Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lxd: Improves efficiency of operation cancel with permission checker. #13156

Merged
merged 1 commit into from
Mar 15, 2024
Merged

lxd: Improves efficiency of operation cancel with permission checker. #13156

merged 1 commit into from
Mar 15, 2024

Conversation

markylaing
Copy link
Contributor

Previously, each url was checked with (Authorizer).CheckPermission. With the fine-grained authorization driver this may use more database calls than is necessary. This commit refactors the permission check to use a permission checker instead, if there are multiple entities of a given type. (See similar logic in lxd/project.FilterUsedBy).

Partially addresses #12461 - see #12313 (comment)

@markylaing markylaing self-assigned this Mar 14, 2024
@markylaing markylaing mentioned this pull request Mar 14, 2024
Closed
18 tasks
roosterfish
roosterfish requested changes Mar 15, 2024
View reviewed changes
lxd/operations.go Show resolved Hide resolved
@markylaing
lxd: Improves efficiency of operation cancel with permission checker.
767b342 
Previously, each url was checked with `(Authorizer).CheckPermission`.
With the fine-grained authorization driver this may use more database
calls than is necessary. This commit refactors the permission check to
use a permission checker instead, if there are multiple entities of a
given type. (See similar logic in `lxd/project.FilterUsedBy`).

Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing markylaing force-pushed the operation-cancel-permission-check branch from 102ad80 to 767b342 Compare March 15, 2024 08:31
tomponline
tomponline reviewed Mar 15, 2024
View reviewed changes
lxd/operations.go
@@ -257,14 +257,44 @@ func operationDelete(d *Daemon, r *http.Request) response.Response {
projectName = api.ProjectDefaultName
}

// Separate resources by entity type. If there are multiple entries of a particular entity type we can reduce
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we standardise this pattern into a helper function we can call in each appropriate place?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is similar to project.FilterUsedBy except that this one returns an error if any are unauthorized - rather than filtering them out.

I suppose here I could write a method FilterByEntitlement, then FilterUsedBy would call it with can_view and this function would call it and check if the length of the input list is equal to the length of the output list. I think that might be less clear though. Not sure 🤔

@tomponline tomponline merged commit 27eb3f2 into canonical:main Mar 15, 2024
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roosterfish roosterfish roosterfish approved these changes

@tomponline tomponline tomponline approved these changes

Assignees

@markylaing markylaing

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markylaing @tomponline @roosterfish