SLAPD: Should access checks take place before filter matching?
During the course of testing some other stuff I noticed that several
functions in filter_entry check acl info before they test to see if the
filter matches.
If there are a large number of candidates being passed into the filter,
they'll all be access checked, even if only a few of them are actual
matches. This makes searches much slower than they need to be, especially
if the search involves a non-indexed field if any acls are defined. For
example, a substring search on a field with no substring index, with about
12,000 entries and about 5 matches took 27 seconds with a single acl entry
defined, but only 6 seconds with no acl set.
The obvious fix is to only perform the acl_check if the filter matches.
Doing this for basic searches is trivial; move the test within the
function, or move the test into a wrapper function that runs the filter and
then does the check (safer for functions that can return from multiple
places). Handling or/and is slightly more work - need to walk the
expression tree a second time doing the access checks, but it's still
pretty trivial.
Can anyone think of any reason why this would be a bad idea?
Now that I've got my working copy synced to HEAD and reapplied the
kerberos_v4 sasl patches by hand, I'll make the changes to filter_entry.c
and see how well they work.
Simon
p.s.
It definitely seems that the access control code could benefit from some
performance tuning; has anyone been working on this?
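
The reordering proposed in the message above, sketched as an added example that is not slapd's code and not part of the original post: a constructed filter tree is evaluated ACL-first and then match-first with a second ACL walk, counting the simulated access checks each ordering performs. All names (`eval_acl_first`, `eval_two_pass`, `acl_check`, the `readable` table) are hypothetical, and the model covers only AND/OR trees of equality leaves with no NOT, where an ACL denial can only turn a leaf from true to false, so an entry that fails the unchecked pass can never pass the checked one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a filter is an AND/OR tree over equality leaves. */
enum kind { LEAF, AND, OR };
struct filter { enum kind k; int attr, val; const struct filter *l, *r; };
struct entry { int vals[4]; };           /* one value per attribute 0..3 */

static int acl_calls;                     /* counts simulated ACL checks */
static const bool readable[4] = { true, false, true, true }; /* attr 1 denied */
static bool acl_check(int attr) { acl_calls++; return readable[attr]; }

/* Original ordering: each leaf is access-checked before its value is tested. */
static bool eval_acl_first(const struct filter *f, const struct entry *e)
{
    switch (f->k) {
    case LEAF: return acl_check(f->attr) && e->vals[f->attr] == f->val;
    case AND:  return eval_acl_first(f->l, e) && eval_acl_first(f->r, e);
    default:   return eval_acl_first(f->l, e) || eval_acl_first(f->r, e);
    }
}

/* Leaf tests the value first; the ACL is consulted only when use_acl is set. */
static bool eval(const struct filter *f, const struct entry *e, bool use_acl)
{
    switch (f->k) {
    case LEAF: return e->vals[f->attr] == f->val && (!use_acl || acl_check(f->attr));
    case AND:  return eval(f->l, e, use_acl) && eval(f->r, e, use_acl);
    default:   return eval(f->l, e, use_acl) || eval(f->r, e, use_acl);
    }
}

/* Proposed ordering: match without ACLs, walk again with ACLs only on a hit. */
static bool eval_two_pass(const struct filter *f, const struct entry *e)
{
    return eval(f, e, false) && eval(f, e, true);
}

int main(void)
{
    const struct filter a = { LEAF, 1, 5, NULL, NULL }, b = { LEAF, 2, 7, NULL, NULL };
    const struct filter f = { OR, 0, 0, &a, &b };   /* (|(attr1=5)(attr2=7)) */
    const struct entry miss = { { 0, 0, 0, 0 } };
    acl_calls = 0; eval_acl_first(&f, &miss);
    printf("ACL-first checks on a miss: %d\n", acl_calls);
    acl_calls = 0; eval_two_pass(&f, &miss);
    printf("two-pass checks on a miss: %d\n", acl_calls);
    return 0;
}
```

An entry that matches only through the denied attribute is still rejected by the second walk, so both orderings return the same result set in this model while the two-pass form spends no access checks on non-matching candidates.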