Forum OpenACS Development: Thread-only permissions caching

Collapse
1: Thread-only permissions caching
Posted by Lars Pind on 11/25/03 01:02 PM
I looked into caching permission checks in a global variable, so it's only cached within a single thread.

It's cheap and safe, because permissions typically don't change within a single thread, so we don't have the complications with flushing the cache.

On the other hand, it doesn't help all that much. Anecdotal evidence suggests only about one to three permission checks on a typical page are redundant (read/admin on main site).

Is this something I should put in on HEAD? Or are there other permissions improvement schemes in the works?

A related question: On the subsite index page, I currently get the list of packages and subsites using the site-map, then do individual calls to permission::permission_p to check if the user has read on them.

Would it be better to rewrite this as a single query that queries the site-map and does permission_p in the where clause?

/Lars

Collapse
2: Re: Thread-only permissions caching (response to 1)
Posted by Lars Pind on 11/25/03 01:11 PM
An alternative scheme would be cache permissions in an nsv, but flush the entire thing on any permissions grant/revoke. Wait, it would also have to be flushed on any group membership change.

Would that cover it? It should still be an improvement over what we have today.

We also talked about caching permissions for 'read' for The Public and Registered Users specifically. Or 'read' for Public and Registered on all packages, at least. What's the status on that?

/Lars

Collapse
3: Re: Thread-only permissions caching (response to 2)
Posted by Jeff Davis on 11/25/03 01:28 PM
I don't think permissions caching is really worth it with the changes Don made (typical times for a perm check are on the order of a few ms) and getting it right is pretty hard since a lot of group manipulation does not go through a tcl api.

Caching read for public probably does make sense though; Don talked about doing this but I don't know if there is any code anywhere for it.

And yes, you should use the permissions view in the subsites/packages query rather than issuing queries after the fact.

Collapse
4: Re: Thread-only permissions caching (response to 3)
Posted by Lars Pind on 11/25/03 01:47 PM
Joining with acs_permissions_all view is the preferred way to go?

/Lars

Collapse
5: Re: Thread-only permissions caching (response to 1)
Posted by Don Baccus on 11/25/03 09:24 PM
acs_object_party_privilege_map or whatever the heck it is called is what you should join against - look for examples with grep elsewhere that use "exists" to check that the correct permission exists for the semantics you're trying to enforce with your query.

Calling permission_p from the Tcl level for each row is bound to be the slowest approach.

General rule of thumb:

1. To return permissions a user has on an object, call permission_p in the query for each row returned.  In other words, to return (say) "admin_p" for an object a user has read perm on.

2. To restrict a query to return rows restricted by a permission check, use an "exists" clause as described above.

NEVER call permission_p in the where clause of your query.  NEVER.  Too slow.