Posted to commits@subversion.apache.org by st...@apache.org on 2016/12/21 19:49:57 UTC

svn commit: r1775552 - in /subversion/branches/authzperf: BRANCH-README subversion/libsvn_repos/authz.c

Author: stefan2
Date: Wed Dec 21 19:49:57 2016
New Revision: 1775552

URL: http://svn.apache.org/viewvc?rev=1775552&view=rev
Log:
On the authzperf branch:
Implement the short-cut suggested in the Wiki - use the combined access
rights that the user has on the respective repo and try to answer the
authz request based on that.

This is fairly efficient but currently not as efficient as it could be
since the global authz model can't tell when $authenticated or the default
rules never apply to a specific user.

* BRANCH-README
  (TODO, DONE): Last todo for this branch is done now.

* subversion/libsvn_repos/authz.c
  (authz_user_rules_t): Add field for the global / aggregated access rights.
  (get_user_rules): Set the new field.
  (svn_repos_authz_check_access): Use the new field to short-cut the request
                                  and to not create the filtered tree.

Modified:
    subversion/branches/authzperf/BRANCH-README
    subversion/branches/authzperf/subversion/libsvn_repos/authz.c

Modified: subversion/branches/authzperf/BRANCH-README
URL: http://svn.apache.org/viewvc/subversion/branches/authzperf/BRANCH-README?rev=1775552&r1=1775551&r2=1775552&view=diff
==============================================================================
--- subversion/branches/authzperf/BRANCH-README (original)
+++ subversion/branches/authzperf/BRANCH-README Wed Dec 21 19:49:57 2016
@@ -13,7 +13,6 @@ TODO:
 
 * remove no-op escape sequences from wildcard rule segments
 * implement lookup access rights
-* use a user's accumulated "global" access rights where sufficient
 
 DONE:
 
@@ -44,3 +43,4 @@ DONE:
 * add fast lookup path for in-repository authz files
 * support in-registry authz
 * correct the global <-> per-repo rule precedence to match 1.9 behavior
+* use a user's accumulated "global" access rights where sufficient

Modified: subversion/branches/authzperf/subversion/libsvn_repos/authz.c
URL: http://svn.apache.org/viewvc/subversion/branches/authzperf/subversion/libsvn_repos/authz.c?rev=1775552&r1=1775551&r2=1775552&view=diff
==============================================================================
--- subversion/branches/authzperf/subversion/libsvn_repos/authz.c (original)
+++ subversion/branches/authzperf/subversion/libsvn_repos/authz.c Wed Dec 21 19:49:57 2016
@@ -1388,6 +1388,9 @@ struct authz_user_rules_t
    * May be empty but never NULL for used entries. */
   const char *repository;
 
+  /* The combined min/max rights USER has on REPOSITORY. */
+  authz_rights_t global_rights;
+
   /* Root of the filtered path rule tree.
    * Will remain NULL until the first usage. */
   node_t *root;
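Review bot: The comment on `global_rights` does not state the invariant that the new fast path in svn_repos_authz_check_access relies on. That code grants when `min_access` covers the request and denies when `max_access` does not, in both cases without consulting `root`, so this field decides access rather than merely caching it. I would spell that out, e.g. `/* The combined min/max rights USER has on REPOSITORY: min_access holds on every path, max_access on at least one. Requests are answered from these without ROOT, so both must be conservative bounds. */` (the per-path meaning is inferred from how the shortcut uses the two values and should be confirmed against svn_authz__get_global_rights). The struct definition starts before and ends after this hunk.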
@@ -1455,6 +1458,9 @@ get_user_rules(svn_authz_t *authz,
   authz->filtered->lookup_state = create_lookup_state(pool);
   authz->filtered->root = NULL;
 
+  svn_authz__get_global_rights(&authz->filtered->global_rights,
+                               authz->full, user, repos_name);
+
   return authz->filtered;
 }
 
@@ -1672,6 +1678,31 @@ svn_repos_authz_check_access(svn_authz_t
       (repos_name ? repos_name : AUTHZ_ANY_REPOSITORY),
       user);
 
+  /* In many scenarios, users have uniform access to a repository
+   * (blanket access or no access at all).
+   *
+   * In these cases, don't bother creating or consulting the filtered tree.
+   */
+  if ((rules->global_rights.min_access & required) == required)
+    {
+      *access_granted = TRUE;
+      return SVN_NO_ERROR;
+    }
+
+  if ((rules->global_rights.max_access & required) != required)
+    {
+      *access_granted = FALSE;
+      return SVN_NO_ERROR;
+    }
+
+  /* No specific path given, i.e. looking for anywhere in the tree? */
+  if (!path)
+    {
+      *access_granted =
+        ((rules->global_rights.max_access & required) == required);
+      return SVN_NO_ERROR;
+    }
+
   /* Did we already filter the data model? */
   if (!rules->root)
     SVN_ERR(filter_tree(authz, pool));
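Review bot: The expression in the `if (!path)` branch can never be false, because the check just above it has already returned when `(rules->global_rights.max_access & required) != required`; writing `*access_granted = TRUE;` there says the same thing and makes the grant/deny ordering easier to audit. The first shortcut also grants access before any path rule is consulted, so it is only safe if `min_access` is a true lower bound over every rule that can apply to the user, including the `$authenticated` and default rules the log message mentions; an over-estimate there fails open. A regression test that compares the shortcut's answer with the filtered-tree lookup for the same user, repository and path would pin that down. The body of svn_repos_authz_check_access starts before and continues after this hunk, so how `required` is derived is not visible here.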