PicketBox / SECURITY-734

Slow policy evaluation with a large number of policy sets

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: picketbox_xacml_2.0.8.Final
    • Component/s: None
    • Labels: None
    • Environment: RedHat Linux 6.0, WebSphere Application Server 7.0

      Description

      We suffer a performance problem in the evaluation of a large XACML configuration. We use the JBoss (Sun?) XACML library to process a large number of policy sets (over 2400 policy set files) using the "deny-override" combining algorithm.

      Initially the number of policies was relatively small, but it increased with time, leading to performance degradation, with 100% CPU (single) core consumption.

      After running a code sample under a Java profiler, we found that 99% of the time is spent in the method PolicySetFinderModule.findPolicy(URI, int, VersionConstraints, PolicyMetaData).

      This method walks through a list of AbstractPolicy objects, comparing the ID of each object with its first argument. In our configuration the number of such objects is relatively large, leading to slow execution with high CPU consumption.

      We suggest replacing the list of AbstractPolicy with a HashMap. Our experiments show that total evaluation time reduces ~50 times with a HashMap over List implementation.
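
An added sketch of the list-to-map change proposed above; it is not the patch attached to this issue and not PicketBox code, and `PolicyRef`, `PolicyIndexDemo` and the `urn:example:` IDs are hypothetical (Java 16+ for the record). It also checks one behaviour a HashMap swap can change: with duplicate policy IDs a list scan returns the first match, so the index keeps the first entry and reports the shadowed files instead of silently replacing a policy.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for a loaded policy set; only the ID matters here.
record PolicyRef(URI id, String sourceFile) {}

public class PolicyIndexDemo {
    // Linear scan: returns the first entry with a matching ID, O(n) per lookup.
    static PolicyRef findByScan(List<PolicyRef> policies, URI wanted) {
        for (PolicyRef p : policies) {
            if (p.id().equals(wanted)) return p;
        }
        return null;
    }

    // Index built once at load time, O(1) per lookup. putIfAbsent keeps the
    // first entry per ID (same winner as the scan) and records the others.
    static Map<URI, PolicyRef> buildIndex(List<PolicyRef> policies, List<String> shadowed) {
        Map<URI, PolicyRef> index = new HashMap<>();
        for (PolicyRef p : policies) {
            PolicyRef first = index.putIfAbsent(p.id(), p);
            if (first != null) {
                shadowed.add(p.sourceFile() + " duplicates " + p.id() + " from " + first.sourceFile());
            }
        }
        return index;
    }

    public static void main(String[] args) {
        // Constructed sample: 2400 policy sets plus one file reusing an existing ID.
        List<PolicyRef> policies = new ArrayList<>();
        for (int i = 0; i < 2400; i++) {
            policies.add(new PolicyRef(URI.create("urn:example:policyset:" + i), "ps-" + i + ".xml"));
        }
        policies.add(new PolicyRef(URI.create("urn:example:policyset:7"), "ps-7-copy.xml"));
        List<String> shadowed = new ArrayList<>();
        Map<URI, PolicyRef> index = buildIndex(policies, shadowed);
        for (PolicyRef p : policies) {
            // Both lookups must resolve every ID to the same object.
            if (findByScan(policies, p.id()) != index.get(p.id())) {
                throw new IllegalStateException("lookup mismatch for " + p.id());
            }
        }
        System.out.println("ids indexed: " + index.size() + ", shadowed: " + shadowed);
    }
}
```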

          Activity

          Maxim Zinal added a comment:

          A small patch fixing performance problem

          Anil Saldhana added a comment:

          Maxim Zinal please feel free to fork https://github.com/picketbox/security-xacml and submit a pull request.

          Maxim Zinal added a comment:

          Created a pull request. How strange and ugly that git is, uh...
          Poor Linux developers.

          Anil Saldhana added a comment:

          Maxim Zinal I like GitHub because contributions such as yours are easier to merge into the project. Thanks a lot for the contribution.


            People

            • Assignee: Anil Saldhana
            • Reporter: Maxim Zinal