
SLAPD: Should access checks take place before filter matching?

During the course of testing some other stuff I noticed that several functions in filter_entry check ACL info before they test to see if the filter matches.

If there are a large number of candidates being passed into the filter, they'll all be access-checked, even if only a few of them are actual matches. This makes searches much slower than they need to be, especially if the search involves a non-indexed field and any ACLs are defined. For example, a substring search on a field with no substring index, with about 12,000 entries and about 5 matches, took 27 seconds with a single ACL entry defined, but only 6 seconds with no ACL set.

The obvious fix is to only perform the acl_check if the filter matches. Doing this for basic searches is trivial: move the test within the function, or move the test into a wrapper function that runs the filter and then does the check (safer for functions that can return from multiple places). Handling or/and is slightly more work - need to walk the expression tree a second time doing the access checks, but it's still pretty trivial.

Can anyone think of any reason why this would be a bad idea?

Now that I've got my working copy synced to HEAD and reapplied the kerberos_v4 SASL patches by hand, I'll make the changes to filter_entry.c and see how well they work.

It definitely seems that the access control code could benefit from some performance tuning; has anyone been working on this?
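The reordering proposed above, as an added illustration that is not OpenLDAP code and does not use slapd's real filter or ACL structures: a toy filter evaluator with equality, substring, AND, OR and NOT nodes, a hypothetical access_allowed() hook standing in for the ACL check, and a counter on that hook so the two orderings can be compared on a constructed directory. filter_match(..., 1) is the per-leaf ordering the post describes (an unreadable attribute makes its leaf false); filter_entry_fast() runs the filter once with no ACL checks and only walks the tree a second time, checking access, for entries that matched. The example also carries the one caveat a reviewer would raise: that shortcut is only sound when the filter is monotone, i.e. contains no NOT node, because a denied leaf under a NOT can turn a non-match into a match, so the fast path falls back to per-leaf checking when it sees one.

```c
/* Added example, not OpenLDAP code: "match first, then access-check" versus
 * per-leaf access checking. Everything below (entry layout, access_allowed(),
 * the sample directory) is constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum { F_EQ, F_SUBSTR, F_AND, F_OR, F_NOT };

struct filter {
    int op;
    const char *attr, *value;   /* F_EQ / F_SUBSTR leaves */
    struct filter *kids[3];     /* F_AND / F_OR / F_NOT children */
    int nkids;
};

struct entry { const char *cn, *mail; int is_secret; };

long acl_checks;   /* number of calls to the hypothetical ACL hook */

/* Hypothetical ACL: 'mail' is unreadable on entries flagged secret. */
static int access_allowed(const struct entry *e, const char *attr)
{
    acl_checks++;
    return !(e->is_secret && strcmp(attr, "mail") == 0);
}

static const char *attr_value(const struct entry *e, const char *attr)
{
    if (strcmp(attr, "cn") == 0)   return e->cn;
    if (strcmp(attr, "mail") == 0) return e->mail;
    return NULL;
}

/* Evaluate f against e. With check_acl set, a leaf on an unreadable
 * attribute evaluates to false, as the per-leaf ordering in the post does. */
static int filter_match(const struct filter *f, const struct entry *e, int check_acl)
{
    const char *v;
    int i;
    switch (f->op) {
    case F_EQ:
    case F_SUBSTR:
        if (check_acl && !access_allowed(e, f->attr)) return 0;
        v = attr_value(e, f->attr);
        if (v == NULL) return 0;
        return f->op == F_EQ ? strcmp(v, f->value) == 0
                             : strstr(v, f->value) != NULL;
    case F_AND:
        for (i = 0; i < f->nkids; i++)
            if (!filter_match(f->kids[i], e, check_acl)) return 0;
        return 1;
    case F_OR:
        for (i = 0; i < f->nkids; i++)
            if (filter_match(f->kids[i], e, check_acl)) return 1;
        return 0;
    case F_NOT:
        return !filter_match(f->kids[0], e, check_acl);
    }
    return 0;
}

static int has_not(const struct filter *f)
{
    int i;
    if (f->op == F_NOT) return 1;
    for (i = 0; i < f->nkids; i++)
        if (has_not(f->kids[i])) return 1;
    return 0;
}

/* Proposed ordering: filter first, ACL walk only for entries that matched.
 * Without NOT the filter is monotone in its leaves, so a denied leaf can only
 * turn a match into a non-match; with NOT that no longer holds, so fall back. */
static int filter_entry_fast(const struct filter *f, const struct entry *e)
{
    if (has_not(f)) return filter_match(f, e, 1);
    if (!filter_match(f, e, 0)) return 0;
    return filter_match(f, e, 1);
}

/* Run one search over the candidate list; returns the match count and leaves
 * the total number of ACL checks in acl_checks. */
static int run_search(const struct filter *f, const struct entry *ents, int n, int fast)
{
    int i, matches = 0;
    acl_checks = 0;
    for (i = 0; i < n; i++)
        matches += fast ? filter_entry_fast(f, &ents[i]) : filter_match(f, &ents[i], 1);
    return matches;
}

/* Constructed sample directory and filters. */
static const struct entry dir[] = {
    {"alice",     "alice@example.com",  0},
    {"bob",       "bob@example.com",    0},
    {"admin",     "admin@example.com",  1},
    {"carol",     "carol@corp.example", 0},
    {"dave",      "dave@example.com",   0},
    {"ops-admin", "ops@corp.example",   1},
    {"eve",       "eve@corp.example",   1},   /* matches only via unreadable mail */
};
#define NDIR ((int)(sizeof dir / sizeof dir[0]))

static struct filter f_cn   = { .op = F_SUBSTR, .attr = "cn",   .value = "admin" };
static struct filter f_mail = { .op = F_SUBSTR, .attr = "mail", .value = "corp.example" };
static struct filter f_or   = { .op = F_OR,  .kids = { &f_cn, &f_mail }, .nkids = 2 };  /* (|(cn=*admin*)(mail=*corp.example*)) */
static struct filter f_not  = { .op = F_NOT, .kids = { &f_mail }, .nkids = 1 };          /* (!(mail=*corp.example*)) */

int main(void)
{
    int m = run_search(&f_or, dir, NDIR, 0);
    printf("per-leaf:   %d matches, %ld ACL checks\n", m, acl_checks);
    m = run_search(&f_or, dir, NDIR, 1);
    printf("match-first: %d matches, %ld ACL checks\n", m, acl_checks);
    return 0;
}
```

On the constructed seven-entry directory the OR filter produces the same three matches either way (eve is still hidden, since her only matching attribute is unreadable), but the per-leaf ordering makes 12 ACL calls while the match-first ordering makes 6, all of them on the four entries that passed the unchecked filter. The saving grows with the ratio of candidates to matches, which is exactly the non-indexed substring case described in the post.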