[ https://issues.apache.org/jira/browse/OAK-7870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16671258#comment-16671258 ]
Alex Deparvu commented on OAK-7870:
-----------------------------------

[~anchela] what do you think?

> Reduce permission store lookups for empty principal sets
> --------------------------------------------------------
>
>                 Key: OAK-7870
>                 URL: https://issues.apache.org/jira/browse/OAK-7870
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core, security
>            Reporter: Alex Deparvu
>            Assignee: Alex Deparvu
>            Priority: Trivial
>             Fix For: 1.10, 1.9.10
>
>         Attachments: OAK-7870.patch
>
>
> In the case of empty principal sets in the session (no user principals or no
> group principals in the session) it can happen that a check for read access
> will trigger a full traversal up the tree to the root node.
>
> Example: A session based on a principal set P = [u0, g0] (u0 is a user, g0 is
> a group) tries to load a path /p0/p1/p2/p3.
>
> The evaluation will be:
> * first the set P is split in 2 parts by users/groups (X set of user
>   principals, Y set of group principals)
> * first for X (user principals), walk up the tree from the current path
>   until there is a relevant entry (or root node)
> * if nothing was found try again with Y (group principals) up to a relevant
>   entry or root node
> * if X or Y is empty the evaluation will use an empty flag in the
>   PermissionEntryProviderImpl which will return empty lists.
>
> The trouble is that with an empty set X or Y there is not a clear
> distinction between 'no principals' and 'no entries' so it can happen that
> there is a traversal happening from the current path up to root. This can be
> bypassed by using a null PermissionEntryProvider instead of the empty version.
>
> The chances that this happens are pretty small, so I'm marking the issue as a
> trivial improvement.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
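
The sketch below is an added example, not Oak's code and not part of the original message. It is a simplified model of the evaluation described in the issue, comparing the store lookups made when an empty group set is represented by a provider that returns empty lists with those made when it is represented by null. Provider, firstRelevant, evaluate and the lookup counter are hypothetical names, and the entry data is constructed; only the path /p0/p1/p2/p3 and the principal u0 come from the issue.

```java
import java.util.*;

// Simplified model of the evaluation described in OAK-7870. Not Oak's code:
// Provider, firstRelevant and evaluate are hypothetical names.
public class EmptyPrincipalSetDemo {

    // Stand-in for a permission entry provider that counts store lookups.
    static class Provider {
        final Map<String, List<String>> entries;
        int lookups = 0;
        Provider(Map<String, List<String>> entries) { this.entries = entries; }
        List<String> get(String path) {
            lookups++;
            return entries.getOrDefault(path, Collections.emptyList());
        }
    }

    static String parent(String path) {
        int i = path.lastIndexOf('/');
        return i <= 0 ? "/" : path.substring(0, i);
    }

    // Walk up from path until a relevant entry or the root node is reached.
    // A null provider means "no principals", so there is nothing to walk for.
    static List<String> firstRelevant(Provider p, String path) {
        if (p == null) return Collections.emptyList();
        for (String cur = path; ; cur = parent(cur)) {
            List<String> found = p.get(cur);
            if (!found.isEmpty() || cur.equals("/")) return found;
        }
    }

    // Users (X) first, then groups (Y); returns the total number of lookups.
    static int evaluate(Provider users, Provider groups, String path) {
        List<String> hit = firstRelevant(users, path);
        if (hit.isEmpty()) hit = firstRelevant(groups, path);
        return (users == null ? 0 : users.lookups) + (groups == null ? 0 : groups.lookups);
    }

    public static void main(String[] args) {
        String path = "/p0/p1/p2/p3";
        // Constructed data: u0 has a single entry on an unrelated path, and
        // the session has no group principals (Y is empty).
        Map<String, List<String>> u0 = new HashMap<>();
        u0.put("/other", Arrays.asList("u0: allow read"));
        Provider emptyGroups = new Provider(new HashMap<>());
        System.out.println("empty provider for Y: "
                + evaluate(new Provider(u0), emptyGroups, path) + " lookups");
        System.out.println("null provider for Y:  "
                + evaluate(new Provider(u0), null, path) + " lookups");
    }
}
```

In this model the empty provider is consulted once per path level up to the root even though it can never return an entry, while the null provider is skipped outright; the access decision is the same in both runs.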