As we continue to use permission strings/right assignments to improve performance to OpenLMIS v3 (see discussion https://groups.google.com/forum/#!topic/openlmis-dev/wKqgpJ2RgBA for background), we have designed a strategy to update right assignments when the underlying role-based access control (RBAC) structure gets updated in the system.
We have decided to drop and re-generate all right assignments whenever the RBAC structure gets updated. There are a number of reasons for this:
- On the performance test server (https://perftest.openlmis.org ), it takes only a few seconds to re-generate the entire table (about 20,000 rows). Even with a bigger table (such as the one Malawi has), the task should be done in the order of seconds, not minutes or hours.
- Updating the RBAC structure would be done seldomly (only when updating facilities, requisition groups, supervisory nodes, and roles).
- Note: right assignments are updated when a user and corresponding role assignments are updated, but this is done using a separate mechanism that does not re-generate all right assignments.
- The right assignment re-generation is done asynchronously, in the background, and does not block the RBAC update.
- Most users would not see a difference to their permissions (since they are cached in the UI), so they would need to log out and log back in to see updates, which by then the right assignments would be re-generated.
- The alternative, to determine what has changed in the RBAC structure, and calculate which right assignments need to be added/removed, would require complex logic.
Some future considerations in this design:
- Currently, the design does not check if the update code actually affects the RBAC structure (ex: updating a facility triggers a right assignment re-generate, but it should only trigger if a facility’s supported programs are updated, not its details); we could add smarter checking to only trigger when the RBAC structure has been affected.
- If there are multiple right assignment re-generate jobs that are waiting, to be smarter about collapsing/discarding jobs that are unnecessary.
You can see this work and its code commits in OLMIS-3022.
If you have feedback, please feel free to respond.
There are 10 kinds of people in this world; those who understand binary, and those who don’t.
Chongsun Ahn | firstname.lastname@example.org
Software Development Engineer
Village****Reach* ** Starting at the Last Mile*
2900 Eastlake Ave. E, Suite 230, Seattle, WA 98102, USA
DIRECT: 1.206.512.1536 **CELL: **1.206.910.0973 FAX: 1.206.860.6972