You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Alex Deparvu (JIRA)" <ji...@apache.org> on 2018/11/01 08:30:00 UTC

[jira] [Created] (OAK-7870) Reduce permission store lookups for empty principal sets

Alex Deparvu created OAK-7870:
---------------------------------

             Summary: Reduce permission store lookups for empty principal sets
                 Key: OAK-7870
                 URL: https://issues.apache.org/jira/browse/OAK-7870
             Project: Jackrabbit Oak
          Issue Type: Improvement
            Reporter: Alex Deparvu
            Assignee: Alex Deparvu


In the case of empty principal sets in the session (no user principals or no group principals in the session) it can happen that a check for read access will trigger a full traversal up the tree to the root node.

Example: A session based on a principal set P = [u0, g0] (u0 is a user, g0 is a group) tries to load a path /p0/p1/p2/p3.
The evaluation will be:
 * first the set P is split in 2 parts by users/groups (X set of user principals, Y set of group principals)
 * first for X (user principals), walk up the tree from the current path until there is a relevant entry (or root node)
 * if nothing was found try again with Y (group principals) up to a relevant entry or root node
 * if X or Y is empty the evaluation will use an empty flag in the PermissionEntryProviderImpl which will return empty lists.

The trouble is that with en empty sets X or Y there is not a clear distinction between 'no principals' and 'no entries' so it can happen that there is a traversal happening from the current path up to root. This can be bypassed by using a null PermissionEntryProvider instead of the empty version.

The chances that this happens are pretty small, so I'm marking the issue as a trivial improvement.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)