[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal: User 'Everybody'

To: uu@total-knowledge.com
Subject: Re: Proposal: User 'Everybody'
From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
Date: Sun, 15 Apr 2007 23:12:23 -0700
Delivered-to: mailing list uu@total-knowledge.com
In-reply-to: <a75bc3cf0704151827s41aea7d5xe675db51c4bdadc1@mail.gmail.com>
Mailing-list: contact uu-help@total-knowledge.com; run by ezmlm
Organization: Total Knowledge
References: <a75bc3cf0704081934p7c55595k56ee75415b160bc2@mail.gmail.com> <46210017.60709@total-knowledge.com> <42812.76.83.147.118.1176611353.squirrel@webmail.total-knowledge.com> <4621E958.2050705@total-knowledge.com> <a75bc3cf0704150624j182c5ad6wa4ff5b3e8cb4b66a@mail.gmail.com> <46224264.7070407@total-knowledge.com> <a75bc3cf0704151642p424c7ecamd5ce94f5608abcf6@mail.gmail.com> <4622BAB7.2030702@total-knowledge.com> <a75bc3cf0704151708q1bf9574ch8059600887e50f41@mail.gmail.com> <4622CA64.3000106@total-knowledge.com> <a75bc3cf0704151827s41aea7d5xe675db51c4bdadc1@mail.gmail.com>
User-agent: Thunderbird 1.5.0.10 (X11/20070312)

Alexey Parshin wrote:
> What we are changing is at least:
>
> 1) Adding group_list table with groups.
> 2) Adding user_to_group table to include user into group
> 3) Changing ACLs from referring to person_list to referring to group_list
>
> The most concern is that instead of simple query to get an ACL like:
>
> SELECT tla_access FROM topic_list_acl
> WHERE tla_person = ? and tla_topic = ?
>
> we would have:
>
> SELECT tla_access FROM topic_list_acl, user_to_group
> WHERE
>     utg_group = tla_group AND utg_person = ?
>     AND tla_topic = ?
>
> Of course, I may make a compound index on (utg_group,utg_person) but
> we still have a join never the less.
>
> Creating a temp table with materialized view of ACLs for that user
> would speed it up, IF we have persistent connection that is controlled
> by the session id. Otherwise - the generation of such temp table may
> slow us down. BUT, if we make this persistent connection, then we
> cannot change user's permission while that user is logged in :(
You know that connection-per-session is no-go.
Now, temp table with only user's groups will speed things up -
if we have to do more then one permission check per request.
Otherwise we'll have to live with joins like above, which, I agree,
sucks. However, these are implementation details, and they still
lack actual numbers. And I still didn't see anything that would
be bad from user's POV.
Another thing temp table may help with is special-casing some groups
(i.e. Everybody).

>
> 2007/4/16, Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com
> <mailto:ilya@total-knowledge.com>>:
>
>     Alexey Parshin wrote:
>     > I think, we're opening a can of worms here.
>     I'd like to hear specifics please :)
>     > Having group-level security slows us down, but what do we have as
>     > advantage?
>     Easier management.  Previously we didn't have any provisions for
>     differentiating
>     between groups of users of objects.
>     > I know how to implement it, it's just little bit strange.
>     What is strange about groups?
>     > So, if you really want it - I'd start changing schema.
>     I am still undecided. If you show me some real problems, I may change
>     my mind. If you can quantify performance impact, it'd help
>     decision-making
>     too.
>     > It also means that I'd have to redo most of the work done for
>     last two
>     > weeks :(
>     Well, things do not change _that_ much - we just replace users with
>     groups in
>     access checking procedures..
>     >
>     > 2007/4/16, Ilya A. Volynets-Evenbakh < ilya@total-knowledge.com
>     <mailto:ilya@total-knowledge.com>
>     > <mailto:ilya@total-knowledge.com
>     <mailto:ilya@total-knowledge.com>>>:
>     >
>     >     Alexey Parshin wrote:
>     >     > I'm reading your e-mails. I just don't see the need to
>     work with
>     >     > single-user groups, at least - I'd prefer not to create such
>     >     groups as
>     >     > a part of user-creation process.
>     >     How do you grant access to individual users then? Create a
>     >     new single-user group every time it's needed?
>     >     > Also, creating a group 'Everybody' would probably simplify a
>     >     > permission search but it would also slow it down. I
>     propose to
>     >     create
>     >     > such group but don't include anyone in there - we can
>     simply assume
>     >     > all the users are there in our SQL.
>     >     So, you want to special-case it? Wouldn't that slow things down
>     >     just as
>     >     well?
>     >     Although.. I guess we could populate groups temp table with
>     group
>     >     Everybody,
>     >     without having data in permanent table.. Hmm.. I'll say -
>     your call..
>     >     >
>     >     > 2007/4/16, Ilya A. Volynets-Evenbakh
>     <ilya@total-knowledge.com <mailto:ilya@total-knowledge.com>
>     >     <mailto:ilya@total-knowledge.com
>     <mailto:ilya@total-knowledge.com>>
>     >     > <mailto: ilya@total-knowledge.com
>     <mailto:ilya@total-knowledge.com>
>     >     <mailto:ilya@total-knowledge.com
>     <mailto:ilya@total-knowledge.com>>>>:
>     >     >
>     >     >     Man, aren't you reading my mails? ;-)
>     >     >     If you need to give access to single individual, you use
>     >     >     their personal group. This avoids having to search
>     through
>     >     >     two tables, thus making code simpler.
>     >     >
>     >     >     Alexey Parshin wrote:
>     >     >     > What's the idea behind a group per person?
>     >     >     >
>     >     >     >
>     >     >     > < http://www.sptk.net>
>     >     >
>     >     >     --
>     >     >     Ilya A. Volynets-Evenbakh
>     >     >     Total Knowledge. CTO
>     >     >     http://www.total-knowledge.com
>     >     >
>     >     >
>     >     >
>     >     >
>     >     > --
>     >     > Alexey Parshin,
>     >     > http://www.sptk.net
>     >
>     >     --
>     >     Ilya A. Volynets-Evenbakh
>     >     Total Knowledge. CTO
>     >     http://www.total-knowledge.com <http://www.total-knowledge.com>
>     >
>     >
>     >
>     >
>     > --
>     > Alexey Parshin,
>     > http://www.sptk.net
>
>     --
>     Ilya A. Volynets-Evenbakh
>     Total Knowledge. CTO
>     http://www.total-knowledge.com
>
>
>
>
> -- 
> Alexey Parshin,
> http://www.sptk.net 

-- 
Ilya A. Volynets-Evenbakh
Total Knowledge. CTO
http://www.total-knowledge.com

Follow-Ups:
- Re: Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>

References:
- Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>
- Re: Proposal: User 'Everybody'
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
- Re: Proposal: User 'Everybody'
  - From: sergey@total-knowledge.com
- Re: Proposal: User 'Everybody'
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
- Re: Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>
- Re: Proposal: User 'Everybody'
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
- Re: Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>
- Re: Proposal: User 'Everybody'
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
- Re: Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>
- Re: Proposal: User 'Everybody'
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>
- Re: Proposal: User 'Everybody'
  - From: "Alexey Parshin" <alexeyp@gmail.com>

Prev by Date: Re: Proposal: User 'Everybody'
Next by Date: Re: Proposal: User 'Everybody'
Previous by thread: Re: Proposal: User 'Everybody'
Next by thread: Re: Proposal: User 'Everybody'
Index(es):
- Date
- Thread

UniverseUniversity

uu

Re: Proposal: User 'Everybody'