4 Replies Latest reply on Nov 10, 2008 7:08 PM by Georges Berscheid

    PermissionStore and performance

    Marco Röösli Newbie

      I have a question about the performance from the PermissionStore. Dose it metter if there are millions of rule entrys in the store?
      Is there a maxium limit for the count of the rules? Is the performance depnding on the database? Is the store caching some rules in the memory?


      I guess if the rules will be cached in the memory it would be a problem with the memory (out of memory) right?


      I planed to use the PermissionStore for millions of entrys can this bring a problem? Should I have a look on something or is this a bad idea?


      thx for your feedback


      greetz Marco

        • 1. Re: PermissionStore and performance
          Shane Bryzak Master

          As long as your tables are indexed correctly it should be quite performant.  The most important field that should be indexed is the permission target.

          • 2. Re: PermissionStore and performance
            Georges Berscheid Newbie

            Hi,


            I'm having a similar question regarding performance, especially with a lot of permissions and targets. I'm looking at 2 different scenarios from the seam-space example.


            1) org.jboss.seam.example.seamspace.PictureSearch.loadMemberPictures()

            If I understand correctly, what this method does, is retrieve all the pictures of that particular member, and then filter the list according to the permissions for the current user looking at the pictures (Identity.instance().filterByPermission(memberImages, "view")). The filtering is not done using any backend database queries, but using Java code iterating through the entire list returned by the database. Now, if the member has 10.000 pictures uploaded, but the current user only has permission to view 5 of them, we still have to retrieve all the 10.000 images from the database.



            2) org.jboss.seam.example.seamspace.ImagePermission.editPermission()

            In order to change the permissions for a particular user (recipient) for a particular picture (target), the method first retrieves all the permissions for the target (including those for other recipients / using permissionManager.listPermissions(target)) and then 'manually' filters the ones out that match the recipient we're interested in.


            I know that seam-space is just an example application, but on the other side I didn't find an obvious way using the API to do the same more efficiently.


            Any ideas?


            Thanks a lot,

            Georges

            • 3. Re: PermissionStore and performance
              Shane Bryzak Master

              1) org.jboss.seam.example.seamspace.PictureSearch.loadMemberPictures()

              If I understand correctly, what this method does, is retrieve all the pictures of that particular member, and then filter the list according to the permissions for the current user looking at the pictures (Identity.instance().filterByPermission(memberImages, "view")). The filtering is not done using any backend database queries, but using Java code iterating through the entire list returned by the database. Now, if the member has 10.000 pictures uploaded, but the current user only has permission to view 5 of them, we still have to retrieve all the 10.000 images from the database.


              Unfortunately there's no easy way to incorporate permission filters into a database query like this.  Permissions may be granted either directly to a user or indirectly through a user's role membership, and permission actions can either be stored as a concatenated list of string values, or as a bitmasked values, both of which are difficult to express in a parameterized query.



              2) org.jboss.seam.example.seamspace.ImagePermission.editPermission()

              In order to change the permissions for a particular user (recipient) for a particular picture (target), the method first retrieves all the permissions for the target (including those for other recipients / using permissionManager.listPermissions(target)) and then 'manually' filters the ones out that match the recipient we're interested in.


              The problem with having a listPermissions() method that takes the permission recipient as a parameter is once again because permissions can be assigned indirectly via a user's role memberships.  Perhaps an alternative method called listGrantedPermissions() might be more suitable for returning a list of permissions explicitly granted to a specific recipient.  However, my take on this is that since you're already hitting the database anyway, the fact that you're getting a list of all permission recipients isn't that much of a performance hit.  And if you've got permissions for a single object assigned to more than a small set of recipients then possibly a rule-based permission might be more suitable (this of course this depends on the use-case).


              In any case, if you think a listGrantedPermissions() method might be useful, please raise a feature request in JIRA.

              • 4. Re: PermissionStore and performance
                Georges Berscheid Newbie

                Hi Shane,


                thanks a lot for the comments. I'll try and go figure out how to combine store-based and rule-base permissions in my application.


                Cheers,
                Georges