Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
As mentioned in #1976696: Polyfill permissions for the Node module, we need to make sure we don't create a huge performance problem with our node access system.
Comment | File | Size | Author |
---|---|---|---|
#10 | group-node_access_performance-2048397-10.patch | 21.78 KB | kristiaanvandeneynde |
Comments
Comment #1
kristiaanvandeneyndeSee #2048393: Workflow for creating nodes in groups
Comment #2
chaby CreditAttribution: chaby commentedRe-open it and set it as critical because I fear that what I have mentionned here is still topical...no ? (having X conditions with query node access altered with grant system for outsiders with a lot of groups he doesn't belong too and groups are from the same group type with allowed ACL for outsider).
Comment #3
kristiaanvandeneyndeIn reply of #1976696-39: Polyfill permissions for the Node module: For every grant you have, there will be a condition added to the query.
You'll get 100 * 5 = 500 view grants or condition for a node_access query.
The only upside to this performance beast is that single node access queries first filter on nid:
Where the query tag filters on the permissions first:
This still sucks major balls though.. :/
I'm going to Google a bit on the consequences of having queries with a lot of conditions.
Comment #4
chaby CreditAttribution: chaby commentedYou are right. These two queries (from node_access() and node_access_view_all_nodes()) are first filtered by nid and op. So we could hope that SQL interpreter will only apply grant conditions on it (gid + realm) after filtering it with indexed nid. So only with grant module group, it should apply it to 3 rows for node_access (realm : bypass, admin, view) and no one for node_access_view_all_nodes.
So as you say, probably the question is : is that support a lot of conditions ?
But I'm curious about the query executed in _node_query_node_access_alter() :
If the original query is a listing of 20 nodes without explicit filter (node type only for e.g), it will fetch nodes tables , filter per type and make a correlated subquery on nid for each rows as limit should be applied later ? And as you know, this subquery could have a lot of conditions...
TBH, I don't know SQL interpreter well and need some explain query with a real-life database test (lot of groups, node access and so on) to check it !
Comment #5
kristiaanvandeneyndeSee #106721: Optimize node access query building
Comment #6
chaby CreditAttribution: chaby commentedHuuum...very interesting ! Using 'IN' clause instead of adding a lot of conditions should improve performance. And maybe having a IN condition with 3000 integer (gid) should not be very dangerous.
However, this patch must be applied to the core to resolve this issue (returning a lot of gids for outsider if permissions are set).
If this issue could not be resolve inside group module itself, a minimum precaution would be to warn end-user about this performance issue (for e.g on the group permission overview, like 'be careful, set outsider permissions could have performance issue with grant system')...no ?
Comment #7
kristiaanvandeneyndeOk so from what I've gathered (hours of research), we could reduce the amount of access records significantly by setting only 4 records per node. All of those records could grant full access to a node. However, because hook_node_grants() provides us with an $op parameter, we would only supply grants for said all-access locks when the user actually has the permission to perform the provided operation.
Currently for node 2, group 2, user 3 this is written:
Proposed change for node 2, group 2, user 3:
Important changes:
That way, if #106721: Optimize node access query building makes it in, we'll get a lot more performance out of the IN() condition.
Alternative solution:
Screw node access and we write gnode_query_node_access_alter() instead.
Comment #8
chaby CreditAttribution: chaby commentedOk, if I understand :
- less node records but with grant hook, it returns grants only if account have permission for this op (by using user access and group_access) ? If true, why not, we 'll loose visibility but decrease number of rows in node_access table on which could be applied a lot of conditions. So it should be a good improvement.
By the way, why not removed also grant 'administer' and 'bypass' ? In hook grant, one could be checked with group_access and other with user_access ? If at least one match for the op, returns appropriate grants, no (so all perm) ? So if I'm not wrong, we could reduce it to 2 rows only :
- however as you say, we will loose the real ownership of the node : is that the author = the group ? Is that meaning a member of the same group could edit a node of another member if he have the permission edit own and not the global perm edit any ?
Is that won't be real nightmare with other grant modules ? (just a question, I have no point of view for now ;-) ).
Comment #9
chaby CreditAttribution: chaby commentedOuch, not really...didn't think about node unpublished...so we needs at least 3 grants (one more for unpublished node allowed for bypass and admin).
Comment #10
kristiaanvandeneyndeOkay, I've thoroughly reworked the node access system for Group Node and came up with this:
Please review, the todo is about the fact that I still hardcodedly assume the node table is aliased with 'n'.
Comment #11
kristiaanvandeneyndeshould of course be
My bad
Comment #12
kristiaanvandeneyndeRight, I'm committing this. We can always revert to node access if necessary.