Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-7870

Reduce permission store lookups for empty principal sets



    • Type: Improvement
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.10.0, 1.9.10
    • Component/s: core, security
    • Labels:


      In the case of empty principal sets in the session (no user principals or no group principals in the session) it can happen that a check for read access will trigger a full traversal up the tree to the root node.

      Example: A session based on a principal set P = [u0, g0] (u0 is a user, g0 is a group) tries to load a path /p0/p1/p2/p3.
      The evaluation will be:

      • first the set P is split in 2 parts by users/groups (X set of user principals, Y set of group principals)
      • first for X (user principals), walk up the tree from the current path until there is a relevant entry (or root node)
      • if nothing was found try again with Y (group principals) up to a relevant entry or root node
      • if X or Y is empty the evaluation will use an empty flag in the PermissionEntryProviderImpl which will return empty lists.

      The trouble is that with en empty sets X or Y there is not a clear distinction between 'no principals' and 'no entries' so it can happen that there is a traversal happening from the current path up to root. This can be bypassed by using a null PermissionEntryProvider instead of the empty version.

      The chances that this happens are pretty small, so I'm marking the issue as a trivial improvement.


        1. OAK-7870.patch
          3 kB
          Alex Deparvu



            • Assignee:
              stillalex Alex Deparvu
              stillalex Alex Deparvu
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: