Hi -- Chris Darroch wrote:
> Much appreciated, but alas, Justin pointed out a serious conflict > in mod_authz_svn, and more generally, various modules may exist out > there that are also expecting authnz functions to be called for every > sub-request that has a different URI/filepath. [snip] > This optimization in httpd would be possible if it could assume > its config files contained a complete description of all the per-directory > authnz configurations. But, as noted in the SVN docs, some modules > like mod_authz_svn may provide authnz functions that do per-directory > discriminations based on data from outside the httpd config files. > They can do this because of the way sub-request per_dir_config data > is handled now. Since there's no way for httpd to know about such > external per-directory authnz discriminations, we can't add the walk > cache optimizations as I first wrote them. > > Maybe in 3.x they could be added this way, but I'd prefer to see > them arrive a little sooner, if at all possible. Thinking about it > last night, what I thought might work is for httpd to assume that > any module that provides authnz functions is by default "unsafe for > walk cache optimization". However, the majority -- maybe all -- of > the authnz modules in the httpd distribution could explicitly set > a flag which indicates that they're "safe". If no modules are loaded > that are unsafe, then the optimization could be done, otherwise the > old behaviour would be the default. Existing external modules would > continue to work as before. I've revised my patch set for httpd trunk to do something like what's described above; it's available at: http://people.apache.org/~chrisd/patches/walk_cache/ Briefly, the walk cache changes I made earlier are still in place, but sub-requests and internal redirects only share the initial request's per_dir_config if ap_auth_initial_req_only() returns true. Otherwise, they get their own private copy, as before. The new function ap_auth_initial_req_only() simply returns the AND'ed value of two optional functions, one each for authn and authz. These functions return true or false depending on whether any authn or authz providers were registered using the old "unsafe for walk cache optimization" version code. If none were -- as should usually be the case for most installations -- then optimization can proceed. The main trick here is that instead of the hard-coded version string "0" for authn/z providers, AUTHN/Z_PROVIDER_VERSION_ALL_REQ and AUTHN/Z_PROVIDER_VERSION_INITIAL_REQ are defined. Also, instead of doing ap_lookup_provider() directly, ap_authn_lookup_provider() and ap_authz_lookup_provider() should be used instead. These check first for a "better" INITIAL_REQ version, then fall back to the ALL_REQ version. Based on a somewhat speedy evaluation, I don't see any authn/z modules that would require the ALL_REQ version -- that is, anything which works like mod_authz_svn, and discriminates between requests on the basis of URLs (using configuration information other than the normal httpd configuration directives). I won't check this in anytime soon, because I'd like to hear if anyone can think of additional problems, or has issues with this proposed solution. Fire away! Thanks, Chris. -- GPG Key ID: 366A375B GPG Key Fingerprint: 485E 5041 17E1 E2BB C263 E4DE C8E3 FA36 366A 375B
