ACL performance

Hi all

Suppose we have a folder with a large number of documents, that is continuously updated with other documents.

We set permission on the folder so everyone can see the folder, but set permission on every document so that only specific users can see the document inside the folder.

I have 2 questions about the above scenario:

  1. How much will this impact the performance of Nuxeo
  2. Is there a limit on the number of documents with specific ACL on each folder? (for example sharepoint has a limit of 50 000 for this use case. See here security scope)
0 votes

2 answers

1436 views

ANSWER



Having a large number of documents in a folder is not a problem, although as pointed out you have to adapt the UI as page-based navigation isn't user-friendly in that case.

Having different ACLs on each of those documents is not a problem either, although of course some ACL-based tables will grow bigger as a result.

As asked in a comment above, when you list a folder at any time a filter is done using the aforementioned tables but again that's normal behavior.

0 votes



And of course the best way to make sure in your actual situation is to run your own benchmark.
10/14/2013


Hi,

Maybe you can read this : http://doc.nuxeo.com/x/uAAt

and this : http://doc.nuxeo.com/x/xgwz (part “Capacity and Sizing”)

IMHO :

  • set permissions on folders (default) or documents (see http://doc.nuxeo.com/x/xgQz) : it doesn't change the perf
  • there is no limit for number of childs on a document (cf “you can have folders with several thousands of child documents” on the first link of my answer) -> but it could be not user-friendly if your users see 6382 pages of docs in a folder
  • if you set a very large number of ACL on the same document (folder or file) then adapt the size for the pre-computed ACLs (search about “aclOptimizations” and “readAclMaxSize” … it can be configured in your nuxeo.conf file) -> again, think it's not user-friendly to manage a rights page with 394 ACL entries (furthermore, there is no pagination on rigths management page)
0 votes



I have a client with > 5000 docs per folder - they wanted a very flat structure for files. It works for them because I created a custom search capability that allows them to easily narrow to documents of interest (by doc type and custom metadata fields). Without an easy way for information consumer to find content having thousands of documents in a single container might not be the best strategy.

I also have custom programmatic security for individual documents and I haven't seen any negative performance issues (assuming of course you have sufficient hardware and have tuned your database config).

10/13/2013

thank you both very much for the answers

i don't think we will have a large number of ACLs per document , but we may have a large number of documents, more than 5000 for sure. I was wondering about the performance also for another reason, say i have a folder with 10000 docs, and have set ACLs on each of them so only the authorized users can see certain docs.

When the user opens the folder, there certainly happens a calculation of permission in order to show the user the docs he has permission on. Could this impact the systems performance?

10/14/2013

Be confident. And search about Nuxeo ACL optimizations (I didn't find any links to that, but you can check the aclr table in your Nuxeo database for example)

If you're still afraid. Use JMeter, Funkload, or any other tool to objectively validate that Nuxeo can be performant in your case.

Samples of Nuxeo's benchmarks : http://public.dev.nuxeo.com/~ben/bench-10m/ http://public.dev.nuxeo.com/~ben/bench-navigation-3m/

10/14/2013