jackrabbit-users mailing list archives

From: Torgeir Veimo <torg...@pobox.com>
Subject: Re: Authorization with ACL and permissions
Date: Thu, 27 Sep 2007 11:09:51 GMT

On Thu, 2007-09-27 at 12:51 +0200, Paco Avila wrote:
> On Wed, 26-09-2007 at 21:22 -0700, bilobag wrote:
> > We have decided that our client requires user based authentication for our
> > app.  Now I've seen some posts about people storing an acl list in each
> > node.  However, I am wondering how the performance is for this.  We
> > originally wanted to use a database with hibernate to manage the user node
> > permissions, but it seems like it could be a performance issue considering
> > that we may have to do inserts for hundreds of rows per node (number of
> > users x number of permissions).  I think this would cause a significant
> > performance issue.  If I were to do the same in jackrabbit and store these
> > user permissions in each node, would this be a performance issue?  Is this
> > the recommended method of storing user node permissions?  I currently am
> > using jackrabbit backed by an oracle database.  Any advice is appreciated
> > since we've been discussing this issue for a week now.  Thanks.
> 
> In OpenKM we store user and role in a special node type:
> 
> [mix:accessControlled]
> - okm:authUsersRead (string) multiple mandatory 
> - okm:authUsersWrite (string) multiple mandatory 
> - okm:authRolesRead (string) multiple mandatory 
> - okm:authRolesWrite (string) multiple mandatory 

Just to chime in... We have the following node type defs for ACLs:

[nen:ace]
- nen:principal (string) mandatory
- nen:action (string) mandatory multiple
- nen:negative (boolean) mandatory

[nen:protected] > mix:referenceable mixin orderable
- nen:owner (string) mandatory multiple
+ *(nen:ace)=nen:ace multiple

Since nen:protected is referenceable, you can have a cache with uuid as
key for these, and look up in your AccessManager.


Note that ACL support is being standardized in the next version of JCR,
so you might want to align whatever node type definitions you make with
what is coming, to make the transition easier.

-- 
-Tor
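
An added sketch, not part of the original message and not Jackrabbit or project code, of the UUID-keyed ACL cache described above, modelled in plain Java (16+ for records). The evaluation rule (owners pass, the first matching nen:ace in child order decides, no match denies), the `loader` callback and all class and method names are assumptions; the message does not specify them.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/** Hypothetical in-memory model of nen:protected / nen:ace, cached by node UUID. */
public class AclCache {
    record Ace(String principal, Set<String> actions, boolean negative) {} // one nen:ace child
    record Acl(Set<String> owners, List<Ace> entries) {}                   // one nen:protected node

    private final Map<String, Acl> byUuid = new ConcurrentHashMap<>();
    private final Function<String, Acl> loader; // assumption: reads the ACL node from the repository

    AclCache(Function<String, Acl> loader) { this.loader = loader; }

    /** Assumed semantics: owners always pass, first matching entry decides, no match denies. */
    boolean isGranted(String uuid, Set<String> principals, String action) {
        Acl acl = byUuid.computeIfAbsent(uuid, loader);
        if (acl == null) return false;                       // unknown node: deny
        if (!Collections.disjoint(acl.owners(), principals)) return true;
        for (Ace ace : acl.entries()) {                      // child order matters (orderable)
            if (principals.contains(ace.principal()) && ace.actions().contains(action)) {
                return !ace.negative();
            }
        }
        return false;                                        // default deny
    }

    /** Call whenever the nen:protected node or one of its nen:ace children changes. */
    void invalidate(String uuid) { byUuid.remove(uuid); }

    public static void main(String[] args) {
        // Constructed sample data standing in for repository content.
        Map<String, Acl> repo = new HashMap<>();
        String uuid = "00000000-0000-0000-0000-000000000001";
        repo.put(uuid, new Acl(Set.of("alice"), List.of(
                new Ace("bob", Set.of("write"), true),               // negative entry, listed first
                new Ace("staff", Set.of("read", "write"), false)))); // grant for a role
        AclCache cache = new AclCache(repo::get);
        Set<String> who = Set.of("bob", "staff");
        System.out.println("read:  " + cache.isGranted(uuid, who, "read"));
        System.out.println("write: " + cache.isGranted(uuid, who, "write"));
        repo.put(uuid, new Acl(Set.of("alice"), List.of())); // ACL emptied in the repository
        System.out.println("read before invalidate: " + cache.isGranted(uuid, who, "read"));
        cache.invalidate(uuid);
        System.out.println("read after invalidate:  " + cache.isGranted(uuid, who, "read"));
    }
}
```

Until `invalidate` runs, the cache keeps honouring a grant that has already been removed from the repository, so the cache has to be tied to change notifications on the ACL nodes.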

