[
https://issues.apache.org/jira/browse/OAK-7870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Deparvu updated OAK-7870:
------------------------------
Component/s: security, core
> Reduce permission store lookups for empty principal sets
> --------------------------------------------------------
>
> Key: OAK-7870
> URL: https://issues.apache.org/jira/browse/OAK-7870
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security
> Reporter: Alex Deparvu
> Assignee: Alex Deparvu
> Priority: Trivial
> Fix For: 1.10, 1.9.10
>
>
> In the case of empty principal sets in the session (no user principals or no
> group principals in the session) it can happen that a check for read access
> will trigger a full traversal up the tree to the root node.
> Example: A session based on a principal set P = [u0, g0] (u0 is a user, g0 is
> a group) tries to load a path /p0/p1/p2/p3.
> The evaluation will be:
> * first the set P is split in 2 parts by users/groups (X set of user
> principals, Y set of group principals)
> * first for X (user principals), walk up the tree from the current path
> until there is a relevant entry (or root node)
> * if nothing was found try again with Y (group principals) up to a relevant
> entry or root node
> * if X or Y is empty the evaluation will use an empty flag in the
> PermissionEntryProviderImpl which will return empty lists.
> The trouble is that with an empty set X or Y there is not a clear
> distinction between 'no principals' and 'no entries' so it can happen that
> there is a traversal happening from the current path up to root. This can be
> bypassed by using a null PermissionEntryProvider instead of the empty version.
> The chances that this happens are pretty small, so I'm marking the issue as a
> trivial improvement.
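The evaluation order described in the issue, as an added example that is not Oak's code and not part of the original message: a simplified Java model that counts provider calls while walking from /p0/p1/p2/p3 towards the root. All class, method and field names are hypothetical, and the access control entry is constructed sample data.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the evaluation described in OAK-7870; names are hypothetical, not Oak's API.
public class EmptyPrincipalSetModel {
    static int calls = 0; // provider calls made during one evaluation

    interface EntryProvider { List<String> entries(String path); }

    // Provider backed by constructed sample data (path -> entries for the principals).
    static EntryProvider backedBy(Map<String, List<String>> store) {
        return path -> { calls++; return store.getOrDefault(path, List.of()); };
    }

    // "Empty flag" behaviour from the issue: answers every path with an empty list.
    static final EntryProvider EMPTY = path -> { calls++; return List.of(); };

    static String parent(String path) {
        int i = path.lastIndexOf('/');
        return i <= 0 ? "/" : path.substring(0, i);
    }

    // Walk up from path until a relevant entry or the root; null means "no principals".
    static List<String> firstRelevant(EntryProvider p, String path) {
        if (p == null) return List.of();
        for (String cur = path; ; cur = parent(cur)) {
            List<String> found = p.entries(cur);
            if (!found.isEmpty() || cur.equals("/")) return found;
        }
    }

    // User principals (X) first, then group principals (Y) if nothing was found.
    static int evaluate(EntryProvider users, EntryProvider groups, String path) {
        calls = 0;
        if (firstRelevant(users, path).isEmpty()) firstRelevant(groups, path);
        return calls;
    }

    public static void main(String[] args) {
        // Constructed session: no user principals, one group principal g0 with an entry on /p0/p1.
        EntryProvider groups = backedBy(Map.of("/p0/p1", List.of("g0 allow jcr:read")));
        String path = "/p0/p1/p2/p3";
        System.out.println("empty provider for X: " + evaluate(EMPTY, groups, path) + " calls");
        System.out.println("null provider for X:  " + evaluate(null, groups, path) + " calls");
    }
}
```

In the first run the empty user set is still walked through all five levels up to the root before the group entries are consulted; with a null provider that walk is skipped and only the group lookups remain.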