[Zope-dev] Domain Login Slowness at certain location

Andrew R. Halko ahalko@insivia.com
Wed, 18 Jun 2003 17:38:56 -0400


Sorry for not understanding and thank you for all the help...

How do you create another user folder?

What do you mean by "keep users like this
around in a different data structure"?


I currently am only using one user that is called "Intranet User", is
there an easy way to setup so that it just looks at that Users domain
and not any other.  I am not good enough with Zope to understand a lot
of these concepts.

Andrew R. Halko

-----Original Message-----
From: Chris McDonough [mailto:chrism@zope.com] 
Sent: Wednesday, June 18, 2003 5:28 PM
To: Andrew R. Halko
Cc: plone-users@lists.sourceforge.net; zope-dev@zope.org
Subject: RE: [Zope-dev] Domain Login Slowness at certain location

The only real solution is to create a different user folder
implementation that doesn't handle domain auth so stupidly.  For
instance, designate a user as a "domain user" and keep users like this
around in a different data structure so you don't need to iterate over
all users to find one that matches the domain spec.

On Wed, 2003-06-18 at 17:07, Andrew R. Halko wrote:

> 
> Any other suggestions on how to implement domain based access?  Or is
> the only solution to make users create accounts and login.  For a
large
> organization, this is tough.
> 
> Andrew R. Halko
> 
> -----Original Message-----
> From: Chris McDonough [mailto:chrism@zope.com] 
> Sent: Wednesday, June 18, 2003 5:03 PM
> To: Andrew R. Halko
> Cc: plone-users@lists.sourceforge.net; zope-dev@zope.org
> Subject: Re: [Zope-dev] Domain Login Slowness at certain location
> 
> On Wed, 2003-06-18 at 16:07, Andrew R. Halko wrote:
> > 
> > Hello All,
> > 
> > I set up an Intranet that is based on visitors IP Address.  I made a
> > tutorial at Plone.org
> > (http://plone.org/documentation/howto/HowToDomainIntranet).  Now my
> > problem is that I am experiencing a lot of slowness for someone that
> is
> > within the domain, but it is only within this one location.  So, if
I
> > set the site to check my address and log me in, there is not
slowness.
> > But if I change the site to log people in automatically if they have
> the
> > ip address for the gateway at the location, it is very very slow
> loading
> > for all of them.
> > 
> > Does anyone know the processes that the domain attribute goes
through
> to
> > log people in?  Or maybe have an idea what could cause it?  I am
> trying
> > to diagnose and I am not sure what could cause it.  It is the
mixture
> of
> > the automatic login and firewall or something else at the location.
> Any
> > ideas?  Thanks
> 
> The code to support this "domain auth" feature is perhaps the
stupidest
> part of Zope.access control.  I am disappointed that it is still
> supported.  Here is the code to support this mode of authentication,
> ripped directly from the AccessControl.User module:
> 
>         # we need to continue to support this silly mode
>         # where if there is no auth info, but if a user in our
>         # database has no password and he has domain restrictions,
>         # return him as the authorized user.
>         if not auth:
>             if self._domain_auth_mode:
>                 for user in self.getUsers():
>                     if user.getDomains():
>                         if self.authenticate(user.getUserName(), '',
> request):
>                             if self.authorize(user, a, c, n, v,
roles):
>                                 return user.__of__(self)
> 
> 
> So this means, in essence, on each request, *for each user in the
> system*, check if he he has domain restrictions, if so is able to get
in
> to the site with a blank password.  For a site with many users,
> iterating over each user, checking for his domain restrictions, and so
> on can take a long time.  And note that this doesn't just happen on
one
> request, it happens on *every* request.  Worse, it doesn't just happen
> for requests that happen to come from the domain upon which you've
> placed domain restrictions, it happens for *all* requests except the
> ones that pass in auth credentials via HTTP (from people who have
> already presented a valid username/password).  This is almost
certainly
> the cause of the slowness you see.
> 
> I have been trying to remove this feature for quite some time.  I can
> see its utility but the implementation is just way too stupid to be
used
> for anything but tiny user databases.
> 
> One possible hack that might make things much faster *for the people
in
> the domain you're trying to allow access from* is to make sure that
the
> *first* user returned by getUsers is the user that has the domain
> restrictions and blank password.  A simple way to do this is to name
> that user "AAAA User" (because the default user folder's getUsers
sorts
> the users by the lexical order of their names).  This way the loop
above
> will at most be gone through once for browsers in the domains you
> mention in that user's domain spec.
> 
> This will not be the case for anonymous users.  They will go through
the
> whole user database for every request and only fall off the end of the
> userlist once they've tested every user.  It will thus be just as slow
> for them.
> 
> HTH,
> 
> - C
> 
> 
> 
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope )