
ACL performance again


I encountered performance problems with rather complex (group based) ACLs in 
conjunction with large objects (approximately 120 attributes per object).

The server returned only 6.5 objects per second for complex (attribute 
dependent, group based) ACLs, about 50 objects per second for simpler 
(attribute independent, group based) ACLs and about 140 objects per second 
without any ACL (defaultaccess read).

Looking into the code (and switching on acl debugging) it showed that the 
whole ACL is parsed and evaluated once for each attribute and once for each 
value (that means twice for a single-valued attribute).

Why is it necessary to evaluate the ACLs for each value?

I modified the access_allowed function to support a simple ACL cache on a 
per-object basis. All attributes are stored in a list together with the 
matching ACL, the status and the access mask. If the attribute is not in the 
cache, the acl is evaluated by acl_get as usual and then a lookup in the 
cache is done whether a different attribute has the same single access 
control (if more than one access control matches the attribute it is not 
considered in this way) and the mask and status for the other attribute are 

This way I managed to increase the performance by about 50%-100% for the ACL 
cases (about 10 objects/s with complex ACLs, about 100 objects/s with simpler 
ACLs and about 140 objects/s without ACLs).

Is this a way to go, or did I overlook some problems?

Some time ago someone posted an article about caching group membership for 
connections. Has something evolved from that?

Stephan Siano

Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47                 Fax:   06196 409607
D-65760 Eschborn
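The per-object ACL cache described in the post, modelled as an added Python example. This is constructed illustration code, not slapd's access_allowed/acl_get/acl_mask and not the poster's patch: the rule format, the first-match-wins semantics, the group names and the sample entry are all assumptions. The model splits evaluation into a cheap acl_get (which rule covers the attribute) and an expensive acl_mask (resolve the subject's group membership), counts how often each runs when an entry is read once per attribute and once per value, and shows that a memo scoped to one (entry, subject) pair cuts the expensive step to one call per distinct matching rule while returning exactly the same visible attributes. The cache is only sound because these rules depend on the attribute and the subject, not on the value; a rule with a value clause would have to bypass it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Access levels in increasing order (a subset of slapd's none/search/read/write).
NONE, SEARCH, READ, WRITE = 0, 1, 2, 3


@dataclass(frozen=True)
class AccessRule:
    """One 'access to attrs=... by group=... <level>' clause (constructed model)."""
    attrs: Optional[FrozenSet[str]]   # None: the rule covers every attribute
    group: Optional[str]              # None: 'by *'
    level: int


@dataclass
class Stats:
    acl_get: int = 0    # cheap: find the rule whose attrs clause covers the attribute
    acl_mask: int = 0   # expensive: resolve the subject's group membership


def acl_get(rules, attr, stats) -> int:
    """Index of the first rule covering attr (first match wins), -1 if none."""
    stats.acl_get += 1
    for i, r in enumerate(rules):
        if r.attrs is None or attr in r.attrs:
            return i
    return -1


def acl_mask(rule, subject_groups, stats) -> int:
    """Access level the rule grants to a subject in the given groups."""
    stats.acl_mask += 1
    if rule.group is None or rule.group in subject_groups:
        return rule.level
    return NONE


class EntryAclCache:
    """attr -> (rule index, mask) for ONE entry and ONE subject.

    Scoped to a single request: it must never be shared across entries or
    subjects, since the matching rule and the mask depend on both.
    """
    def __init__(self):
        self.by_attr: Dict[str, Tuple[int, int]] = {}

    def mask_for_rule(self, rule_idx) -> Optional[int]:
        # Another attribute already matched the same single rule: reuse its mask.
        for idx, mask in self.by_attr.values():
            if idx == rule_idx:
                return mask
        return None


def access_allowed(rules, attr, subject_groups, required, stats, cache=None) -> bool:
    """Per-attribute / per-value check; with a cache, acl_mask runs once per rule."""
    if cache is not None and attr in cache.by_attr:
        return cache.by_attr[attr][1] >= required
    idx = acl_get(rules, attr, stats)
    if idx < 0:
        mask = NONE
    else:
        mask = cache.mask_for_rule(idx) if cache is not None else None
        if mask is None:
            mask = acl_mask(rules[idx], subject_groups, stats)
    if cache is not None:
        cache.by_attr[attr] = (idx, mask)
    return mask >= required


def read_entry(rules, entry, subject_groups, use_cache):
    """Mimic the search path: one check per attribute, then one per value."""
    stats = Stats()
    cache = EntryAclCache() if use_cache else None
    visible = {}
    for attr, values in entry.items():
        if not access_allowed(rules, attr, subject_groups, READ, stats, cache):
            continue
        visible[attr] = [v for v in values
                         if access_allowed(rules, attr, subject_groups, READ, stats, cache)]
    return visible, stats


# Constructed sample policy and entry (hypothetical group names and values).
RULES = [
    AccessRule(frozenset({"userPassword"}), "cn=admins", WRITE),
    AccessRule(frozenset({"mail", "telephoneNumber"}), "cn=staff", READ),
    AccessRule(None, None, READ),
]
ENTRY = {
    "cn": ["Example Person"],
    "sn": ["Person"],
    "mail": ["a@example.test", "b@example.test"],
    "telephoneNumber": ["1", "2", "3"],
    "userPassword": ["{SSHA}placeholder"],
}

if __name__ == "__main__":
    for use_cache in (False, True):
        visible, stats = read_entry(RULES, ENTRY, {"cn=staff"}, use_cache)
        print(f"cache={use_cache}: acl_get={stats.acl_get} acl_mask={stats.acl_mask} "
              f"visible={sorted(visible)}")
```

Running the block prints 12 acl_mask evaluations without the cache (one per attribute plus one per value) against 3 with it (one per distinct rule), with identical visible attributes in both cases; the staff subject never sees userPassword. Because the cache is keyed by subject as well as entry, an admin subject gets its own evaluation and a different result.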