
Re: Shell backend, modify method, ACL

On Wed, 20 Jun 2001, Kurt D. Zeilenga wrote:

> Yes, to properly evaluate ACLs, one needs a complete copy of
> entry.

In the general case this is true; however when access rules do not refer
to a value in the object being operated on, the access check can be
evaluated purely based on the operation being performed.

This situation applies to a lot of extremely common cases, and could be
the basis of some pretty nice wins in ACL speed, especially for searches
(a lot of work can be moved out of the filter_entry loop). Even if a
rule does depend on values inside the object, it may well be possible to
handle the cases where that rule applies separately from the others,
especially if the rule involves an attribute that's appropriately indexed.

Are a lot of people running servers with very complex rule-sets? Does
anybody have any examples of big production rule sets?
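The idea in the message above, as an added sketch that is not part of the original post and is not OpenLDAP code: rules are evaluated once per operation until the first rule that depends on a value in the entry, and only then does the search loop fall back to per-entry checks. The rule model (ordered, first match wins), all names, and the sample data are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (assumption), not OpenLDAP's structures: ordered rules, first match wins. */
enum verdict { DENY, ALLOW, NEED_ENTRY };
struct rule  { const char *who; int by_owner; enum verdict grant; };
struct entry { const char *owner; };

/* Constructed sample data: admin sees everything, owners see their own entry. */
static const struct rule RULES[] = {
    { "cn=admin", 0, ALLOW },   /* depends only on the requester */
    { NULL,       1, ALLOW },   /* depends on the entry's owner value */
    { "*",        0, DENY  },
};
static const struct entry ENTRIES[] = { {"cn=bob"}, {"cn=alice"}, {NULL} };

static int who_matches(const struct rule *r, const char *req) {
    return !strcmp(r->who, "*") || !strcmp(r->who, req);
}

/* Decide from the operation alone; NEED_ENTRY if an entry-dependent rule is reached first. */
enum verdict acl_precheck(const struct rule *r, int n, const char *req) {
    for (int i = 0; i < n; i++) {
        if (r[i].by_owner) return NEED_ENTRY;
        if (who_matches(&r[i], req)) return r[i].grant;
    }
    return DENY;
}

/* Full evaluation against one entry. */
enum verdict acl_check(const struct rule *r, int n, const char *req, const struct entry *e) {
    for (int i = 0; i < n; i++) {
        if (r[i].by_owner) {
            if (e->owner && !strcmp(e->owner, req)) return r[i].grant;
        } else if (who_matches(&r[i], req)) return r[i].grant;
    }
    return DENY;
}

/* Search loop: returns entries visible to req, counts per-entry ACL evaluations. */
int search(const struct rule *r, int n, const char *req,
           const struct entry *es, int ne, int *checks) {
    enum verdict pre = acl_precheck(r, n, req);   /* hoisted out of the loop */
    int visible = 0;
    *checks = 0;
    for (int i = 0; i < ne; i++) {
        enum verdict v = pre;
        if (pre == NEED_ENTRY) { v = acl_check(r, n, req, &es[i]); (*checks)++; }
        visible += (v == ALLOW);
    }
    return visible;
}

int main(void) {
    int c, v = search(RULES, 3, "cn=bob", ENTRIES, 3, &c);
    printf("bob: %d visible, %d per-entry checks\n", v, c);
    return 0;
}
```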