[Zope-dev] Domain Login Slowness at certain location
Chris McDonough
chrism@zope.com
18 Jun 2003 17:27:54 -0400
The only real solution is to create a different user folder
implementation that doesn't handle domain auth so stupidly. For
instance, designate a user as a "domain user" and keep users like this
around in a different data structure so you don't need to iterate over
all users to find one that matches the domain spec.
On Wed, 2003-06-18 at 17:07, Andrew R. Halko wrote:
>
> Any other suggestions on how to implement domain based access? Or is
> the only solution to make users create accounts and log in? For a large
> organization, this is tough.
>
> Andrew R. Halko
>
> -----Original Message-----
> From: Chris McDonough [mailto:chrism@zope.com]
> Sent: Wednesday, June 18, 2003 5:03 PM
> To: Andrew R. Halko
> Cc: plone-users@lists.sourceforge.net; zope-dev@zope.org
> Subject: Re: [Zope-dev] Domain Login Slowness at certain location
>
> On Wed, 2003-06-18 at 16:07, Andrew R. Halko wrote:
> >
> > Hello All,
> >
> > I set up an Intranet that is based on visitors' IP Address. I made a
> > tutorial at Plone.org
> > (http://plone.org/documentation/howto/HowToDomainIntranet). Now my
> > problem is that I am experiencing a lot of slowness for someone that is
> > within the domain, but it is only within this one location. So, if I
> > set the site to check my address and log me in, there is no slowness.
> > But if I change the site to log people in automatically if they have the
> > IP address for the gateway at the location, it is very very slow loading
> > for all of them.
> >
> > Does anyone know the processes that the domain attribute goes through to
> > log people in? Or maybe have an idea what could cause it? I am trying
> > to diagnose and I am not sure what could cause it. It is the mixture of
> > the automatic login and firewall or something else at the location. Any
> > ideas? Thanks
>
> The code to support this "domain auth" feature is perhaps the stupidest
> part of Zope access control. I am disappointed that it is still
> supported. Here is the code to support this mode of authentication,
> ripped directly from the AccessControl.User module:
>
>     # we need to continue to support this silly mode
>     # where if there is no auth info, but if a user in our
>     # database has no password and he has domain restrictions,
>     # return him as the authorized user.
>     if not auth:
>         if self._domain_auth_mode:
>             for user in self.getUsers():
>                 if user.getDomains():
>                     if self.authenticate(user.getUserName(), '',
>                                          request):
>                         if self.authorize(user, a, c, n, v, roles):
>                             return user.__of__(self)
>
>
> So this means, in essence, on each request, *for each user in the
> system*, check if he has domain restrictions, and if so, whether he is
> able to get in to the site with a blank password. For a site with many users,
> iterating over each user, checking for his domain restrictions, and so
> on can take a long time. And note that this doesn't just happen on one
> request, it happens on *every* request. Worse, it doesn't just happen
> for requests that happen to come from the domain upon which you've
> placed domain restrictions, it happens for *all* requests except the
> ones that pass in auth credentials via HTTP (from people who have
> already presented a valid username/password). This is almost certainly
> the cause of the slowness you see.
>
> I have been trying to remove this feature for quite some time. I can
> see its utility but the implementation is just way too stupid to be used
> for anything but tiny user databases.
>
> One possible hack that might make things much faster *for the people in
> the domain you're trying to allow access from* is to make sure that the
> *first* user returned by getUsers is the user that has the domain
> restrictions and blank password. A simple way to do this is to name
> that user "AAAA User" (because the default user folder's getUsers sorts
> the users by the lexical order of their names). This way the loop above
> will at most be gone through once for browsers in the domains you
> mention in that user's domain spec.
>
> This will not be the case for anonymous users. They will go through the
> whole user database for every request and only fall off the end of the
> userlist once they've tested every user. It will thus be just as slow
> for them.
>
> HTH,
>
> - C
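
Added example (not part of the original thread and not Zope code): a small model of the per-request user scan quoted above, the "AAAA User" naming hack, and the separate domain-user structure suggested in the reply at the top. The class names, the sample users and the use of CIDR networks in place of Zope's domain specs are assumptions made for illustration, and the check is reduced to network membership.

```python
import ipaddress

def build_users(domain_user, n_ordinary=5000):
    # Constructed sample data: name -> allowed networks (empty list = ordinary user).
    users = {"user%04d" % i: [] for i in range(n_ordinary)}
    users[domain_user] = ["203.0.113.0/24"]  # documentation range standing in for the gateway
    return users

class LinearFolder:
    """Same shape as the quoted loop: every user is examined on each
    request that arrives without credentials."""
    def __init__(self, users):
        # Sorted by name, as the thread says the default user folder does.
        self.entries = [(name, [ipaddress.ip_network(n) for n in nets])
                        for name, nets in sorted(users.items())]
        self.checks = 0

    def validate(self, remote_addr):
        addr = ipaddress.ip_address(remote_addr)
        for name, nets in self.entries:
            self.checks += 1  # one user examined
            if any(addr in net for net in nets):
                return name
        return None  # fell off the end of the user list: anonymous

class IndexedFolder(LinearFolder):
    """Domain users live in their own list, so ordinary accounts are
    never touched when no credentials are presented."""
    def __init__(self, users):
        super().__init__(users)
        self.entries = [entry for entry in self.entries if entry[1]]

def measure(folder_cls, domain_user, remote_addr):
    folder = folder_cls(build_users(domain_user))
    return folder.validate(remote_addr), folder.checks

if __name__ == "__main__":
    cases = [(LinearFolder, "zz_intranet"), (LinearFolder, "AAAA User"),
             (IndexedFolder, "zz_intranet")]
    for cls, name in cases:
        for addr in ("203.0.113.7", "198.51.100.9"):  # inside / outside the domain
            print(cls.__name__, repr(name), addr, measure(cls, name, addr))
```

The renamed user only helps clients inside the domain; with the separate list, the cost for every credential-less request depends on the number of domain users rather than on the size of the user database.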