Perform user.getEffectiveGroups() less eagerly

Most of the time we used the following pattern to check if a user is
a member of one of the given groups:

  user.getEffectiveGroups().containsAnyOf(groups)

The getEffectiveGroups used to eagerly fetch all groups this user
belongs to from all registered group backends. This also included
recursive expansion of all LDAP groups this user is a member of. Even
if the set of given groups consisted only of local Gerrit groups
the code above would still first fetch from all known group backends.
This was particularly bad when using LDAP for user authentication but
not using the LDAP groups otherwise. In large corporate setups a user
could be a member of hundreds of LDAP groups which would all
unnecessarily be fetched just to verify if the user is a member of a
local group.

Introduce the:

  GroupBackend.memberOfAny(user, groups)

to enable a more lazy implementation. The UniversalGroupBackend will
first partition the groups based on their group backends and then only
fetch groups from the involved backends. For an LDAP based Gerrit
instance which doesn't make use of LDAP groups this would effectively
avoid fetching of the LDAP groups for this user.

In our corporate setup this reduces the data transferred between the LDAP
server and a Gerrit instance from 250KB down to 6KB, per user.

Change-Id: I6e3027381cbf4cace454fa0cb9bfc725a2f452fa
Saša Živkov
2015-02-09 13:20:28 +01:00
committed by Edwin Kempin
parent c81291fde0
commit f7569d0cb2
18 changed files with 115 additions and 28 deletions
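
The partition-then-fetch idea from the commit message, as an added example that is not code from this commit or from Gerrit: it compares the eager check with a lazy `memberOfAny` and counts backend fetches to show that both give the same authorization answer. The `Backend` interface, `MapBackend`, the `local:` prefix and the sample user and groups are hypothetical stand-ins constructed for the illustration; only the `ldap/` prefix appears on the page.

```java
import java.util.*;
// Added illustration; the types below are simplified stand-ins, not Gerrit's classes.
public class LazyMembershipDemo {
  interface Backend {
    boolean handles(String groupId);    // does this backend own the group id?
    Set<String> groupsOf(String user);  // expensive: may mean an LDAP round trip
  }

  static class MapBackend implements Backend {
    final String prefix; final Map<String, Set<String>> data; int fetches = 0;
    MapBackend(String prefix, Map<String, Set<String>> data) { this.prefix = prefix; this.data = data; }
    public boolean handles(String g) { return g.startsWith(prefix); }
    public Set<String> groupsOf(String user) { fetches++; return data.getOrDefault(user, Set.of()); }
  }

  // Eager pattern: every backend is queried before the intersection is tested.
  static boolean eager(List<? extends Backend> backends, String user, Set<String> wanted) {
    Set<String> all = new HashSet<>();
    for (Backend b : backends) all.addAll(b.groupsOf(user));
    return !Collections.disjoint(all, wanted);
  }

  // Lazy pattern: partition the wanted groups by owning backend, query only those.
  static boolean memberOfAny(List<? extends Backend> backends, String user, Set<String> wanted) {
    Map<Backend, Set<String>> byBackend = new LinkedHashMap<>();
    for (String g : wanted) {
      for (Backend b : backends) {
        if (b.handles(g)) { byBackend.computeIfAbsent(b, k -> new HashSet<>()).add(g); break; }
      }
      // A group id that no backend handles lands in no partition, so it never matches.
    }
    for (Map.Entry<Backend, Set<String>> e : byBackend.entrySet()) {
      if (!Collections.disjoint(e.getKey().groupsOf(user), e.getValue())) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed sample data: alice is in one local group and two LDAP groups.
    MapBackend local = new MapBackend("local:", Map.of("alice", Set.of("local:admins")));
    MapBackend ldap = new MapBackend("ldap/", Map.of("alice", Set.of("ldap/cn=eng", "ldap/cn=all")));
    List<MapBackend> backends = List.of(local, ldap);
    Set<String> wanted = Set.of("local:admins", "local:release");
    boolean e = eager(backends, "alice", wanted);
    int ldapAfterEager = ldap.fetches;
    boolean l = memberOfAny(backends, "alice", wanted);
    // Both checks must agree; only the number of LDAP fetches should differ.
    System.out.println(e + " " + l + " ldapFetches eager=" + ldapAfterEager + " lazy=" + (ldap.fetches - ldapAfterEager));
  }
}
```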

@@ -29,7 +29,7 @@ import com.google.gerrit.reviewdb.client.AccountExternalId;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.GroupBackend;
import com.google.gerrit.server.account.AbstractGroupBackend;
import com.google.gerrit.server.account.GroupMembership;
import com.google.gerrit.server.account.ListGroupMembership;
import com.google.gerrit.server.auth.ldap.Helper.LdapSchema;
@@ -59,7 +59,7 @@ import javax.security.auth.login.LoginException;
/**
* Implementation of GroupBackend for the LDAP group system.
*/
public class LdapGroupBackend implements GroupBackend {
public class LdapGroupBackend extends AbstractGroupBackend {
private static final Logger log = LoggerFactory.getLogger(LdapGroupBackend.class);
private static final String LDAP_NAME = "ldap/";
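
Review bot: The class declaration now reads `extends AbstractGroupBackend` instead of `implements GroupBackend`, so whatever `memberOfAny` behaviour LdapGroupBackend ends up with is inherited from a base class these lines don't show. Since this method decides group-based access, please state in the class Javadoc (which still only says "Implementation of GroupBackend") that the membership check comes from AbstractGroupBackend, and whether asking about an `ldap/` group still triggers the full recursive expansion described in the commit message. A test asserting that the inherited check returns the same result as the old `getEffectiveGroups().containsAnyOf(groups)` pattern for LDAP groups would guard against an authorization regression.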