ACL performance again
I encountered performance problems with rather complex (group based) ACLs in
conjunction with large objects (approximately 120 attributes per object).
The server returned only 6.5 objects per second for complex (attribute
dependent, group based) ACLs, about 50 objects per second for simpler
(attribute independent, group based) ACLs and about 140 objects per second
without any ACL (defaultaccess read).
Looking into the code (and switching on acl debugging) it showed that the
whole ACL is parsed and evaluated once for each attribute and once for each
value (that means twice for a single-valued attribute).
Why is it necessary to evaluate the ACLs for each value?
I modified the access_allowed function to support a simple ACL cache on
per-object basis. All attributes are stored in a list together with the
matching ACL, the status and the access mask. If the attribute is not in the
cache, the acl is evaluated by acl_get as usual and then a lookup in the
cache is done whether a different attribute has the same single access
control (if more than one access control matches to the attribute it is not
considered in this way) and the mask and status for the other attribute are
This way I managed to increase the performance by about 50%-100% for the ACL
cases (about 10 objects/s with complex ACLs, about 100 Objects/s with simpler
ACLs and about 140 Objects/s without ACLs).
Is this a way to go, or did I overlook some problems?
Some time ago someone posted an article about caching group membership for
connections. Has something evolved from that?
Stephan Siano Mail: Stephan.Siano@suse.de
SuSE Linux Solutions AG Phone: 06196 50951 31
Mergenthalerallee 45-47 Fax: 06196 409607
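
The per-object cache described in the message above, as an added sketch in C that is not part of the original post and is not slapd code. `struct acl`, `pick_acl`, `evaluate` and `cached_access` are hypothetical names over a toy ACL model; the sketch assumes that when another cached attribute matched the same single ACL its mask is reused, and it stores only the mask and derives grant or deny from it.

```c
#include <string.h>

#define MAX_ATTRS 128
enum { NO_ACL = -1, MULTI_ACL = -2 };

/* Toy ACL (hypothetical): applies to one attribute, or to all if attr is NULL. */
struct acl { const char *attr; unsigned mask; };
/* One cache per entry and requester: attribute, its matching ACL, access mask.
 * attr pointers must stay valid for the lifetime of the cache. */
struct cache_ent { const char *attr; int acl; unsigned mask; };
struct acl_cache { struct cache_ent e[MAX_ATTRS]; int n; };

static int eval_count;   /* counts the costly per-ACL evaluations */

static int applies(const struct acl *a, const char *attr) {
    return a->attr == NULL || strcmp(a->attr, attr) == 0;
}
/* Stand-in for acl_get: index of the only matching ACL, or a marker. */
static int pick_acl(const struct acl *a, int na, const char *attr) {
    int hit = NO_ACL;
    for (int i = 0; i < na; i++)
        if (applies(&a[i], attr)) hit = (hit == NO_ACL) ? i : MULTI_ACL;
    return hit;
}
/* Costly part (group lookups in the message). Toy semantics: the masks of
 * all matching ACLs are intersected; no matching ACL means no access. */
static unsigned evaluate(const struct acl *a, int na, const char *attr) {
    unsigned mask = ~0u;
    int any = 0;
    for (int i = 0; i < na; i++)
        if (applies(&a[i], attr)) { eval_count++; mask &= a[i].mask; any = 1; }
    return any ? mask : 0;
}
/* Returns 1 if every bit in want is granted for attr, else 0. */
int cached_access(struct acl_cache *c, const struct acl *a, int na,
                  const char *attr, unsigned want) {
    unsigned mask;
    int i, id;
    for (i = 0; i < c->n; i++)               /* attribute already cached */
        if (strcmp(c->e[i].attr, attr) == 0)
            return (c->e[i].mask & want) == want;
    id = pick_acl(a, na, attr);
    for (i = 0; id >= 0 && i < c->n; i++)    /* other attribute, same single ACL */
        if (c->e[i].acl == id) break;
    mask = (id >= 0 && i < c->n) ? c->e[i].mask : evaluate(a, na, attr);
    if (c->n < MAX_ATTRS)                    /* when full, skip storing */
        c->e[c->n++] = (struct cache_ent){ attr, id, mask };
    return (mask & want) == want;
}
```

Attributes matched by more than one ACL are stored under their own name only (`MULTI_ACL`), so their result is never shared with a different attribute.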