
Re: ACL performance again

At 08:08 AM 2002-01-04, Stephan Siano wrote:
>I encountered performance problems with rather complex (group based) ACLs in 
>conjunction with large objects (approximately 120 attributes per object).
>
>The server returned only 6.5 objects per second for complex (attribute 
>dependent, group based) ACLs, about 50 objects per second for simpler 
>(attribute independent, group based) ACLs and about 140 objects per second 
>without any ACL (defaultaccess read).
>
>Looking into the code (and switching on acl debugging) it showed that the 
>whole ACL is parsed and evaluated once for each attribute and once for each 
>value (that means twice for a single-valued attribute).
>
>Why is it necessary to evaluate the ACLs for each value?

Because OpenLDAP ACM has attribute value granularity.

>I modified the access_allowed function to support a simple ACL cache on 
>per-object basis. All attributes are stored in a list together with the 
>matching ACL, the status and the access mask. If the attribute is not in the 
>cache, the acl is evaluated by acl_get as usual and then a lookup in the 
>cache is done whether a different attribute has the same single access 
>control (if more than one access control matches to the attribute it is not 
>considered in this way) and the mask and status for the other attribute are 
>copied.

This doesn't work if one has value-specific ACLs.

>This way I managed to increase the performance by about 50%-100% for the ACL 
>cases (about 10 objects/s with complex ACLs, about 100 objects/s with simpler 
>ACLs and about 140 objects/s without ACLs).
>
>Is this a way to go, or did I overlook some problems?

Value-specific ACLs.

>Some time ago someone posted an article about caching group membership for 
>connections. Has something evolved from that?

Kurt
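As an added example (not code from this thread or from OpenLDAP), a small Python model of attribute-value-granular ACL evaluation: it reproduces the per-attribute cache Stephan describes, shows where Kurt's objection bites (a value-specific clause makes the cached mask wrong for the second value of the same attribute), and contrasts a "safe" mode that only caches attributes no value-specific clause covers. The policy, entry and DNs are constructed for illustration.

```python
import re
from dataclasses import dataclass
@dataclass
class Clause:                    # one "access to attrs=... [val=...] by who ..." line
    attrs: set                   # attributes this access control covers
    who: dict                    # requester DN -> "read" or "none"
    val: str = None              # regex the value must match; None = any value

# Constructed policy (not from the thread): cn=app reads cn/sn freely but may
# read member values only when the member DN sits under ou=public.
POLICY = [Clause({"cn", "sn"}, {"cn=app": "read"}),
          Clause({"member"}, {"cn=app": "read"}, val=r",ou=public$"),
          Clause({"member"}, {"cn=app": "none"})]

def acl_get(policy, attr, val):
    """Index of the first clause matching (attr, val), or None."""
    for i, c in enumerate(policy):
        if attr in c.attrs and (c.val is None or re.search(c.val, val)):
            return i
    return None

def access_allowed(policy, attr, val, who, mode, cache, stats):
    """mode 'none': full evaluation per value (the behaviour Stephan measured).
    'naive': the per-attribute cache from the thread. 'safe': the same cache,
    but only for attributes that no value-specific clause covers."""
    cacheable = mode == "naive" or (mode == "safe" and not any(
        c.val is not None for c in policy if attr in c.attrs))
    if cacheable and attr in cache:
        return cache[attr][1]            # mask reused for every further value
    idx = acl_get(policy, attr, val)
    if cacheable:
        for other_idx, allowed in cache.values():
            if other_idx == idx:         # same single access control: copy mask
                cache[attr] = (idx, allowed)
                return allowed
    stats["evals"] += 1                  # the expensive who-clause evaluation
    allowed = idx is not None and policy[idx].who.get(who) == "read"
    if cacheable:
        cache[attr] = (idx, allowed)
    return allowed

ENTRY = {"cn": ["app-group"], "sn": ["group"],           # constructed entry
         "member": ["cn=alice,ou=public", "cn=bob,ou=secret"]}

def readable_values(policy, entry, who, mode):
    """Values of entry visible to who, plus how many full evaluations it cost."""
    cache, stats = {}, {"evals": 0}
    out = {a: [v for v in vs if access_allowed(policy, a, v, who, mode, cache, stats)]
           for a, vs in entry.items()}
    return out, stats["evals"]
```

With this policy the naive cache leaks cn=bob,ou=secret to cn=app, while the safe mode still saves the sn evaluation and stays correct.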