Cache::Memcached::Managed provides namespace support. You're correct that it won't be as fast as the best local caches. If you weren't already planning to use memcached, you might try just making a cache table in MySQL instead. It could be a simple HEAP table, with a key for the namespace in addition to the primary key.
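For illustration, a minimal sketch of the kind of table described above, using DBI; all of the names (database, table, columns) are made up, not from any real schema:

use DBI;

# Hypothetical connection details.
my $dbh = DBI->connect( 'dbi:mysql:database=myapp;host=localhost',
                        'appuser', 'secret', { RaiseError => 1 } );

# A MEMORY (HEAP) table keyed on namespace + key.
$dbh->do(<<'SQL');
CREATE TABLE IF NOT EXISTS app_cache (
    namespace VARCHAR(64)  NOT NULL,
    cache_key VARCHAR(255) NOT NULL,
    value     VARCHAR(255) NOT NULL,
    PRIMARY KEY (namespace, cache_key)
) ENGINE=MEMORY
SQL

# Dropping everything in one namespace is then a single indexed DELETE:
$dbh->do( 'DELETE FROM app_cache WHERE namespace = ?', undef, 'privileges' );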
Thanks for that, Perrin - I wasn't aware of the ::Managed version of memcached, and it looks like it could solve some other issues in my system, but probably not for privileges.
Privileges may not change that frequently, but when they do change they can have a far-reaching effect, so it makes more sense to take the hit of working out which cached values to expire at the moment something changes, rather than working out the namespaces right from the beginning.
However, I think your suggestion of using a memory table in MySQL for the privilege cache is probably spot on. It'd be fast, centralised and easy to manage, and it comes with the indexes I need to expire the changed values intelligently.
The only problem I can see is the possibility of two processes interacting, where one caches a value low down in the privilege tree while the other is changing a value higher up - I'll probably need to work through that with locking, which should be fine because these are all fast, simple queries.
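One way that race could be covered is with a MySQL advisory lock (GET_LOCK/RELEASE_LOCK); this is only a rough sketch, and the lock name, helper name and table names are all assumptions:

use DBI;

# Sketch only: serialise privilege changes and cache writes behind a
# MySQL advisory lock, so a slow reader can't re-insert a stale value
# just after a change has purged the cache.
sub with_priv_lock {
    my ( $dbh, $code ) = @_;
    my ($got) = $dbh->selectrow_array(q{SELECT GET_LOCK('priv_cache', 5)});
    die 'could not acquire privilege-cache lock' unless $got;
    my @result = eval { $code->() };
    my $err = $@;
    $dbh->selectrow_array(q{SELECT RELEASE_LOCK('priv_cache')});
    die $err if $err;
    return @result;
}

# Changing a privilege: update it and purge the affected cache rows
# under the same lock (table and column names are invented):
#
#   with_priv_lock( $dbh, sub {
#       $dbh->do( 'UPDATE privilege SET permission = ? WHERE id = ?',
#                 undef, $perm, $priv_id );
#       $dbh->do( 'DELETE FROM priv_cache WHERE object_id = ?',
#                 undef, $object_id );
#   } );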
thanks - heart more at rest now...
You're getting ahead of yourself. You don't say whether or not you even have a basic version working that takes a second per check. Get something functional and put tests around it so that every optimization can still be checked for correctness. It does no good to have it return in 10 milliseconds if the answer is wrong 10% of the time.
My criteria for good software:
- Does it work?
- Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
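A minimal illustration of that kind of safety net, using Test::More; the class name, fixtures and PERM_EDIT constant are all invented, only the inherited_permission() call comes from the code below:

use Test::More tests => 2;

# Sketch only: assume $album, $owner and $stranger are set up elsewhere.
# The point is to pin down the expected answers first, so any later
# caching or precalculation can be checked against them.
my $own   = My::Permission->new( { object => $album, subject => $owner } );
my $other = My::Permission->new( { object => $album, subject => $stranger } );

ok(    $own->inherited_permission   & PERM_EDIT,   'owner can edit own album' );
ok( !( $other->inherited_permission & PERM_EDIT ), 'stranger cannot edit it' );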
I do have a working version, but it has two problems: the speed of the initial request, and the fact that changing a high-level intersection of privileges affects many cached values. At the moment, if privileges change, I'm just emptying the entire privilege cache, which is not very efficient.
So the system works; I just think it could be better, faster and more scalable, and my question is whether my proposed solution sounds good: maintaining speed and accuracy at the expense of table space.
The code for checking the inherited permissions is as follows:
#===================================
sub inherited_permission {
#===================================
    my $self = shift;

    unless ( defined $self->{_inh} ) {

        # Candidate IDs on the object side: the object itself, its groups,
        # and its parent.
        my $object           = $self->object;
        my $object_parent_id = $object->parent_id;
        my @object_groups    = $object->groups;
        my $own_object_id    = $object->id;
        my @object_ids = ( $own_object_id, @object_groups, $object_parent_id );

        # Candidate IDs on the subject side: the subject itself, its groups,
        # and its parent.
        my $subject           = $self->subject;
        my $subject_parent_id = $subject->parent_id;
        my @subject_groups    = $subject->groups;
        my $own_subject_id    = $subject->id;
        my @subject_ids = ( $own_subject_id, @subject_groups, $subject_parent_id );

        # Start from the directly assigned permission, then OR in the
        # (recursively computed) permission of every other (object, subject)
        # combination, skipping missing IDs and the original pair itself.
        my $inherited_permission = $self->permission;

        foreach my $object_id (@object_ids) {
            foreach my $subject_id (@subject_ids) {
                next if !( $subject_id && $object_id )
                    || (   $subject_id == $own_subject_id
                        && $object_id  == $own_object_id );
                my $permission = $self->new( {
                    object  => $self->base_class->new($object_id),
                    subject => $self->base_class->new($subject_id),
                } );
                $inherited_permission |= $permission->inherited_permission;
            }
        }

        # Apply the status-dependent mask, then cache the result. The
        # object/subject refs are removed before caching and restored after.
        $self->{_inh} = $inherited_permission & $self->mask;
        my @saved = delete @{$self}{ '_subject', '_object' };
        $self->save_to_cache;
        @{$self}{ '_subject', '_object' } = @saved;
    }

    return $self->{_inh};
}
(There is some added complexity involved because in my live system the actual privileges reported depend on the 'status' of each object, so an album with status 'awaiting approval' would grant different privileges than an album with status 'approved'.) This is just handled by a series of predefined masks.
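Purely for illustration, such masks might look something like this; the permission bits and statuses here are invented, not the real ones:

# Invented bits and statuses - the real ones are application-specific.
use constant {
    PERM_VIEW    => 0b0001,
    PERM_COMMENT => 0b0010,
    PERM_EDIT    => 0b0100,
    PERM_DELETE  => 0b1000,
};

my %STATUS_MASK = (
    'approved'          => PERM_VIEW | PERM_COMMENT | PERM_EDIT | PERM_DELETE,
    'awaiting approval' => PERM_VIEW | PERM_EDIT,    # editable, no comments yet
    'archived'          => PERM_VIEW,                # read-only
);

# The computed permission is ANDed with the mask for the object's status,
# as in the "$inherited_permission & $self->mask" line above.
sub mask_for_status {
    my ($status) = @_;
    return $STATUS_MASK{$status} // 0;    # unknown status grants nothing
}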
Clinton,
Since you asked me via email to comment on this query, with specific reference to Bricolage, let me tell you how it works in Bricolage.
First, there are no permissions granted to individual users or to individual objects. It just made the schema too complex. So we only have groups of users and groups of objects that function as subjects and objects in Bricolage.
When you load an object from the database, the IDs of the groups of which it is a member are also loaded, in the same query. This list of group IDs is available via a call to get_grp_ids().
To check a permission, an object is passed to the user object's can_do() method, along with the permission in question. So if I want to know if a user has Edit permission to an object, I simply do something like this: if ($user->can_do($obj, EDIT)) {...}. The can_do() method then compares the object's group IDs against an ACL loaded for the user.
The user object is cached in the session, so it only gets loaded once for each user. Whenever permissions change, a flag is set in the system-wide cache and all user sessions automatically reload the user whenever it is set, so that permission changes are always immediate. This is not ideal, but generally expiring all users is more efficient than expiring all objects.
The ACL contains a hash mapping object group IDs to their permissions. So all can_do() has to do is iterate over this hash, find all of the relevant group IDs that the object is in, and compare the permissions.
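That shape might be roughly as follows; this is not Bricolage's actual implementation, just an illustration, and it assumes the ACL lives in $self->{acl} and that permission levels compare numerically (READ < EDIT < ...):

# Illustrative only - not the real Bricolage code.
sub can_do {
    my ( $self, $obj, $wanted ) = @_;
    my $acl = $self->{acl};    # assumed: { group_id => permission, ... }
    for my $grp_id ( $obj->get_grp_ids ) {
        my $perm = $acl->{$grp_id} or next;
        return 1 if $perm >= $wanted;
    }
    return 0;
}

# if ( $user->can_do( $obj, EDIT ) ) { ... }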
Now, I wrote this a _long_ time ago, and it's far from ideal. It used to be that each object had to have its group IDs loaded in a separate query, and as you can imagine this made permission checking (and therefore Bricolage) extremely slow. It was _much_ better after all objects started loading their group IDs at the same time that they were loaded.
Now, as to your questions, I have the following feedback:
- Make your objects always load their own ACLs at the same time that they're loaded, so that you don't have to send a separate query for every object for which you want to check the permissions (see the sketch after this list).
- If you do store calculated permissions in the database, use triggers to keep them updated, rather than a cron job. Then you won't have to think about them and they'll always be up-to-date. Besides, the data isn't really redundant because it's a calculated sum that must be dynamically maintained for every object. It makes sense to cache it like this.
- Do use memcached or a MySQL table for centralized caching. The performance edge of a local cache is not worth the bother compared to the convenience of centralized caching across multiple servers. It works great for LiveJournal; it can work for you. Perrin nails this one.
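A sketch of the first point - pulling the group IDs in with the object in a single query - might look like this; the table and column names are assumptions, not from any real schema:

# Assumed schema: an object table plus an object_group_member table
# mapping objects to the groups they belong to. GROUP_CONCAT pulls the
# whole membership list back in the same query as the object itself.
sub load_object_with_groups {
    my ( $dbh, $object_id ) = @_;
    my $row = $dbh->selectrow_hashref( q{
        SELECT o.id,
               o.name,
               GROUP_CONCAT(m.group_id) AS grp_ids
        FROM   object o
        LEFT JOIN object_group_member m ON m.object_id = o.id
        WHERE  o.id = ?
        GROUP  BY o.id, o.name
    }, undef, $object_id );
    $row->{grp_ids} = [ split /,/, ( $row->{grp_ids} // '' ) ];
    return $row;
}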
HTH,
—Theory