[Date Prev][Date Next] [Chronological] [Thread] [Top]

caching group ACL evaluation

To: <openldap-devel@OpenLDAP.org>
Subject: caching group ACL evaluation
From: "Howard Chu" <hyc@highlandsun.com>
Date: Fri, 2 Nov 2001 17:15:24 -0800
Importance: Normal
In-reply-to: <000601c16402$694ab360$7601a8c0@fiddle.symas.com>

Here's a description of the caching approach:

/*
 * Caches the result of a backend_group check for ACL evaluation
 */
typedef struct slap_gacl {
        struct slap_gacl *next;
        Backend *be;
        ObjectClass *oc;
        AttributeDescription *at;
        int res;
        int len;	/* length of ndn */
        char ndn[1];	/* ndn of group */
} GroupAssertion;

I've added a
	GroupAssertion *c_groups;
to the Connection structure.

In backend_group I simply walk this linked list looking for a match before
dropping into the existing code. If no match is found, I create a record
with the result of the be->be_group call and add it to the list. All of the
list operations are performed with conn->c_mutex locked.

As a side effect of this approach, if backend_group is called for a group,
and then the group membership is changed, the subsequent changes won't be
reflected on this connection. Is this a big problem? Obviously we could add
checks in do_delete() and do_modify() to walk through the list looking for
affected DNs if necessary.

It seems to me that caching/checking the Backend pointer is unnecessary.
It also seems that caching/checking the op_ndn should be unnecessary,
depending on the answer to my previous question.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Howard Chu
> Subject: slapd concurrency ?

> I have a question about how many operations may be executing concurrently
> over a single connection. In particular, is it possible to perform a bind
> (thus changing conn->c_dn) while other operations (like a long search) are
> still in progress? I have some code to cache the results of backend_group
> queries, and I need to know whether to include op_ndn in the cache object
> or not.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>

Follow-Ups:
- Re: caching group ACL evaluation
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- slapd concurrency ?
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: slapd concurrency ?
Next by Date: Re: slapd concurrency ?
Index(es):
- Chronological
- Thread