[OTDev] OpenAM performance

Vedrin Jeliazkov vedrin.jeliazkov at gmail.com
Wed Jul 6 16:26:46 CEST 2011


Hi Folks,

Here are some more findings from the ongoing OpenAM performance
testing. I've managed to define 141K policies in our test setup (5GB
of RAM allocated to OpenDJ and 1.5 GB to Tomcat). This has resulted in
unacceptable query latencies (in the order of minutes) and wrong
policy evaluations (e.g. queries return false instead of true for a
given subject-resource-action triple that is supposed to allow the
action). I've now decided to delete the policies that have been
defined over the night and discovered that this is close to
impossible. Getting the list of these policies required 56 minutes
(this can probably be remedied with improvements in Policy service
code). However, the real show stopper is that deleting a single policy
out of those 141K requires several minutes (and the latency is
growing).

In essence, it looks like OpenSSO (OpenAM) and OpenDS (OpenDJ) haven't
been designed to support more than a few thousand policies. I don't
know how much effort would be required for fixing this in order to
allow the services to scale up with the number of policies. It might
be wise to start looking for alternatives...

Kind regards,
Vedrin


