[JENKINS-58399] Performance: Avoid finding implying permissions on each `hasPermission()` call #83
Jun 25, 2019
AbhyudayaSharma left a comment
The cache needed to be invalidated when the dangerous permissions changed. I've made some changes to allow us to respond to changes in DangerousPermissionHandlingMode.
oleg-nenashev left a comment
I do not see anything wrong with this pull request. This is a pretty complicated area, and there is a high risk of regressions which may cause security issues. My suggestion would be to make this caching optional and configurable in Role Strategy settings.
https://github.com/jenkinsci/extended-read-permission-plugin/blob/master/src/main/java/hudson/plugins/extendedread/PluginImpl.java#L32 for an example of permissions management at runtime. If a system Groovy script disables permissions in such a way, caching will not reflect it.
w.r.t. caching. It can be either opt-in or opt-out. CC @jenkinsci/gsoc2019-role-strategy
Also notes for reviewers. https://javadoc.jenkins.io/hudson/security/Permission.html is final, and hence permission implementations cannot define the
changed the title
Avoid finding implying permissions on each `hasPermission` call
Jul 9, 2019
jeffret-b left a comment
It's basically trading off memory space and a little bit of complexity for performance, which is what a cache does. There's always a risk of problems with increased complexity. The performance improvement is good value for the tradeoff, though. I can't find any concerns.
I've built the PR and run the autotests, but haven't done any further testing or confirmation of performance gains.
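
The stale-cache risk raised in the review above, as an added Java sketch that is not code from this pull request, the Role Strategy plugin or Jenkins: the `Perm` class, the permission names and the rule that a disabled permission is skipped when collecting implying permissions are assumptions made for illustration. It shows a cached lookup that keeps granting access after a permission is disabled at runtime, until something invalidates the cache.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical model; none of these types are the Jenkins or plugin classes.
public class ImplyingPermissionCacheDemo {
    static final class Perm {
        final String id;
        final Perm impliedBy;             // permission that implies this one, or null
        volatile boolean enabled = true;  // may be flipped at runtime
        Perm(String id, Perm impliedBy) { this.id = id; this.impliedBy = impliedBy; }
    }

    private final Map<Perm, Set<Perm>> cache = new ConcurrentHashMap<>();

    // Walk the impliedBy chain. Assumption: a disabled permission grants nothing itself.
    private static Set<Perm> computeImplying(Perm wanted) {
        Set<Perm> out = new HashSet<>();
        for (Perm cur = wanted; cur != null; cur = cur.impliedBy) {
            if (cur.enabled) out.add(cur);
        }
        return out;
    }

    // The chain is computed once per permission instead of on every call.
    boolean hasPermission(Set<Perm> granted, Perm wanted) {
        for (Perm p : cache.computeIfAbsent(wanted, ImplyingPermissionCacheDemo::computeImplying)) {
            if (granted.contains(p)) return true;
        }
        return false;
    }

    // Every code path that changes permission state has to call this.
    void invalidate() { cache.clear(); }

    public static void main(String[] args) {
        Perm administer = new Perm("Administer", null);            // constructed names
        Perm configure = new Perm("Configure", administer);
        Perm extendedRead = new Perm("ExtendedRead", configure);
        Set<Perm> granted = Collections.singleton(extendedRead);   // user holds only this

        ImplyingPermissionCacheDemo acl = new ImplyingPermissionCacheDemo();
        System.out.println("enabled:           " + acl.hasPermission(granted, extendedRead));
        extendedRead.enabled = false;  // runtime change the cache never hears about
        System.out.println("disabled, stale:   " + acl.hasPermission(granted, extendedRead));
        acl.invalidate();
        System.out.println("disabled, cleared: " + acl.hasPermission(granted, extendedRead));
    }
}
```

A regression test for a cache like this would assert that the second and third checks agree, which only holds if the code that flips `enabled` also triggers invalidation.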