RE: ACL Performance (caching on object basis) (ITS#1523)
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> At 04:41 PM 2002-01-27, Howard Chu wrote:
> >In reviewing these patches, it looks like acl_check_modlist ought to be
> >checking for any value-dependent ACLs as well, but currently isn't. Yes?
>
> acl_check_modlist() does make value-dependent ACL checks.
Yes, what I meant is this - the patch provides an arg to access_allowed that
can store the address of the first value-dependent ACL. But in
acl_check_modlist, this pointer is not used. Apparently it should be taken
advantage of in this case.
> >Also, since the caching is only performed on a per-entry basis, the entire
> >ACLCache structure looks unnecessary. It also seems to me that nothing is
> >gained from making the ACLCacheEntry a doubly linked list, a single link would
> >be enough since the list is only traversed in one direction.
>
> ACLCache? ITS#1523?
>
> I think I prefer a stateless solution per:
> http://www.openldap.org/lists/openldap-devel/200201/msg00015.html
ITS #1523 does provide this pointer in addition to a cache of results of
evaluating each ACL. The cache is maintained for a single operation on a single
entry and then discarded. As Stephan's emails indicate, its primary benefit is
when checking ACLs on an entry with a large number of attributes and/or a large
number of values.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
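
The idea discussed in this message, recording the first value-dependent ACL so that later values of the same attribute can skip or shorten evaluation, as an added example that is not part of the original message and is not OpenLDAP code. The types, the `access_allowed` signature, the first-match rule model and the sample ACL are simplified assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model, not slapd's types; val != NULL marks a value-dependent rule. */
struct rule { const char *attr, *val; int grant; };
/* Per-attribute state for one operation on one entry; never reuse it elsewhere. */
struct state { const struct rule *first_vd; int recorded, result; };
int evaluations; /* rules examined, to make the saving visible */

/* First rule matching attr (and value, if value-dependent) decides; default deny. */
int access_allowed(const struct rule *acl, size_t n, const char *attr,
                   const char *value, struct state *st)
{
    size_t i = 0;
    int result = 0;
    if (st && st->recorded) {
        if (!st->first_vd) return st->result; /* outcome did not depend on value */
        i = (size_t)(st->first_vd - acl);     /* earlier rules are for other attrs */
    }
    for (; i < n; i++) {
        evaluations++;
        if (strcmp(acl[i].attr, attr) != 0) continue;
        if (acl[i].val) {
            if (st && !st->first_vd) st->first_vd = &acl[i];
            if (strcmp(acl[i].val, value) != 0) continue;
        }
        result = acl[i].grant;
        break;
    }
    if (st && !st->recorded) { st->recorded = 1; st->result = result; }
    return result;
}

/* Modlist-style check: every value must be allowed; use_state=0 is the baseline. */
int check_values(const struct rule *acl, size_t n, const char *attr,
                 const char **vals, size_t nvals, int use_state)
{
    struct state st = { NULL, 0, 0 };
    for (size_t k = 0; k < nvals; k++)
        if (!access_allowed(acl, n, attr, vals[k], use_state ? &st : NULL)) return 0;
    return 1;
}

/* Constructed sample ACL: rule 2 denies one specific value of "member". */
const struct rule SAMPLE_ACL[] = {
    { "mail", NULL, 1 }, { "telephoneNumber", NULL, 1 },
    { "member", "uid=admin", 0 }, { "member", NULL, 1 },
};
int main(void) {
    const char *v[] = { "uid=a", "uid=admin" };
    return check_values(SAMPLE_ACL, 4, "member", v, 2, 1);
}
```

In this model the state is only valid for the attribute and entry it was recorded against; carrying it over to another attribute or entry would return a stale access decision.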