
grouper-users - Re: [grouper-users] Fine-Grained Permissions

Subject: Grouper Users - Open Discussion List

  • From: Dennis Roberts <>
  • To: Chris Hyzer <>, Dennis Roberts <>, "" <>
  • Cc: Sriram Srinivasan <>, Nirav Merchant <>, "" <>
  • Subject: Re: [grouper-users] Fine-Grained Permissions
  • Date: Tue, 24 Nov 2015 19:16:01 +0000

We're using Grouper 2.2.1 hitting MySQL 5.6 with an InnoDB database. We haven't tried upgrading to Grouper 2.2.2 yet, but we can try that if it might help.

Selecting all rows from grouper_perms_role_v returns 8570628 rows. Most of these rows are derived from the single permission assignment of the iplant:de:users:de-users role to the iplant:de:apps:public-apps resource. Selecting all rows from grouper_perms_role_subject_v returns an empty set, which surprised me because I thought we had some permission assignments for individual subjects. I suppose I could be misunderstanding the purpose of this view, though. There are 40 rows in grouper_attr_assign_action_set, 28 rows in grouper_attr_assign_action, and 1 row in grouper_attribute_assign.

Please let me know if you need more information.

Thanks,
Dennis

On Tue, Nov 24, 2015 at 6:03 AM Chris Hyzer <> wrote:

What database do you use?  What grouper version?  How many permission assignments do you have (if you can even query it)?

 

Thanks,

Chris

 

 

From: [mailto:] On Behalf Of Dennis Roberts
Sent: Monday, November 23, 2015 1:59 PM
To:
Cc: Sriram Srinivasan; Nirav Merchant;
Subject: [grouper-users] Fine-Grained Permissions

 

Our organization recently attempted to use Grouper permissions to store permissions for user-defined resources, called "apps", in our system. We have more than 9000 users and more than 6000 apps. This is the permissions model that we tried:

 

iplant:de:users:de-users - role containing all users

iplant:de:apps:app-permission-def - permission definition for apps, with actions read, write and own

iplant:de:apps:<app-id> - permission name for a single app

iplant:de:apps:public-apps - permission name for public apps in general

 

Everyone in the de-users role has read access to iplant:de:apps:public-apps, and every public app inherits its permissions from iplant:de:apps:public-apps. Public apps currently have no permissions assigned directly to them.

 

Each private app has one permission assigned to it that grants the app owner own permission. Private apps do not inherit permissions from iplant:de:apps:private-apps.

 

After setting up the initial permissions, I attempted to query the Grouper Web Services for the permissions associated with a single app. The service call timed out after a few minutes. I also tried querying the grouper_perms_all_v and grouper_perms_role_v views directly using very restrictive queries (in the case of grouper_perms_role_v, a query that searched for a single role and permission name). All of the tables in the database were analyzed after I imported these settings and before I ran this query. I canceled the query after several minutes.

 

There was a warning in one of the instructional videos indicating that fine-grained permissions may need to be cached. My suspicion at this point is that our permission requirements are too fine-grained to work at all. Is this the case, or is there something about the permissions model that we're using that's causing this slowness?

 

Thanks,

Dennis

 



