SLAPD: Should access checks take place before filter matching?

[Simon Spero <ses@tipper.oit.unc.edu>]

During the course of testing some other stuff I noticed that several 
functions in filter_entry check acl info before they test to see if the 
filter matches.

If there are large number of candidates being passed into the filter, 
they'll all be access checked, even if only a few of them are actual 
matches.  This makes searches much slower than they need to be, especially 
if the search involves a non-indexed field if any acls are defined. For 
example, a substring search on a field with no substring index, with about 
12,000 entries and about 5 matches took 27 seconds with a single acl entry 
defined, but only 6 seconds with no acl set.

The obvious fix is to only perform the acl_check if the filter matches. 
Doing this for basic searches is trivial; move the test within the 
function, or move the test into a wrapper function that runs the filter and 
then does the check (safer for functions that can return from multiple 
places)  Handling or/and is slightly more work - need to walk the 
expression tree a second time doing the access checks, but it's still 
pretty trivial.


can anyone think of any reason why this would be a bad idea?

Now that I've got my working copy synced to HEAD  and reapplyed the 
kerberos_v4 sasl patches by hand, I'll make the changes to filter_entry.c 
and see how well they work.

Simon
p.s.
It definitely seems that the access control code could benefit from some 
performance tuning; has anyone been working on this?