[Date Prev][Date Next]
Re: ACL Performance (caching on object basis) (ITS#1523)
On Monday, 28. January 2002 01:41, Howard Chu wrote:
> In reviewing these patches, it looks like acl_check_modlist ought to be
> checking for any value-dependent ACLs as well, but currently isn't. Yes?
Well, I wasn't sure about side effects so I left it alone. The NULL parameter
means that evaluation of ACL does begins from the start, not from a value
dependant ACL, so the only effect is a reduced write performance.
However, looking into the code, it shouldn't be difficult to introduce this
here, too, of the patch should be accepted.
> Also, since the caching is only performed on a per-entry basis, the entire
> ACLCache structure looks unnecessary.
Do you mean the whole idea is unnecessary or do you think the data structure
I think the idea to evaluate one ACL only once for an entry does make sense.
In normal LDAP setups you will only have a handful of ACLs matching for one
entry, however in the current setup the ACLs are evaluated for each attribute
and each value in the entry. With the pointer to the first value dependant
attribute you can reduce this to one ACL evaluation per attribute (in the
case of value independant ACLs), but that will generally still mean that you
evaluate the same ACL several times. Imagine an entry with 20 attributes, 30
values and five matching ACLs. Without any patch, the slapd will have to
evaluate 50 ACLs with the pinter to the first value independant ACL 20 and
with the complete patch only 5.
I stored the information about evaluated ACLs in the ACLCache structure since
it seemed to me the way to do this, but if you have a better idea about
storing this information, feel free to tell it.
Maybe calling that ACL cache isn't really proper, but I didn't find a better
name. I also thought about implementing a real, longer lived ACL cache, but
that needed to store information about the validity context of the cached
ACLs and storing and evaluating this data seemed to me as expensive as
evaluation the ACLs themselves.
> It also seems to me that nothing is
> gained from making the ACLCacheEntry a doubly linked list, a single link
> would be enough since the list is only traversed in one direction.
You are right about this. If the whole idea seems acceptable, I will rework
Stephan Siano Mail: Stephan.Siano@suse.de
SuSE Linux Solutions AG Phone: 06196 50951 31
Mergenthalerallee 45-47 Fax: 06196 409607