Uploaded image for project: 'Grouper'
  1. Grouper
  2. GRP-1446

performance of the Trace Privileges function

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.3.1, 2.4.0, 2.3.0.patch
    • Component/s: API, UI
    • Labels:
      None

      Description

      The Trace Privileges function in the group privileges tab is performing badly for us. Tracing through the source code, I see that when the user doesn't have one of the privileges (it loops through all 8 of them individually, first as the user, then as EveryEntity), further queries are not being circumvented. Instead, the subsequent query, to ensure the UI session user can view the groups in the path, is being called with a empty list of groups. This results in the query returning every group/role in the database, then creating a set of Group objects for them, which is never used. Privilege tracing is called twice, once for the subject and once for EveryEntity, so the performance hit could happen from either one of them.

      I tested a quick circumvention check in the MembershipGroupPath class, and that does improve it. I had thought about just early exiting when the use has no privilege. But later parts of the code do queries on other user relationships, and it was complex enough that I didn't want to assume it wouldn't pull in anything that could be safely shorted.

      0001-improve-performance-of-privilege-path-tracer.patch
      From 35b57ccf135390bf366c59aa30ca558f05524729 Mon Sep 17 00:00:00 2001
      From: Chad Redman <chad_redman@unc.edu>
      Date: Tue, 20 Dec 2016 17:28:03 -0500
      Subject: [PATCH] improve performance of privilege path tracer
       
      ---
       .../internet2/middleware/grouper/membership/MembershipPathGroup.java | 5 +++++
       1 file changed, 5 insertions(+)
       
      diff --git a/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java b/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
      index ed26cf6..779c97e 100644
      --- a/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
      +++ b/grouper/src/grouper/edu/internet2/middleware/grouper/membership/MembershipPathGroup.java
      @@ -949,6 +949,11 @@ public class MembershipPathGroup {
             @Override
             public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
       
      +        //if there is no traced path, don't call groupFinder -- with no groupIds it will return all groups
      +        if (GrouperUtil.length(groupIds) == 0) {
      +          return new HashSet<Group>();
      +        }
      +
               GroupFinder groupFinder = new GroupFinder().assignGroupIds(groupIds).assignSubject(callingSubject);
               //this is read since it is more about the groups in groups as members
               groupFinder.assignPrivileges(AccessPrivilege.READ_PRIVILEGES);
      --
      2.8.3
      
      

        Attachments

          Activity

            People

            • Assignee:
              mchyzer Chris Hyzer
              Reporter:
              cer28 Chad Redman
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: