Details
-
Improvement
-
Resolution: Fixed
-
Minor
-
2.3.0
-
None
Description
The Trace Privileges function in the group privileges tab is performing badly for us. Tracing through the source code, I see that when the user doesn't have one of the privileges (it loops through all 8 of them individually, first as the user, then as EveryEntity), further queries are not being circumvented. Instead, the subsequent query, to ensure the UI session user can view the groups in the path, is being called with an empty list of groups. This results in the query returning every group/role in the database, then creating a set of Group objects for them, which is never used. Privilege tracing is called twice, once for the subject and once for EveryEntity, so the performance hit could happen from either one of them.
I tested a quick circumvention check in the MembershipGroupPath class, and that does improve it. I had thought about just early exiting when the user has no privilege. But later parts of the code do queries on other user relationships, and it was complex enough that I didn't want to assume it wouldn't pull in anything that could be safely shorted.
0001-improve-performance-of-privilege-path-tracer.patch |
From 35b57ccf135390bf366c59aa30ca558f05524729 Mon Sep 17 00:00:00 2001 |
From: Chad Redman <chad_redman@unc.edu> |
Date: Tue, 20 Dec 2016 17:28:03 -0500 |
Subject: [PATCH] improve performance of privilege path tracer
|
|
---
|
.../internet2/middleware/grouper/membership/MembershipPathGroup.java | 5 +++++ |
1 file changed, 5 insertions(+) |
|
diff --git a/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java b/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
|
index ed26cf6..779c97e 100644 |
--- a/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
|
+++ b/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
|
@@ -949,6 +949,11 @@ public class MembershipPathGroup { |
@Override |
public Object callback(GrouperSession grouperSession) throws GrouperSessionException { |
|
+ //if there is no traced path, don't call groupFinder -- with no groupIds it will return all groups |
+ if (GrouperUtil.length(groupIds) == 0) { |
+ return new HashSet<Group>(); |
+ }
|
+
|
GroupFinder groupFinder = new GroupFinder().assignGroupIds(groupIds).assignSubject(callingSubject); |
//this is read since it is more about the groups in groups as members |
groupFinder.assignPrivileges(AccessPrivilege.READ_PRIVILEGES);
|
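Review bot: the empty-groupIds guard at the top of callback() covers only this one call site, while the comment on it places the underlying behaviour in the finder ("with no groupIds it will return all groups"). Since this lookup exists to restrict the traced path to groups the calling subject holds READ on, an empty id list being treated as "no filter" is a default worth removing at the source: either check the other callers of assignGroupIds(...) for the same pattern, or have the finder return an empty result when an id filter was assigned but is empty. Two smaller points: the comment could say that an empty set is the correct answer for an empty path, not only a shortcut, and a test that traces a privilege the subject does not hold would keep the guard from being dropped in a later refactor.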
--
|
2.8.3 |
|