Currently each resource path is checked for permissions before exposing
it out from the Registry interface. A user manager API call is made to
perform this permission check. It may appear that we can avoid this API
call and execute a single SQL statement to get authorized resources
after merging the databases. It would be possible if permissions are
only based on users. But there are some algorithms executed in the user
manager to determine the permissions based on users, roles and
configuration parameters (prioritize allow or deny). It is very hard (if
not impossible) to implement all these algorithms in SQL. So I think we
can't gain a performance increase by using combined SQLs to check permissions.

But as Dimuthu, Channa and I discussed, the performance issue of Mooshup
shouldn't be caused by checking permissions. The number of users does not
affect the permission tables and performance of checking permissions.
Krishantha is doing a performance test on Registry by adding a large
number (> 150) of users. We will be able to determine the cause of the
problem by profiling the Mooshup and the Registry.
Thanks,
Chathura
Dimuthu Leelarathne wrote:
Hi All,
I have moved all the usermanager code into the registry and updated
Mashup.
We have left a couple of major things to do,
-implement the foreign key constraints on the registry
(this is to be done as soon as handlers problem is fixed)
-implement the hybrid realm - I can start right away
We have observed that Mooshup performance decreases when the number of
users increases.
Current Implementation
=====================
Given the resource_id, user_id and action, we ask from the API whether
there are permissions.
The algorithm complexity is linear on the number of Roles[1]. As the
number of roles in user increases, it will consume more time. But in
Mooshup the number of roles per user has not increased.
Another Implementation
======================
We have resource_id and action. We can load all the users and roles
allowed to perform the action on resource_id.
We have decided to do a profiling test. Maybe a caching technique needs
to be implemented.
Regards,
Dimuthu
[1]
if(user has permission){
    return;
}else{
    for all users in the role{
        check role has permission
    }
}
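The check discussed in this thread (user entry first, then the user's roles, with a configured allow/deny priority), written out as an added Python example; it is not WSO2 Registry or user manager code. The `Realm` class, its table layout, the default-deny fallback and the rule that an explicit user entry overrides role entries are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"


@dataclass
class Realm:
    """Hypothetical in-memory stand-in for the user manager's permission tables."""
    user_roles: dict                                 # user -> list of role names
    user_perms: dict = field(default_factory=dict)   # (user, resource, action) -> ALLOW/DENY
    role_perms: dict = field(default_factory=dict)   # (role, resource, action) -> ALLOW/DENY
    prioritize: str = DENY                           # assumed config: winner when roles disagree

    def is_authorized(self, user, resource, action):
        # 1. An explicit user-level entry decides immediately (assumption).
        direct = self.user_perms.get((user, resource, action))
        if direct is not None:
            return direct == ALLOW
        # 2. Otherwise walk the user's roles: cost is linear in the number of roles.
        decisions = {self.role_perms.get((role, resource, action))
                     for role in self.user_roles.get(user, [])}
        decisions.discard(None)
        if not decisions:
            return False                             # no entry anywhere: default deny (assumption)
        if len(decisions) == 1:
            return ALLOW in decisions
        # 3. Roles conflict: the configured priority decides. This data-dependent
        #    branch is what makes a single combined SQL statement awkward.
        return self.prioritize == ALLOW

    def allowed_users(self, resource, action):
        """The 'another implementation': resolve all users for one (resource, action).

        The returned set is what a cache keyed on (resource, action) would hold;
        it must be invalidated whenever a permission or role membership changes.
        """
        users = set(self.user_roles) | {u for (u, _, _) in self.user_perms}
        return {u for u in users if self.is_authorized(u, resource, action)}


# Constructed sample data.
realm = Realm(
    user_roles={"alice": ["editor", "guest"], "bob": ["guest"], "carol": ["editor"]},
    user_perms={("bob", "/mashups/m1", "write"): ALLOW},
    role_perms={("editor", "/mashups/m1", "write"): ALLOW,
                ("guest", "/mashups/m1", "write"): DENY},
)
```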