complex ACL and performance impact?

cancel
Showing results for 
Search instead for 
Did you mean: 
LiamMichael
Member II

complex ACL and performance impact?

Hello,

I have rather complex requirements for access rights, it will end up with lots of groups and users assigned to the node (folder) without inheritng permissions. I wonder will it affect search and retreival performance? It seems to work fine in dev environemnt with small number of folders and limited number of groups but I would like to know what happens when repository starts to grow? I am worried that permision evaluation may impact performance.

Is there any general recomendation to stay on the safe side?

Thank you!

3 Replies
abhinavmishra14
Moderator
Moderator

Re: complex ACL and performance impact?

"It is a best practice to not break the inheritance as much as possible"

It will eventually impact the search performance as your list grows. Limiting number of users to a group and add groups may be helpful in your case. You should prefer to do a round testing with N set of users/groups and measure the impact before deciding to take this approach to production system. 

Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. 

 @angelborroy   @afaust  Can provide better details

 

~Abhinav
(ACSCE, AWS SAA-C02, GAIQ)
luca_ow
Active Member

Re: complex ACL and performance impact?

Hi @abhinavmishra14, could you please explain me better what you mean by "Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. "? How to identify this kind of problems?

I am in a similar situation: a lot of users/groups and low inheritance usage (Alfresco 5.2 instance with about 7 milion nodes).

Often the customer contacts us because some documents are not available in search results (Solr query).
The same query run as "admin" retrives all the expected results; it looks like the "bad" nodes are indexed but there is something wrong with ACL in Solr.

Reindexing a specific node by nodeId (https://localhost:8443/solr4/admin/cores?action=REINDEX&nodeid={nodeid}) or txid (https://localhost:8443/solr4/admin/cores?action=REINDEX&txid={txid}) solves the problem.

No errors in solr (or Alfresco) logs.

Many thanks

abhinavmishra14
Moderator
Moderator

Re: complex ACL and performance impact?

Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. "  --> When you a lot of folders/files where you have disabled the permission inheritance, then it would degrade the performance of queries

It is recommended to make more and more use of groups in this situation and add users requiring appropriate permissions to the groups. 

Write a script/webscript to find out nodes where you have disabled the inheritance, analyse and tune it accordingly. 

Admin bypasses the permissions that's why you get proper results. 

Enable following logs and see if you can find something:

log4j.logger.org.alfresco.repo.jscript.ScriptLogger=debug
log4j.logger.org.alfresco.repo.transaction.RetryingTransactionHelper=INFO
log4j.logger.org.alfresco.solr.query.AbstractQParser=DEBUG
log4j.logger.org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient=DEBUG

 

Also have a look at this tech talk on permissions:

https://www.alfresco.com/video/tech-talk-live-think-twice-changing-permissions-demand?mkt_tok=eyJpIjoiTVRBd1lqZG1NRFEzTm1ZeCIsInQiOiJaRmxaWmtRRHJiMFV3alVIRWxwZG9iREx4TzlHdlZFekU1UUU3V0pPeWFKeWdmNVFkTGRMQUxLSk1nUjdzNmF6N0htV1IrNnprZWhVaHBKeHQ2V2hvVHAzc3NBSkNIcW9lSnJsYVNhckZKZEd2WU5kUjVzWjdwcmloYmRBWEFUeSJ9

 

 

~Abhinav
(ACSCE, AWS SAA-C02, GAIQ)