[SAK-18459] OSP role-based authorization is far too inefficient Created: 04-May-2010  Updated: 09-Aug-2010  Resolved: 07-May-2010

Status: CLOSED
Project: Sakai
Component/s: OSP: Other
Affects Version/s: 2.6.0, 2.7.0
Fix Version/s: 2.7.0

Type: Bug Priority: Critical
Reporter: Noah Botimer Assignee: Noah Botimer
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depend
depends on SAK-38811 Need a way to retrieve multiple roles... CLOSED

 Description   

When authorizing items such as forms or presentations, the algorithm used can be very inefficient. The WorksiteAwareAuthorizationFacade checks every site to which the viewer belongs by retrieving them from the AuthzGroupService individually. The entire set is retrieved from the database on each check, incurring a large penalty for users who belong to many sites.

There is a kernel issue recorded as KNL-488 to offer a new method to check the user's roles more efficiently. There is a dependent patch required to OSP to take advantage of this method.



 Comments   
Comment by Noah Botimer [ 04-May-2010 ]

The patch committed to a branch in r77120 attempts to be as efficient as possible for checking authorization by doing the following:

  • Unconditionally checking if the user has direct access to the object for the specified function, before handling roles
  • Retrieving the set of permitted roles for the object/function before checking any roles for the user
  • Using the set of realms where at least one role is permitted as a filter to search for realms where the user has a permitted role
  • Using the new AuthzGroupService.getUserRoles method to perform the search efficiently at the database, rather than iterating
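
The check order listed in the comment above, modelled in Java as an added example that is not part of the comment or of Sakai's code. `RealmStore`, its `userRoles` method, the grant maps and every sample user, role and site are hypothetical stand-ins; the page names `AuthzGroupService.getUserRoles` but does not show its signature.

```java
import java.util.*;

/** Added illustration of the check order; not Sakai's WorksiteAwareAuthorizationFacade. */
public class BatchedRoleAuthz {
    /** Hypothetical stand-in for the realm service; one call models one database query. */
    interface RealmStore {
        Map<String, String> userRoles(String userId, Collection<String> realmIds);
    }
    final Set<String> directGrants = new HashSet<>();  // "user|function|object"
    final Map<String, Map<String, Set<String>>> roleGrants = new HashMap<>();  // "function|object" -> realm -> roles
    final RealmStore store;

    BatchedRoleAuthz(RealmStore store) { this.store = store; }

    boolean isAuthorized(String user, String function, String object) {
        // Step 1: direct user-object grant, checked before any role handling.
        if (directGrants.contains(user + "|" + function + "|" + object)) return true;
        // Step 2: roles permitted for this object/function, keyed by realm.
        Map<String, Set<String>> permitted = roleGrants.getOrDefault(function + "|" + object, Map.of());
        if (permitted.isEmpty()) return false;  // no role can match, so no query is issued
        // Steps 3-4: one batched lookup restricted to realms that grant something.
        for (Map.Entry<String, String> held : store.userRoles(user, permitted.keySet()).entrySet()) {
            Set<String> roles = permitted.get(held.getKey());
            if (roles != null && roles.contains(held.getValue())) return true;
        }
        return false;  // default deny
    }

    public static void main(String[] args) {
        // Constructed sample data: site names, roles and users are invented.
        Map<String, Map<String, String>> memberships = new HashMap<>();
        memberships.put("reviewer", Map.of("/site/portfolio", "Reviewer", "/site/other", "Participant"));
        memberships.put("learner", Map.of("/site/portfolio", "Participant"));
        int[] queries = {0};
        RealmStore store = (u, realms) -> {
            queries[0]++;  // count round trips to the store
            Map<String, String> out = new HashMap<>(memberships.getOrDefault(u, Map.of()));
            out.keySet().retainAll(realms);  // only the realms asked about
            return out;
        };
        BatchedRoleAuthz authz = new BatchedRoleAuthz(store);
        authz.directGrants.add("evaluator|review|form-1");
        authz.roleGrants.put("review|form-1", Map.of("/site/portfolio", Set.of("Reviewer")));
        for (String user : List.of("evaluator", "reviewer", "learner", "stranger")) {
            System.out.println(user + " -> " + (authz.isAuthorized(user, "review", "form-1") ? "allow" : "deny"));
        }
        System.out.println("store queries: " + queries[0]);
    }
}
```

Each decision costs at most one store query regardless of how many sites the user belongs to, and a membership in a realm with no permitted role (the reviewer's `/site/other` entry) never enters the comparison.
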
Comment by Noah Botimer [ 07-May-2010 ]

Verified fix on nightly2:8082 (Oracle 10g) trunk, r77254. SAK-18459 works properly for owner (allow), reviewer (allow site role), external evaluator (allow user-object), site evaluator (allow role-object), admin (allow), other learner (deny), and unaffiliated users (deny).

Comment by Jonathan Cook (Inactive) [ 13-May-2010 ]

2.7.x, r77438 r77439

Comment by Noah Botimer [ 09-Aug-2010 ]

Removing 2.8.0 version as this was released in the initial 2.7.0 version.

Generated at Mon Sep 23 09:59:50 CDT 2019 using Jira 8.0.3#800011-sha1:073e8b433c2c0e389c609c14a045ffa7abaca10d.