[Users] users acl

Bogdan-Andrei Iancu bogdan at voice-system.ro
Sat Jul 16 12:27:40 CEST 2005


Hi Daniel,

The major drawback of the current ACL implementation is the number of DB 
queries required for checking the membership of a user in certain groups.
In most real-life scenarios, there are more than 4-5 groups (e.g. 
disabled, voicemail, GW access, other service access) - which means for 
each INVITE you will have like 2-3 DB queries; and that's only for ACLs!!

So, a new design which will reduce the number of queries is welcome 
(even required).

Even if it's more radical, I will go for option no. 2:
    groups will be kept all together as a bit mask (32 groups should be 
ok), either in a grp table or in the subscribers table
    the mask may be loaded (in an AVP??) at auth (no extra query) or on 
request (only one query for all of them); during all script processing, 
any group may be tested as many times as wanted without any penalties; also 
bitwise checks will be faster than string ones.
    for provisioning and script fixing purposes, a second table will 
keep the association between each group name and its bit mask; at 
OpenSER startup, the group name will be converted to a bit mask.

Ex:
    grp_definition
        voicemail , 0x01
        PSTN , 0x02
        conference, 0x04

    grp (subscriber)
       userx,  0x03     (voicemail and PSTN)
       usery,  0x05     (voicemail and conference)


regards,
bogdan

Daniel-Constantin Mierla wrote:

> Hello,
>
> the access control list in openser is based on group membership 
> checking, which does a database query each time a user's ACL is 
> verified. We are considering optimizing these operations since they 
> are used very often, and propose the following solutions:
>
> 1. Load all groups to which a user belongs once per request processing 
> (one database query) and then store some bitmap flags to be used 
> further when doing group checking. At start-up time, some fixups will 
> be made to replace the names with positions in the bitmap
> - advantages: the old group table structure is used and changes in 
> script should be minimal
> - disadvantages: after loading all group names, string comparisons are 
> required to set the bitmap
>
> 2. Introduce a new column in the subscriber table that stores the ACL 
> bitmap and load it once per request processing
> - advantages: very fast load and checking -- old version of group 
> membership checking is kept
> - disadvantages: more complex provisioning system
>
> What do you think? Any other idea?
>
> Daniel
>
>
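
A sketch of the bit-mask scheme proposed in the reply above, added here as an example; it is not code from the thread or from OpenSER. The function names grp_fixup, load_user_mask and acl_has_groups are hypothetical, and the in-memory tables stand in for the grp_definition and grp tables, using the values from the message's example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* grp_definition rows from the example in the message (name -> bit). */
struct grp_def { const char *name; uint32_t bit; };
static const struct grp_def grp_definition[] = {
    { "voicemail", 0x01 }, { "PSTN", 0x02 }, { "conference", 0x04 },
};

/* Startup-time fixup (hypothetical name): resolve a group name used in the
 * script to its bit. Returns 0 for an unknown name so the caller can refuse
 * to start rather than run with a misspelled ACL test. */
uint32_t grp_fixup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(grp_definition) / sizeof(grp_definition[0]); i++)
        if (strcmp(grp_definition[i].name, name) == 0)
            return grp_definition[i].bit;
    return 0;
}

/* Constructed stand-in for the single per-request load of the user's mask
 * (the grp/subscriber rows from the message); in production one DB query. */
uint32_t load_user_mask(const char *user)
{
    static const struct { const char *user; uint32_t mask; } grp[] = {
        { "userx", 0x03 },  /* voicemail and PSTN */
        { "usery", 0x05 },  /* voicemail and conference */
    };
    size_t i;
    for (i = 0; i < sizeof(grp) / sizeof(grp[0]); i++)
        if (strcmp(grp[i].user, user) == 0)
            return grp[i].mask;
    return 0;  /* unknown user: member of no group */
}

/* Per-request check: one AND, no DB access. A zero required mask
 * (failed fixup) is always denied, so the check fails closed. */
int acl_has_groups(uint32_t user_mask, uint32_t required)
{
    return required != 0 && (user_mask & required) == required;
}

int main(void)
{
    uint32_t pstn = grp_fixup("PSTN");
    printf("userx PSTN: %d\n", acl_has_groups(load_user_mask("userx"), pstn));
    printf("usery PSTN: %d\n", acl_has_groups(load_user_mask("usery"), pstn));
    return 0;
}
```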




