds to return the
response for a non-wheel user.
Comparing a v1.6.3 release with similar data, not all of the new UI functions
mapped well to pages in the older UI. Where there were similar functional
pages between versions, there was a similar performance in most pages for a
wheel user. Viewing a stem or user was faster. Viewing the home page or a
group's membership in other groups was slower, but still in a sub-300
millisecond response that would not be very noticeable by the user. Tracing a
membership was significantly slower in 2.3.0, going from 150 msec to 600+
msec. Viewing a group was also slower; however, the 1.6.3 version kept group
data and membership in separate pages. When combining the responses of the
group page plus the membership listing, the timing is comparable to the group
page of 2.3.0 which includes membership. For non-wheel users between 1.6.3
and 2.3.0, there are remarkable differences in response time, but these have
all been mentioned above as being specific to privilege checking in the new
UI. What is notable is that there were not significant differences in
response times between wheel and non-wheel users in 1.6.3, whereas now there
are.
A zip file of the JMeter test plan is attached, which includes sample data
that works against the QuickStart demo application, and shell scripts to run
the test in headless mode.
-Chad
- [grouper-users] Load testing the Grouper UI with JMeter, Redman, Chad Eric, 01/19/2017
- [grouper-users] RE: Load testing the Grouper UI with JMeter, Hyzer, Chris, 01/19/2017
- [grouper-users] RE: Load testing the Grouper UI with JMeter, Redman, Chad Eric, 01/19/2017
- [grouper-users] RE: Load testing the Grouper UI with JMeter, Hyzer, Chris, 01/19/2017
Archive powered by MHonArc 2.6.19.