Hello,
the access control list in OpenSER is based on group membership checking, which does a database query each time a user's ACL is verified. We are considering optimizing these operations since they are used very often, and propose the following solutions:
1. Load all groups to which a user belongs once per request processing (one database query) and then store some bitmap flags to be used further when doing group checking. At start-up time, some fixups will be made to replace the names with positions in the bitmap.
   - advantages: the old group table structure is used and changes in the script should be minimal
   - disadvantages: after loading all group names, string comparisons are required to set the bitmap
2. Introduce a new column in the subscriber table that stores the ACL bitmap and load it once per request processing.
   - advantages: very fast load and checking; the old version of group membership checking is kept
   - disadvantages: more complex provisioning system
What do you think? Any other ideas?
Daniel
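
Added example, not part of the original message and not OpenSER code: a C sketch of option 1, where a start-up fixup maps group names to bit positions, one load per request builds the bitmap, and each later check is a bit test. All names (`acl_fixup`, `acl_load`, `acl_is_member`, `MAX_GROUPS`) and the sample group rows are hypothetical; the database query is represented by an array of already-fetched group names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 32                       /* one bit per group (assumed limit) */
static const char *group_names[MAX_GROUPS]; /* hypothetical fixup table */
static int group_count;

/* Start-up fixup: map a group name used in the script to a bit position.
 * Returns -1 when the bitmap is full so start-up can fail loudly. */
int acl_fixup(const char *name)
{
    for (int i = 0; i < group_count; i++)
        if (strcmp(group_names[i], name) == 0)
            return i;
    if (group_count == MAX_GROUPS)
        return -1;
    group_names[group_count] = name;
    return group_count++;
}

/* Once per request: convert the rows of the single group query into a bitmap.
 * These are the string comparisons listed as the disadvantage of option 1. */
uint32_t acl_load(const char *const *rows, int nrows)
{
    uint32_t bitmap = 0;
    for (int r = 0; r < nrows; r++)
        for (int i = 0; i < group_count; i++)
            if (strcmp(group_names[i], rows[r]) == 0)
                bitmap |= (uint32_t)1 << i;
    return bitmap;
}

/* Every later check in the same request: no query; a bad position denies. */
int acl_is_member(uint32_t bitmap, int pos)
{
    if (pos < 0 || pos >= group_count)
        return 0;
    return (int)((bitmap >> pos) & 1u);
}

int main(void)
{
    const char *rows[] = { "local", "ld", "premium" }; /* constructed query result */
    int ld = acl_fixup("ld"), intl = acl_fixup("int");
    uint32_t bm = acl_load(rows, 3);
    printf("ld=%d int=%d\n", acl_is_member(bm, ld), acl_is_member(bm, intl));
    return 0;
}
```

Groups returned by the query but never referenced in the script ("premium" and "local" here) set no bit, and a failed fixup position is treated as not a member, so an error in the mapping denies rather than grants.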