Skip to content

GitLab

Merged
Created by Vincent Pelletier@vpelletierOwner

Optimise security group generation performance

Improvements compared to the previous implementation:

  • avoid looking up the user document again, when the PAS plugin already did that job
  • make it possible to call a single script when multiple sources of groups are based on the same documents, avoiding iterating unnecessarily on those same documents multiple times
  • avoid repeating the same membership value (ex: when a user has multiple assignments with a common membership subset)
  • avoid resolving the same relation more than once
  • do not go from document value to relative URL only to go from relative URL back to document value at the next step
  • move security group id extraction to unrestricted python, as the security overhead was taking a large amount of time

In a security setup with 8 scripts (all Assignment-based), 6 base categories, and applied to a user with 4 Assignments (all valid), this implementation is 10 times faster at producing the same group id set as the previous one.

Some more notes:

  • new ERP5 instances will use this new way out of the box (unless the old scripts are installed/created, in which case they take precedence)
  • existing instances upgraded to this code keep using the old scripts, which have to be modified to follow the new API and deleted in order to benefit from the speedup

Here is the mapping:

previous implementation this implementation nature of changes you must do if you customised the previous implementation
ERP5Type_asSecurityGroupId ERP5Type_asSecurityGroupIdSet It depends on how much you customised it. Ideally, you should only have to override it with something like **kw: return context.skinSuper(..., script.id)(key_sort=..., **kw) key_sort argument must be a callable which accepts one positional argument (a dict with base category ids as keys) and returns any iterable returning keys from category_dict - keys which do not appear in category_dict will be silently ignored. If you customised it more, then you should remove relative URL traversal and * detection logic and use the received document values and boolean as replacements.
ERP5Type_getSecurityCategoryMapping ERP5User_getUserSecurityCategoryValueList At the very least calling the script the previous implementation was listing - but you would be missing a big part of the performance gains. At most you should implement new versions of such scripts which support fetching multiple combinations of base categories from a single document, and which returns documents (typically: categories) instead of base-category-relative paths. See getSecurityCategoryValueFromAssignment for an example loading assignments only once.
Edited by Vincent Pelletier
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7