Allow the dataset to generate users with a limited number of unique passwords

ryanemerson · ahus1 · web-flow · commit f3110586836d · 2025-11-28T10:47:53.000+01:00
Closes #1237 Signed-off-by: Ryan Emerson <remerson@ibm.com> Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com> Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
diff --git a/.github/actions/keycloak-create-dataset/action.yml b/.github/actions/keycloak-create-dataset/action.yml
@@ -26,6 +26,9 @@ inputs:
   maxWaitEntityCreation:
     description: 'Maximum number of seconds to wait for creation of entities'
     default: '300'
+  uniqueCredentials:
+    description: 'Limits the total number of credentials created to the specified amount in order to speed up dataset initialisation'
+    default: '-1'
 
 runs:
   using: "composite"
@@ -39,7 +42,7 @@ runs:
       shell: bash
       run: |
         ./dataset-import.sh -a clear-status-completed -l ${{ env.KEYCLOAK_URL }}/realms/master/dataset
-        ./dataset-import.sh -a create-realms -r ${{ inputs.realms }} -c ${{ inputs.clients }} -u ${{ inputs.users }} -l ${{ env.KEYCLOAK_URL }}/realms/master/dataset -C ${{ inputs.maxWaitEntityCreation }}
+        ./dataset-import.sh -a create-realms -r ${{ inputs.realms }} -c ${{ inputs.clients }} -u ${{ inputs.users }} -U ${{ inputs.uniqueCredentials }} -l ${{ env.KEYCLOAK_URL }}/realms/master/dataset -C ${{ inputs.maxWaitEntityCreation }}
         ./dataset-import.sh -a status-completed -t ${{ inputs.maxWaitEntityCreation }} -l ${{ env.KEYCLOAK_URL }}/realms/master/dataset
       working-directory: dataset
 
diff --git a/.github/workflows/keycloak-create-dataset.yml b/.github/workflows/keycloak-create-dataset.yml
@@ -26,6 +26,10 @@ on:
         description: 'Maximum number of seconds to wait for creation of entities'
         type: string
         default: '300'
+      uniqueCredentials:
+        description: 'Limits the total number of credentials created to the specified amount in order to speed up dataset initialisation'
+        type: string
+        default: '-1'
 
 jobs:
   prepare:
@@ -56,3 +60,4 @@ jobs:
           users: ${{ inputs.users }}
           clients: ${{ inputs.clients }}
           maxWaitEntityCreation: ${{ inputs.maxWaitEntityCreation }}
+          uniqueCredentials: ${{ inputs.uniqueCredentials }}
diff --git a/benchmark/src/main/java/org/keycloak/benchmark/Config.java b/benchmark/src/main/java/org/keycloak/benchmark/Config.java
@@ -101,6 +101,12 @@ public class Config {
      */
     public static final String basicUrl = System.getProperty("basic-url");
 
+    /**
+     * Used to correctly configure user passwords when users have been created via the dataset using the `unique-credential-count` option.
+     * In order for the password to be calculated correctly, this value should match the value used when creating the dataset.
+     */
+    public static final int uniqueCredentialCount = Integer.getInteger("unique-credential-count", -1);
+
     public static final Double usersPerSec;
 
     public static final Integer concurrentUsers;
diff --git a/benchmark/src/main/scala/keycloak/scenario/KeycloakScenarioBuilder.scala b/benchmark/src/main/scala/keycloak/scenario/KeycloakScenarioBuilder.scala
@@ -59,23 +59,26 @@ class KeycloakScenarioBuilder {
     val serverUrl = Config.serverUrisList.iterator().next()
     val realmIndex = String.valueOf(Random.nextInt(Config.numOfRealms))
     val clientIndex = String.valueOf(Random.nextInt(Config.numClientsPerRealm))
-    val userIndex = String.valueOf(Random.nextInt(Config.numUsersPerRealm) + Config.userIndexOffset)
+    val userIndex = Random.nextInt(Config.numUsersPerRealm) + Config.userIndexOffset
+    var userIndexStr = String.valueOf(userIndex)
     var realmName = Config.realmPrefix.concat(realmIndex)
 
     if (Config.realmName != null) {
       realmName = Config.realmName
     }
 
-    var userName = Config.userNamePrefix.concat(userIndex)
+    var userName = Config.userNamePrefix.concat(userIndexStr)
 
     if (Config.userName != null) {
       userName = Config.userName
     }
 
-    var userPassword = Config.userPasswordPrefix.concat(userIndex).concat(Config.userPasswordSuffix)
-
-    if (Config.userPassword != null) {
-      userPassword = Config.userPassword
+    var userPassword = if (Config.userPassword != null) {
+      Config.userPassword
+    } else if (Config.uniqueCredentialCount > 0) {
+      s"password-${userIndex % Config.uniqueCredentialCount}"
+    } else {
+      Config.userPasswordPrefix.concat(userIndexStr).concat(Config.userPasswordSuffix)
     }
 
     var redirectUri = serverUrl.stripSuffix("/").concat("/realms/").concat(realmName).concat("/account")
diff --git a/dataset/dataset-import.sh b/dataset/dataset-import.sh
@@ -24,8 +24,9 @@ set_environment_variables () {
   STATUS_TIMEOUT="120"
   CREATE_TIMEOUT="3600"
   THREADS="-1"
+  UNIQUE_CREDENTIALS="-1"
 
-  while getopts ":a:r:n:c:u:e:o:g:i:p:l:t:C:T:" OPT
+  while getopts ":a:r:n:c:u:e:o:g:i:p:l:t:C:T:U:" OPT
   do
     case $OPT in
       a)
@@ -70,6 +71,9 @@ set_environment_variables () {
       T)
         THREADS=$OPTARG
         ;;
+      U)
+        UNIQUE_CREDENTIALS=$OPTARG
+        ;;
       ?)
         echo "Invalid option: $OPT, read the usage carefully -> "
         help
@@ -85,7 +89,7 @@ create_clients () {
 
 create_users () {
   echo "Creating $1 user/s in realm $2"
-  execute_command "create-users?count=$1&realm-name=$2"
+  execute_command "create-users?count=$1&realm-name=$2&unique-credential-count=$3"
 }
 
 create_events () {
@@ -193,15 +197,15 @@ main () {
       if [ -z "$HASH_ALGORITHM" ];  then HA_PARAM=""; HASH_ALGORITHM="default";  else HA_PARAM="&password-hash-algorithm=$HASH_ALGORITHM"; fi
       if [ -z "$HASH_ITERATIONS" ]; then HI_PARAM=""; HASH_ITERATIONS="default"; else HI_PARAM="&password-hash-iterations=$HASH_ITERATIONS"; fi
       echo "Creating $REALM_COUNT realms with $CLIENTS_COUNT clients and $USERS_COUNT users with $HASH_ITERATIONS password-hashing iterations using the $HASH_ALGORITHM algorithm."
-      execute_command "create-realms?count=$REALM_COUNT&clients-per-realm=$CLIENTS_COUNT&users-per-realm=$USERS_COUNT$HI_PARAM$HA_PARAM"
+      execute_command "create-realms?count=$REALM_COUNT&clients-per-realm=$CLIENTS_COUNT&users-per-realm=$USERS_COUNT&unique-credential-count=$UNIQUE_CREDENTIALS$HI_PARAM$HA_PARAM"
       exit 0
       ;;
     create-clients)
       create_clients $CLIENTS_COUNT $REALM_NAME $CREATE_TIMEOUT $THREADS
       exit 0
       ;;
     create-users)
-      create_users $USERS_COUNT $REALM_NAME
+      create_users $USERS_COUNT $REALM_NAME $UNIQUE_CREDENTIALS
       exit 0
       ;;
     create-events)
diff --git a/dataset/src/main/java/org/keycloak/benchmark/dataset/DatasetResourceProvider.java b/dataset/src/main/java/org/keycloak/benchmark/dataset/DatasetResourceProvider.java
@@ -33,6 +33,7 @@
 import org.keycloak.benchmark.dataset.config.DatasetException;
 import org.keycloak.benchmark.dataset.organization.OrganizationProvisioner;
 import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.credential.hash.PasswordHashProvider;
 import org.keycloak.events.Event;
 import org.keycloak.events.EventStoreProvider;
 import org.keycloak.events.EventType;
@@ -52,6 +53,7 @@
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.cache.CacheRealmProvider;
+import org.keycloak.models.credential.PasswordCredentialModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
@@ -65,12 +67,15 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 
 import static org.keycloak.benchmark.dataset.config.DatasetOperation.CREATE_CLIENTS;
 import static org.keycloak.benchmark.dataset.config.DatasetOperation.CREATE_EVENTS;
@@ -435,6 +440,8 @@ private void createUsersImpl(Task task, DatasetConfig config, RealmModel realm)
     }
 
     private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig config, ExecutorHelper executor, int startIndex, int usersCount) {
+        // Initialize password credentials if unique-credentials-count is configured
+        List<PasswordCredentialModel> credentials = initializeCredentials(config, usersCount, context);
 
         for (int i = startIndex; i < (startIndex + usersCount); i += config.getUsersPerTransaction()) {
             final int usersStartIndex = i;
@@ -446,7 +453,7 @@ private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig
             executor.addTaskRunningInTransaction(session -> {
                 KeycloakModelUtils.cloneContextRealmClientToSession(baseSession.getContext(), session);
 
-                createUsers(context, session, usersStartIndex, endIndex);
+                createUsers(context, session, usersStartIndex, endIndex, credentials);
 
                 task.debug(logger, "Created users in realm %s from %d to %d", context.getRealm().getName(), usersStartIndex, endIndex);
 
@@ -457,6 +464,24 @@ private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig
         }
     }
 
+    private List<PasswordCredentialModel> initializeCredentials(DatasetConfig config, int usersCount, RealmContext context) {
+        var map = IntStream.range(0, Math.min(usersCount, config.getUniqueCredentialCount()))
+              .parallel()
+              .mapToObj(i -> KeycloakModelUtils.runJobInTransactionWithResult(baseSession.getKeycloakSessionFactory(), session -> {
+                  KeycloakModelUtils.cloneContextRealmClientToSession(baseSession.getContext(), session);
+                  PasswordPolicy policy = context.getRealm().getPasswordPolicy();
+                  PasswordHashProvider hash = policy.getHashAlgorithm() != null ?
+                        baseSession.getProvider(PasswordHashProvider.class, policy.getHashAlgorithm()) :
+                        baseSession.getProvider(PasswordHashProvider.class);
+                  return Map.entry(i, hash.encodedCredential("password-" + i, policy.getHashIterations()));
+              }))
+              .collect(Collectors.toConcurrentMap(Map.Entry::getKey, Map.Entry::getValue));
+
+        return map.entrySet().stream()
+              .sorted(Comparator.comparingInt(Map.Entry::getKey))
+              .map(Map.Entry::getValue)
+              .toList();
+    }
 
     @GET
     @Path("/create-events")
@@ -1130,7 +1155,7 @@ private void createClients(RealmContext context, Task task, KeycloakSession sess
     }
 
     // Worker task to be triggered by single executor thread
-    private void createUsers(RealmContext context, KeycloakSession session, int startIndex, int endIndex) {
+    private void createUsers(RealmContext context, KeycloakSession session, int startIndex, int endIndex, List<PasswordCredentialModel> credentials) {
         // Refresh the realm
         RealmModel realm = session.realms().getRealm(context.getRealm().getId());
         DatasetConfig config = context.getConfig();
@@ -1147,8 +1172,13 @@ private void createUsers(RealmContext context, KeycloakSession session, int star
             user.setLastName(username + "-last");
             user.setEmail(username + String.format("@%s.com", realm.getName()));
 
-            String password = String.format("%s-password", username);
-            user.credentialManager().updateCredential(UserCredentialModel.password(password, false));
+            if (credentials.isEmpty()) {
+                String password = String.format("%s-password", username);
+                user.credentialManager().updateCredential(UserCredentialModel.password(password, false));
+            } else {
+                PasswordCredentialModel password = credentials.get(i % config.getUniqueCredentialCount());
+                user.credentialManager().createStoredCredential(password);
+            }
 
             // Assign a role to a user if any exist in the realm
             if (!context.getRealmRoles().isEmpty()) {
diff --git a/dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java b/dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java
@@ -226,6 +226,9 @@ public class DatasetConfig {
     @QueryParamIntFill(paramName = "identity-provider-mappers-count", operations = CREATE_ORGS)
     private int identityProviderMappersCount;
 
+    @QueryParamIntFill(paramName = "unique-credential-count", defaultValue = 0, operations =  {CREATE_REALMS, CREATE_USERS})
+    private int uniqueCredentialCount;
+
     // String representation of this configuration (cached here to not be computed in runtime)
     private String toString = "DatasetConfig []";
 
@@ -432,4 +435,8 @@ public int getIdentityProvidersCount() {
     public int getIdentityProviderMappersCount() {
         return identityProviderMappersCount;
     }
+
+    public int getUniqueCredentialCount() {
+        return uniqueCredentialCount;
+    }
 }
diff --git a/doc/dataset/modules/ROOT/pages/using-provider.adoc b/doc/dataset/modules/ROOT/pages/using-provider.adoc
@@ -68,15 +68,17 @@ To learn more about the tool, see xref:kubernetes-guide::util/task.adoc[] for de
 
 You need to call this HTTP REST requests.
 This request is useful for create 10 realms.
-Each realm will contain specified amount of roles, clients, groups and users:
+Each realm will contain a set of roles, clients, groups and users:
 
 ----
 .../realms/master/dataset/create-realms?count=10
 ----
 
 === Create many clients
 
-This is request to create 100 new clients in the realm `realm-5` . Each client will have service account enabled and secret like «client_id»-secret (For example `client-156-secret` in case of the client `client-156`):
+This is a request to create 200 new clients in the realm `realm-5`.
+
+Each client will have service account enabled and secret like `<client_id>-secret` (For example `client-156-secret` in the case of the client `client-156`):
 
 ----
 .../realms/master/dataset/create-clients?count=200&realm-name=realm-5
@@ -90,15 +92,35 @@ You can also configure the access-type (`bearer-only`, `confidential` or `public
 
 === Create many users
 
-This is request to create 500 new users in the `realm-5`.
-Each user will have specified amount of roles, client roles and groups, which were already created by `create-realms` endpoint.
-Each user will have password like «Username»-password . For example `user-156` will have password like
-`user-156-password` :
+This is a request to create 1000 new users in the realm `realm-5`:
 
 ----
 .../realms/master/dataset/create-users?count=1000&realm-name=realm-5
 ----
 
+Each user will have the specified amount of roles, client roles and groups, which were already created by the `create-realms` endpoint.
+
+Each user will be assigned a password in the format `<username>-password`. For example `user-156` will have the password `user-156-password`.
+
+=== Speed up user creation by limiting the total number of passwords
+
+When creating users, the bottleneck is CPU time to hash the passwords that are by default unique for each user.
+
+To reduce total time to create a large number of users, configure the dataset to only create a limited
+pool of hashed passwords and reuse these credentials when creating users. Specify the `unique-credential-count` parameter
+in order to limit the number of passwords created.
+
+When limiting the total number of passwords, individual passwords for a given user are calculated as `"password-" + i`
+where `i` is the user's number % `unique-credential-count`.
+
+For example, after executing:
+
+----
+.../realms/master/dataset/create-users?realm-name=realm-0&count=1000&unique-credential-count=10`
+----
+
+the user `user-156` will have the password `password-6` as we calculate `i = 156 % 10`.
+
 === Create many groups
 
 Groups are created as part of the realm creation.
@@ -115,7 +137,7 @@ With groups-with-hierarchy set to `true` a tree structure of groups is created;
 The default value is 3. With the default value, top level groups will have `groups-count-each-level` subgroups and each subgroup will have `groups-count-each-level` themselves.
 This parameter is active only when `groups-with-hierarchy` is `true`.
 
-`groups-count-each-level`:: Number of subgroups each created group will have.
+`groups-count-each-level`:: The Number of subgroups each created group will have.
 This parameter is active only when `groups-with-hierarchy` is `true`.
 
 With the default values, only top-level groups are created.
@@ -137,7 +159,7 @@ You can also create groups in an existing realm by invoking the `create-groups`
 
 === Create many events
 
-This is request to create 10M new events in the available realms with prefix `realm-`.
+This is a request to create 10M new events in the available realms with prefix `realm-`.
 For example if we have 100 realms like `realm-0`, `realm-1`, ... `realm-99`, it will create 10M events randomly in them
 
 ----
@@ -146,7 +168,7 @@ For example if we have 100 realms like `realm-0`, `realm-1`, ... `realm-99`, it
 
 === Create many offline sessions
 
-This is request to create 10M new offline sessions in the available realms with prefix `realm-`.
+This is a request to create 10M new offline sessions in the available realms with prefix `realm-`.
 For example if we have 100 realms like `realm-0`, `realm-1`, … `realm-99`, it will create 10M events randomly in them
 
 ----
@@ -178,7 +200,7 @@ For example to create realms with prefix `foo` and with just 1000 hash iteration
 .../realms/master/dataset/create-realms?count=10&realm-prefix=foo&password-hash-iterations=1000
 ----
 
-Another example would be, to specify a particular hashing algorithm in combination with the hashing iterations with the below parameters:
+Another example would be to specify a particular hashing algorithm in combination with the hashing iterations with the below parameters:
 
 ----
 .../realms/master/dataset/create-realms?count=10&realm-prefix=foo&password-hash-algorithm=argon2&password-hash-iterations=1000
@@ -187,7 +209,7 @@ Another example would be, to specify a particular hashing algorithm in combinati
 The configuration is written to the server log when HTTP endpoint is triggered, so you can monitor the progress and what parameters were effectively applied.
 
 Note that creation of new objects will automatically start from the next available index.
-For example when you trigger endpoint above for creation many clients and you already had 230 clients in your DB (`client-0`, `client-1`, .. `client-229`), then your HTTP request will start creating clients from `client-230` .
+For example when you trigger endpoint above for creation many clients, and you already had 230 clients in your DB (`client-0`, `client-1`, ... `client-229`), then your HTTP request will start creating clients from `client-230` .
 
 === Check if the task is still running
 
@@ -280,7 +302,7 @@ Alternatively, you can create a single organization with a given name:
 realms/realm-0/dataset/orgs/create?name=myorg.com&domains=myorg.com,myorg.org,myorg.net&count=1
 ----
 
-You can also specify how many members (managed and unmanaged) and how many identity providers should be
+You can also specify how many managed and unmanaged members and how many identity providers should be
 linked to each organization created:
 
 ----
@@ -292,13 +314,13 @@ As a result, 1k organizations with the following configuration:
 * 500 unmanaged members
 * 10 identity providers
 
-It is also possible te specify a number of identity provider mappers per each identity provider:
+It is also possible to specify a number of identity provider mappers per each identity provider:
 
 ----
 .../realms/realm-0/dataset/orgs/create?count=1000&unmanaged-members-count=500&identity-providers-count=10&identity-provider-mappers-count=3
 ----
 
-In this case 1k organizations with each having 500 unmanaged members, 10 identity providers and each identity provider having 3 identity provider mnappers
+This creates 1k organizations with 500 unmanaged members each, 10 identity providers and with identity provider having 3 identity provider mappers.
 
 You can also provision data to a specific organization. For instance, to provision
 more identity providers to a specific organization:
@@ -307,7 +329,7 @@ more identity providers to a specific organization:
 .../realms/realm-0/dataset/orgs/org-0/identity-providers/create?count=1000
 ----
 
-Optionally it's possible to specify a number of identity provider mappers per each identity provider
+Optionally, it's possible to specify a number of identity provider mappers per each identity provider
 
 ----
 .../realms/realm-0/dataset/orgs/org-0/identity-providers/create?count=1000&identity-provider-mappers-count=5
@@ -325,7 +347,7 @@ Or to provision more managed members to a specific organization:
 .../realms/realm-0/dataset/orgs/org-0/members/create-managed?count=100
 ----
 
-When provisioning members make sure you have created enough users in the realm. For managed members, you also need at least
+When provisioning members, make sure you have created enough users in the realm. For managed members, you also need at least
 a single identity provider linked to an organization.
 
 If you want to remove an organization:
