Hi Daniel,
The major drawback of the current ACL implementation is the number of DB
queries required for checking the membership of a user in certain groups.
In most real-life scenarios, there are more than 4-5 groups (e.g.
disabled, voicemail, GW access, other service access), which means for
each INVITE you will have like 2-3 DB queries; and that's only for ACLs!!
So, a new design which will reduce the number of queries is welcome
(even required).
Even if it's more radical, I will go for option nr 2:
- groups will be kept all together as a bit mask (32 groups should be
  ok), either in a grp table or in the subscribers table
- the mask may be loaded (in an AVP??) at auth (no extra query) or on
  request (only one query for all of them); during all script processing,
  any group may be tested as many times as wanted without any penalties;
  also bitwise checks will be faster than string ones.
- for provisioning and script fixing purposes, a second table will
  keep the association between each group name and its bit mask; at
  OpenSER startup, the group name will be converted to a bit mask.
Ex:

grp_definition
    voicemail,  0x01
    PSTN,       0x02
    conference, 0x04

grp (subscriber)
    userx, 0x03 (voicemail and PSTN)
    usery, 0x05 (voicemail and conference)

regards,
bogdan
Daniel-Constantin Mierla wrote:
Hello,
the access control list in openser is based on group membership
checking, which does a database query each time a user's ACL is
verified. We are considering optimizing these operations since they
are very often used, and propose the following solutions:
1. Load all groups to which a user belongs once per request processing
(one database query) and then store some bitmap flags to be used
further when doing group checking. At startup time, some fixups will
be made to replace the names with positions in the bitmap
- advantages: the old group table structure is used and changes in
script should be minimal
- disadvantages: after loading all group names, string comparisons are
required to set the bitmap
2. Introduce a new column in the subscriber table that stores the ACL
bitmap and load it once per request processing
- advantages: very fast load and checking -- old version of group
membership checking is kept
- disadvantages: more complex provisioning system
What do you think? Any other idea?
Daniel
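
The bit-mask scheme discussed in this thread, as an added C example that is not part of either message and is not OpenSER code. The function names (grp_validate, grp_fixup, grp_check) are hypothetical, the table contents are the sample values from the example above, and denying on an unknown group name is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample data copied from the grp_definition example in the thread. */
struct grp_def { const char *name; uint32_t mask; };
static const struct grp_def grp_definition[] = {
    { "voicemail",  0x01 },
    { "PSTN",       0x02 },
    { "conference", 0x04 },
};
#define N_DEFS (sizeof(grp_definition) / sizeof(grp_definition[0]))

/* Startup check (hypothetical): each definition must be exactly one bit
 * and no two groups may share a bit, otherwise membership in one group
 * would silently grant another. Returns 0 when valid, -1 otherwise. */
static int grp_validate(const struct grp_def *defs, size_t n) {
    uint32_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = defs[i].mask;
        if (m == 0 || (m & (m - 1)) != 0 || (seen & m) != 0)
            return -1;
        seen |= m;
    }
    return 0;
}

/* Script fixup (hypothetical): resolve a group name to its mask once,
 * at startup. Returns 0 for an unknown name so the caller can refuse it. */
static uint32_t grp_fixup(const char *name) {
    for (size_t i = 0; i < N_DEFS; i++)
        if (strcmp(grp_definition[i].name, name) == 0)
            return grp_definition[i].mask;
    return 0;
}

/* Per-request check: one AND, no query. A zero group mask (failed fixup)
 * is denied; without that test it would match every subscriber. */
static int grp_check(uint32_t user_mask, uint32_t grp_mask) {
    return grp_mask != 0 && (user_mask & grp_mask) == grp_mask;
}

int main(void) {
    uint32_t userx = 0x03, usery = 0x05; /* masks from the grp example */
    if (grp_validate(grp_definition, N_DEFS) != 0)
        return 1;
    printf("userx in PSTN: %d\n", grp_check(userx, grp_fixup("PSTN")));
    printf("usery in PSTN: %d\n", grp_check(usery, grp_fixup("PSTN")));
    return 0;
}
```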