[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL performance again

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: ACL performance again
From: Stephan Siano <stephan.siano@suse.de>
Date: Mon, 7 Jan 2002 09:25:09 +0100
Cc: "openldap-devel" <openldap-devel@OpenLDAP.org>
In-reply-to: <5.1.0.14.0.20020104103313.017242e0@127.0.0.1>
References: <5.1.0.14.0.20020104083410.0174eb40@127.0.0.1> <20020104160842.738EBF900@susefra1.fra.suse.de> <5.1.0.14.0.20020104103313.017242e0@127.0.0.1>

On Friday, 4. January 2002 19:40, Kurt D. Zeilenga wrote:
> At 08:57 AM 2002-01-04, Kurt D. Zeilenga wrote:
> >I should clarify:   For the most part OpenLDAP ACM granularity
> >is attribute level.  But, due to certain directives, the
> >granularity must be treated as if it where value granularity.
> >If these directives are not in use, then the granularity is
> >attribute level.
>
> In looking at the code, there is normally a call to
> access_allow() for the target without any values followed
> by one call to access_allow for the target with each value.
>
> One could pass out a from the first call the pointer to the
> first ACL which is value specific.  If this pointer was
> NULL, then the access_allow() result for the target without
> any values would be applied to targets regardless of the
> value.  If non-NULL, the pointer would be provided on the
> each per value call and used to jump start processing.

Good idea. Actually the only ACLs which are value dependant are 
access to ... by dnattr=... self... clauses (b->a_dn_at and b->a_dn_self are 
not NULL for one of the items in the acl_access list of the access control) 
and those containing ACIs. Both conditions could be evaluated in aclparse.c.

The code concerning ACIs has the following comment, so it might be a matter 
of discussion whether value dependant ACIs are necessary or not if they hurt 
performance too much.
/* this is experimental code that implements a
 * simple (prefix) match of the attribute value.
 * the ACI draft does not provide for aci's that
 * apply to specific values, but it would be
 * nice to have.  If the <attr> part of an aci's
 * rights list is of the form <attr>=<value>,
 * that means the aci applies only to attrs with
 * the given value.  Furthermore, if the attr is
 * of the form <attr>=<value>*, then <value> is
 * treated as a prefix, and the aci applies to 
 * any value with that prefix.
 *
 * Ideally, this would allow r.e. matches.
 */

In the same run, one could also store the result for the value independent 
access control. This might be reused later for other attributes which use the 
same access control.

Yours
Stephan Siano

-- 
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn

Follow-Ups:
- Re: ACL performance again
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: ACL performance again
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Re: ACL performance again
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- ACL performance again
  - From: Stephan Siano <stephan.siano@suse.de>
- Re: ACL performance again
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: ACL performance again
Next by Date: possible small bug in acl.c
Index(es):
- Chronological
- Thread