[Date Prev][Date Next]
Re: ACL performance again
At 08:08 AM 2002-01-04, Stephan Siano wrote:
>I encountered performance problems with rather complex (group based) ACLs in
>conjunction with large objects (approximately 120 attributes per object).
>The server returned only 6.5 objects per second for complex (attribute
>dependant, group based) ACLs, about 50 objects per second for simpler
>(attribute independent, group based) ACLs and about 140 objects per second
>without any ACL (defaultaccess read).
>Looking into the code (and switching on acl debugging) it showed that the
>wohle ACL is parsed and evaluated once for each attribute and once for each
>value (that means twice for a single-valued attribute).
>Why is it necessary to evaluate the ACLs for each value?
Because OpenLDAP ACM has attribute value granularity.
>I modified the access_allowed function to support a simple ACL cache on
>per-object basis. All attributes are stored in a list together with the
>matching ACL, the status and the access mask. If the attribute is not in the
>cache, the acl is evaluated by acl_get as usual and then a lookup in the
>cache is done whether a different attribute has the same single access
>control (if more than one access control matches to the attribute it is not
>considered in this way) and the mask and status for the other attribute are
This doesn't work if one has a value specific ACLs.
>This way I managed to increase the performance by about 50%-100% for the ACL
>cases (about 10 objects/s with complex ACLs, about 100 Objects/s with simpler
>ACLs and about 140 Objects/s without ACLs).
>Is this a way to go, or did I overlook some problems?
Value specific ACLs.
>Some time ago someone posted an article about caching group membership for
>connections. Has something evolved from that?