
Re: ACL performance again



At 12:25 AM 2002-01-07, Stephan Siano wrote:
>On Friday, 4. January 2002 19:40, Kurt D. Zeilenga wrote:
>> At 08:57 AM 2002-01-04, Kurt D. Zeilenga wrote:
>> >I should clarify:   For the most part OpenLDAP ACM granularity
>> >is attribute level.  But, due to certain directives, the
>> >granularity must be treated as if it were value granularity.
>> >If these directives are not in use, then the granularity is
>> >attribute level.
>>
>> In looking at the code, there is normally a call to
>> access_allow() for the target without any values followed
>> by one call to access_allow for the target with each value.
>>
>> One could pass out from the first call the pointer to the
>> first ACL which is value specific.  If this pointer was
>> NULL, then the access_allow() result for the target without
>> any values would be applied to targets regardless of the
>> value.  If non-NULL, the pointer would be provided on the
>> each per-value call and used to jump start processing.
>
>Good idea.

Unfortunately, I don't have time to implement this.  Volunteers
welcomed.

>Actually the only ACLs which are value dependent are 
>access to ... by dnattr=... self... clauses (b->a_dn_at and b->a_dn_self are 
>not NULL for one of the items in the acl_access list of the access control) 
>and those containing ACIs. Both conditions could be evaluated in aclparse.c.
>
>The code concerning ACIs has the following comment, so it might be a matter 
>of discussion whether value dependent ACIs are necessary or not if they hurt 
>performance too much.
>/* this is experimental code that implements a
> * simple (prefix) match of the attribute value.
> * the ACI draft does not provide for aci's that
> * apply to specific values, but it would be
> * nice to have.  If the <attr> part of an aci's
> * rights list is of the form <attr>=<value>,
> * that means the aci applies only to attrs with
> * the given value.  Furthermore, if the attr is
> * of the form <attr>=<value>*, then <value> is
> * treated as a prefix, and the aci applies to 
> * any value with that prefix.
> *
> * Ideally, this would allow r.e. matches.
> */
>
>In the same run, one could also store the result for the value independent 
>access control. This might be reused later for other attributes which use the 
>same access control.
>
>Yours
>Stephan Siano
>
>-- 
>Stephan Siano                           Mail:  Stephan.Siano@suse.de
>SuSE Linux Solutions AG                 Phone: 06196 50951 31
>Mergenthalerallee 45-47                 Fax:   06196 409607
>D-65760 Eschborn
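
The optimization proposed in this thread, sketched as an added example; it is not code from the thread or from OpenLDAP. `struct acl`, `check()` and `check_values()` are hypothetical names, and the sketch assumes first-match-wins rules with exact-match values, so every rule ahead of the first value-specific one cannot match the target and skipping it leaves the access decision unchanged.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified rule; not OpenLDAP's own ACL structure. */
struct acl {
    const char *attr;   /* attribute the rule targets; NULL ends the list */
    const char *val;    /* NULL = rule does not depend on the value */
    int allow;          /* 1 = grant, 0 = deny */
};
static int evals;       /* rules visited, to make the saving visible */

/* First matching rule wins. A call with val == NULL skips value-specific
 * rules and reports the first one it skipped through *first_vs. */
static int check(const struct acl *start, const char *attr,
                 const char *val, const struct acl **first_vs) {
    for (const struct acl *a = start; a->attr; a++) {
        evals++;
        if (strcmp(a->attr, attr) != 0) continue;
        if (a->val) {
            if (!val) { if (first_vs && !*first_vs) *first_vs = a; continue; }
            if (strcmp(a->val, val) != 0) continue;
        }
        return a->allow;
    }
    return 0;           /* no rule matched: deny */
}

/* One value-less pass; per-value passes resume at vs, or are skipped. */
static void check_values(const struct acl *list, const char *attr,
                         const char **vals, int n, int *out) {
    const struct acl *vs = NULL;
    int base = check(list, attr, NULL, &vs);
    for (int i = 0; i < n; i++)
        out[i] = vs ? check(vs, attr, vals[i], NULL) : base;
}

/* Constructed sample rules: only "member" has a value-specific rule. */
static const struct acl rules[] = {
    { "cn", NULL, 1 }, { "sn", NULL, 1 },
    { "member", "uid=bob", 0 }, { "member", NULL, 1 }, { NULL, NULL, 0 }
};

int main(void) {
    const char *v[] = { "uid=alice", "uid=bob" };
    int out[2];
    check_values(rules, "member", v, 2, out);
    printf("alice=%d bob=%d rules visited=%d\n", out[0], out[1], evals);
}
```

For the two `member` values this visits 7 rules, against 11 when the value-less call and both per-value calls each start from the head of the list.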