Matt Russell: Optimising local role security

published Oct 29, 2014, last modified Nov 16, 2014

Talk by Matt Russell at the Plone Conference 2014 in Bristol.

This talk is about experimental security indexing.

What is the problem we are trying to solve? On large sites, operations on the sharing tab can take a very long time. The problem involves complex hierarchies and the allowedRolesAndUsers index in the portal_catalog. Depending on the number of objects that are affected, a request can time out or worse.

Local roles can be assigned to any user. They are stored in __acl_local_roles__ on the context and are inherited by default.

For the Plone Intranet Project, we started working on this: Matt Hamilton, Ben Cole, and me.

Various approaches were attempted.

  • Using PAS groups to represent groups of permissions or roles. You then assign users to these groups. This can become a lot of groups, which you would prefer not to see.
  • Implementing a shadow tree as a ZCatalog index: https://github.com/netsight/experimental.localrolesindex This was abandoned, because it was too complex at the wrong level.

Current implementation: https://github.com/netsight/experimental.securityindexing

It patches the reindexObjectSecurity method for each content type. A utility stores a shadow tree, mirroring the live site. It stores a hash of the local roles, which makes sure the security is only reindexed if the local roles change. Some subscribers make sure the tree is kept up to date.

  • Keep shadow tree up to date.
  • Compute hash of local roles.
  • Reindex the main object.
  • Compute hash of local roles again.
  • If the local roles are the same, do nothing more with the children.
  • If applicable, do the same for the children, grandchildren, etc.
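
The steps above as a small Python model. This is an added example, not code from experimental.securityindexing: the Node class, the function names and the dict-based shadow tree and catalog are hypothetical, and hashing the effective (own plus inherited) local roles is an assumption of this model.

```python
import hashlib
import json

class Node:
    """Constructed stand-in for a content object; not a Plone class."""
    def __init__(self, path, local_roles=None, inherit=True):
        self.path = path
        self.local_roles = local_roles or {}   # principal -> list of roles
        self.inherit = inherit                  # False blocks inherited roles
        self.children = []

    def add(self, child):
        self.children.append(child)
        return child

def effective_roles(node, inherited):
    """Merge the node's own local roles with those inherited from its parent."""
    merged = {p: set(r) for p, r in inherited.items()} if node.inherit else {}
    for principal, roles in node.local_roles.items():
        merged.setdefault(principal, set()).update(roles)
    return merged

def roles_hash(roles):
    """Stable digest of a principal -> roles mapping."""
    canonical = json.dumps({p: sorted(r) for p, r in roles.items()}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def reindex_security(node, shadow, catalog, inherited=None):
    """Reindex node, descending only where the stored hash no longer matches.

    shadow maps path -> hash (the shadow tree); catalog maps path -> roles
    and stands in for allowedRolesAndUsers. Returns the paths reindexed.
    """
    roles = effective_roles(node, inherited or {})
    new_hash = roles_hash(roles)
    unchanged = shadow.get(node.path) == new_hash
    catalog[node.path] = roles          # the object itself is always reindexed
    shadow[node.path] = new_hash
    touched = [node.path]
    if unchanged:
        return touched                  # same roles: leave descendants alone
    for child in node.children:
        touched += reindex_security(child, shadow, catalog, roles)
    return touched
```

In this model, a role edit on a descendant that never passes through reindex_security is not picked up by a later reindex higher in the tree, because the unchanged parent hash stops the descent.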

We did benchmarks, showing that this solution is a lot faster, both for Archetypes and Dexterity.

Next phase is to test it extensively on some real world scenarios and sites, and make sure it meets the workspace requirements for Plone Intranet.

Don't go into the ZMI and add local roles there, or do other stuff that Plone does not know about. Don't clear the allowedRolesAndUsers index.

The buildout extends the Plone 4.3 core development buildout and somehow the speed gain is much less; I don't know yet why that is the case.

If you have a project where you have this problem, try it out, for now on a development instance. You can also install the [benchmark] extra, which generates benchmark-at and benchmark-dx scripts to create sample data and time it.

Watch the video of this talk.