[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACL Performance (caching on object basis) (ITS#1523)

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> At 04:41 PM 2002-01-27, Howard Chu wrote:
> >In reviewing these patches, it looks like acl_check_modlist ought to be
> >checking for any value-dependent ACLs as well, but currently isn't. Yes?
> acl_check_modlist() does make value-dependent ACL checks.

Yes, what I meant is this - the patch provides an arg to access_allowed that
can store the address of the first value-dependent ACL. But in
acl_check_modlist, this pointer is not used. Apparently it should be taken
advantage of in this case.

> >Also, since the caching is only performed on a per-entry basis, the entire
> >ACLCache structure looks unnecessary. It also seems to me that nothing is
> >gained from making the ACLCacheEntry a doubly linked list, a single
> link would
> >be enough since the list is only traversed in one direction.
> ACLCache?  ITS#1523?
> I think I prefer a stateless solution per:
>   http://www.openldap.org/lists/openldap-devel/200201/msg00015.html

ITS #1523 does provide this pointer in addition to a cache of results of
evaluating each ACL. The cache is maintained for a single operation on a single
entry and then discarded. As Stephan's emails indicate, its primary benefit is
when checking ACLs on an entry with a large number of attributes and/or a large
number of values.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support