Hi, I looked at the problem again. Removing the mod-count improves concurrency when writing ACLs a lot (about 2 times faster with mongo and 20 threads). the read-performance does not suffer much with the current tests - but then the tests might not be accurate. the permission cache is only used to the everyone permissions, so it will show on systems with many of those.
I also looked at jukkas approach of storing the ACLs in content/:permissions, and it improves concurrency even more (about 3 faster times), but the read performance dropped by 50%. but this was with a stupid algorithm. I think that we can improve the :permissions approach, but also would need to change the way the permissions are exposed in the API/SPI. currently they are orthogonally provided by the PermissionProvider in so called TreePermissions. I think it could simplify a lot, if they would be part of the Tree API with something like Tree.getPermissions(). but this requires more refactoring. bottom line: for now, I'll remove the everyone cache and the mod-count again. after the 1.0 release, we should review the permission store and handling. regards, toby
