[kforge-dev] access control role authorisation sequence

Rufus Pollock rufus.pollock at okfn.org
Sun Aug 27 12:40:00 UTC 2006


John Bywater wrote:
> Just to say that I've really speeded up the access controller, and hence 
> the KForge and CKAN systems, by reversing the previous 
> isRoleAuthorised() method, which checks if a role has been granted a 
> permission (to take an action with an object).

Great work John. Any idea on how much speedup? Maybe we could use the 
profiler ...

> In summary, I replaced "for" loops and lists of objects, with "if" 
> statements and dictionary-type look ups. This stabilises the number of 
> operations and creates a much more direct style.

[snip]

> Anyway, this method is super fast, requiring a small and fixed number of 
> database queries for a given access controller.
> 
> In detail, we find the action object (0, or 1 if not cached), find the 
> protection object (1, or sometimes 2), retrieve the required permission 
> (1), and then look up a grant on the role of the permission (once more 
> for each role involved by the access controller: session person system 
> role, visitor person system role, project membership role, visitor 
> project membership role -- missing?, personal role; total 4).
> 
> So on average we should just need 6 look ups per authorisation request 
> for a controller involving 4 roles. This compares to the previous 
> routine, which I expect retrieved half the population of protection 
> objects on average, asking them each in turn if they protected the 
> protected object. It was taking a while :-).

Great work. Given the number of protection objects this should result in 
some very dramatic speed improvements. As I said above, it might be useful 
(if we have the time) to actually profile this bit of code and see if we 
can get some before and after data as well as more info on where the 
performance bottlenecks are.

> I'm not sure if I've broken something as a result of changing all this 
> round, but I am very pleased that this piece seems now to have fallen 
> into place. KForge is performing very snappily now. :-)
> 
> Regards,
> 
> John.
> 
> PS Indeed, a few more of the tests aren't passing now. I suspect some of 
> the tests need improving, but I didn't do anything about it yet. We need 
> to get all the tests passing again as an urgent next step. But I won't 
> be able to do anything about them for a few days now. I'm sure nothing 
> major has broken, but I think some of the tests aren't any longer doing 
> the right things to the objects that are testing. Let's pull this back 
> in and together asap.

After writing this you seem to have fixed most of the failing tests :) 
However from the latest run of the automated builder I see there are 
still a few issues. I'll look into this and see if I can fix any 
remaining problems.

Regards,

Rufus
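
An added sketch, not part of the original thread and not KForge code: a constructed in-memory model of the change discussed above, with a looped scan over protection objects beside a fixed chain of keyed lookups, plus a differential check that both routines return the same allow/deny decision. All names, roles and data are assumptions made up for the example.

```python
# Added illustration: names and data are constructed, not KForge's schema.
from itertools import product

ACTIONS = {"Read": 1, "Update": 2}                       # action name -> id
PROTECTIONS = [(100, "Project"), (101, "Person"), (102, "Service")]
PERMISSIONS = {(100, 1): 10, (100, 2): 11, (101, 1): 12}  # (protection, action) -> permission
GRANTS = {("Visitor", 10), ("Developer", 10), ("Developer", 11), ("Administrator", 12)}

def authorised_by_scan(roles, action, obj):
    """Loop style: ask each protection object in turn whether it protects obj."""
    for prot_id, name in PROTECTIONS:
        if name == obj:
            perm = PERMISSIONS.get((prot_id, ACTIONS.get(action)))
            return any((role, perm) in GRANTS for role in roles)
    return False

PROTECTION_BY_NAME = {name: prot_id for prot_id, name in PROTECTIONS}

def authorised_by_lookup(roles, action, obj, action_cache):
    """Lookup style: fixed chain of keyed lookups; any miss denies.
    Returns (decision, number of lookups performed)."""
    lookups = 0
    if action not in action_cache:                       # 0 lookups once cached
        action_cache[action] = ACTIONS.get(action)
        lookups += 1
    prot_id = PROTECTION_BY_NAME.get(obj)
    lookups += 1
    perm = PERMISSIONS.get((prot_id, action_cache[action]))
    lookups += 1
    granted = False
    for role in roles:                                   # one grant lookup per role
        lookups += 1
        granted = granted or (role, perm) in GRANTS
    return granted, lookups

def decisions_agree():
    """Differential check: both routines must return the same decision for every
    combination, including unknown roles, actions and objects (all denied)."""
    roles = ["Visitor", "Developer", "Administrator", "Nobody"]
    cache = {}
    return all(
        authorised_by_scan([r], a, o) == authorised_by_lookup([r], a, o, cache)[0]
        for r, a, o in product(roles, ["Read", "Update", "Delete"],
                               ["Project", "Person", "Service", "Unknown"]))
```

With four roles the lookup routine does 7 lookups on a cold action cache and 6 once the action is cached, whatever the number of protection objects.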



