Re: ACL performance again
At 12:25 AM 2002-01-07, Stephan Siano wrote:
>On Friday, 4. January 2002 19:40, Kurt D. Zeilenga wrote:
>> At 08:57 AM 2002-01-04, Kurt D. Zeilenga wrote:
>> >I should clarify: For the most part OpenLDAP ACM granularity
>> >is attribute level. But, due to certain directives, the
>> >granularity must be treated as if it were value granularity.
>> >If these directives are not in use, then the granularity is
>> >attribute level.
>> In looking at the code, there is normally a call to
>> access_allow() for the target without any values followed
>> by one call to access_allow for the target with each value.
>> One could pass out from the first call the pointer to the
>> first ACL which is value specific. If this pointer was
>> NULL, then the access_allow() result for the target without
>> any values would be applied to targets regardless of the
>> value. If non-NULL, the pointer would be provided on
>> each per-value call and used to jump start processing.
Unfortunately, I don't have time to implement this. Volunteers
>Actually the only ACLs which are value dependent are
>access to ... by dnattr=... self... clauses (b->a_dn_at and b->a_dn_self are
>not NULL for one of the items in the acl_access list of the access control)
>and those containing ACIs. Both conditions could be evaluated in aclparse.c.
>The code concerning ACIs has the following comment, so it might be a matter
>of discussion whether value dependent ACIs are necessary or not if they hurt
>performance too much.
>/* this is experimental code that implements a
> * simple (prefix) match of the attribute value.
> * the ACI draft does not provide for aci's that
> * apply to specific values, but it would be
> * nice to have. If the <attr> part of an aci's
> * rights list is of the form <attr>=<value>,
> * that means the aci applies only to attrs with
> * the given value. Furthermore, if the attr is
> * of the form <attr>=<value>*, then <value> is
> * treated as a prefix, and the aci applies to
> * any value with that prefix.
> * Ideally, this would allow r.e. matches.
>In the same run, one could also store the result for the value independent
>access control. This might be reused later for other attributes which use the
>same access control.
>Stephan Siano Mail: Stephan.Siano@suse.de
>SuSE Linux Solutions AG Phone: 06196 50951 31
>Mergenthalerallee 45-47 Fax: 06196 409607
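
The jump-start idea discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code. The `struct acl` model, `check()`, `count_allowed()` and the sample data are hypothetical and constructed for illustration; the real access_allow() signature is not reproduced here.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not OpenLDAP's structures: an ordered rule list where the
 * first applicable rule decides; val != NULL marks a value-specific rule. */
struct acl {
    const char *attr;  /* attribute the rule covers */
    const char *val;   /* NULL: applies regardless of value */
    int grant;         /* 1 = allow, 0 = deny */
    struct acl *next;
};
static int per_value_calls;  /* per-value evaluations done by count_allowed() */

/* Evaluate from `start`. On a call without a value (val == NULL), *first_vs gets
 * the first value-specific rule for attr seen before the deciding rule, or NULL. */
static int check(struct acl *start, const char *attr, const char *val, struct acl **first_vs)
{
    if (first_vs) *first_vs = NULL;
    for (struct acl *a = start; a; a = a->next) {
        if (strcmp(a->attr, attr) != 0) continue;  /* rule is for another attribute */
        if (a->val == NULL) return a->grant;       /* value-independent rule decides */
        if (val == NULL) {
            if (first_vs && !*first_vs) *first_vs = a;  /* remember the jump-start point */
        } else if (strcmp(a->val, val) == 0) {
            return a->grant;                       /* value-specific rule decides */
        }
    }
    return 0;  /* no rule applied: deny */
}

/* One call without a value; per-value calls only when a value-specific rule
 * exists, each started at that rule instead of the head of the list. */
static int count_allowed(struct acl *head, const char *attr, const char **vals, size_t n)
{
    struct acl *vs;
    int base = check(head, attr, NULL, &vs), ok = 0;
    per_value_calls = 0;
    for (size_t i = 0; i < n; i++) {
        if (vs) { ok += check(vs, attr, vals[i], NULL); per_value_calls++; }
        else ok += base;  /* NULL pointer: the value-less result applies to every value */
    }
    return ok;
}

/* Constructed sample data: one value-specific deny on mail, none on cn. */
static struct acl sample[3] = { { "cn", NULL, 1, &sample[1] },
    { "mail", "root@example.com", 0, &sample[2] }, { "mail", NULL, 1, NULL } };
static const char *mails[] = { "a@example.com", "root@example.com", "b@example.com" };
static const char *cns[] = { "Alice", "Bob" };
```

Skipping ahead is safe in this model because every rule before the returned pointer is either for another attribute or would already have decided the value-less call.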