[Registry-dev] Re: UserManager Registry Merge Status

Chathura C. Ekanayake chathura at wso2.com
Mon Mar 3 07:40:48 PST 2008 

Currently each resource path is checked for permissions before exposing 
it out from the Registry interface. User manager API call is done to 
perform this permission check. It may appear that we can avoid this API 
call and execute a single SQL statement to get authorized resources 
after merging the databases. It would be possible is permissions are 
only based on users. But there are some algorithms executed in the user 
manager to determine the permissions based on users, roles and 
configuration parameters (prioritize allow or deny). It is very hard (if 
not impossible) to implement all these algorithms in SQL. So I think we 
can't gain performance increase by using combined SQLs to check permissions.

But as Dimuthu, Channa and I discussed, the performance issue of Mooshup 
shouldn't be caused by checking permissions. Number of users does not 
affect the permission tables and performance of checking permissions. 
Krishantha is doing a performance test on Registry by adding large 
number (> 150) of users. We will be able to determine the cause of the 
problem by profiling the Mooshup and the Registry.

Thanks,
Chathura

Dimuthu Leelarathne wrote:
> Hi All,
>
> I have moved all the usermanager code into the registry and updated
> Mashup.
>
> We have left couple of major things to do,
>
> -implement the the foreign key constraints on the registry
> (this is to be done as soon as handlers problem is fixed)
>
> -implement the hybrid realm - I can start right away
>
> We have observed that Mooshup performance decrease when the number of
> users increase. 
>
> Current Implementation
> =====================
> Given the resource_id, user_id and action, we ask from the API whether
> there are permissions. 
> The algorithm complexity is linear on the number of Roles[1]. As the
> number of roles in user increases, it will consume more time. But in
> Mooshup number of roles per user has not increased.
>
> Another Implementation
> ======================
> We have resource_id and action. We can load all the users and roles
> allowed to perform the action on resource_id.
>
> We have decided to do a profiling test. Maybe a caching technique needs
> to be implemented.
>
> Regards,
> Dimuthu
>
>
> [1]
> if(user has permission){
> 	return;
> }else{
>   for all users in the role{
> 	check role has permission
>   }	
>
> }
>
>
>

More information about the Registry-dev mailing list