--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Which permissions are you specifically concerned about here?
There is at least one corner case in NoteDb where we do actually have to check permissions during reindex. Since approvals in NoteDb are not copied forward in storage at patch set creation time, we run the ApprovalCopier via ChangeData#currentApprovals. ApprovalCopier (currently) uses permissions to truncate approvals to the allowed range for that user.
For that case we probably don't actually care what the user is in the ChangeControl we pass to ApprovalCopier#getForPatchSet, since it turns around and calls controlFor(otherUser).
But passing InternalUser won't actually avoid most of the ACL evaluations.
On Tue, Sep 6, 2016 at 6:24 PM, Dave Borowitz <dbor...@google.com> wrote:Which permissions are you specifically concerned about here?Specifically, I have seen that computing mergeability checks Read permission on the target branch.The code reaches RefControl.isVisible [1] and proceeds to canPerform(Permission.READ)because getUser().isInternalUser() returns false.I haven't yet checked if and what other permissions may also be evaluated.
In general my concern was about any permission evaluation during indexing... IMO we don't needit and if we cannot easily avoid calling code which does permission evaluation then using an InternalUser isthe intended way to avoid that evaluation, right?There is at least one corner case in NoteDb where we do actually have to check permissions during reindex. Since approvals in NoteDb are not copied forward in storage at patch set creation time, we run the ApprovalCopier via ChangeData#currentApprovals. ApprovalCopier (currently) uses permissions to truncate approvals to the allowed range for that user.For that case we probably don't actually care what the user is in the ChangeControl we pass to ApprovalCopier#getForPatchSet, since it turns around and calls controlFor(otherUser).I understand. However, this is a completely different thing... it doesn't depend on the current user and itdoes some permission evaluation for a user who posted an approval on that change, not for the current user.Conceptually this is not really a part of reindexing but more a lazy-update, if I understand it correctly.
But passing InternalUser won't actually avoid most of the ACL evaluations.It would avoid ACL evaluation at least in the example [1].Any better ideas/proposals?
On Tue, Sep 6, 2016 at 4:28 PM, Saša Živkov <ziv...@gmail.com> wrote:On Tue, Sep 6, 2016 at 6:24 PM, Dave Borowitz <dbor...@google.com> wrote:Which permissions are you specifically concerned about here?Specifically, I have seen that computing mergeability checks Read permission on the target branch.The code reaches RefControl.isVisible [1] and proceeds to canPerform(Permission.READ)because getUser().isInternalUser() returns false.I haven't yet checked if and what other permissions may also be evaluated.Good point, that would be nice to short-circuit.
In general my concern was about any permission evaluation during indexing... IMO we don't needit and if we cannot easily avoid calling code which does permission evaluation then using an InternalUser isthe intended way to avoid that evaluation, right?There is at least one corner case in NoteDb where we do actually have to check permissions during reindex. Since approvals in NoteDb are not copied forward in storage at patch set creation time, we run the ApprovalCopier via ChangeData#currentApprovals. ApprovalCopier (currently) uses permissions to truncate approvals to the allowed range for that user.For that case we probably don't actually care what the user is in the ChangeControl we pass to ApprovalCopier#getForPatchSet, since it turns around and calls controlFor(otherUser).I understand. However, this is a completely different thing... it doesn't depend on the current user and itdoes some permission evaluation for a user who posted an approval on that change, not for the current user.Conceptually this is not really a part of reindexing but more a lazy-update, if I understand it correctly.You're correct that it's for a user who voted on a label, but it really does have to do it during reindexing.
In other words yes it's a lazy lookup but we do the lazy lookup when indexing a change.ChangeField#LABEL looks up labels on the current patch set to store them in the index.LABEL#get-> ChangeData#currentApprovals-> ApprovalsUtil#byPatchSet-> ApprovalCopier#getForPatchSet-> LabelNormalizer#normalize-> LabelNormalizer#applyRightFloorBut passing InternalUser won't actually avoid most of the ACL evaluations.It would avoid ACL evaluation at least in the example [1].Any better ideas/proposals?I do not have any ideas about how to avoid calling LabelNormalizer#applyRightFloor in the index path, sorry :(
We are discussing two topics here:1. (unnecessary) permission checks during (re)indexing against the current user2. normalization of the approval values which is done during (re)indexing and which also involves permission checksOn Tue, Sep 6, 2016 at 10:39 PM, Dave Borowitz <dbor...@google.com> wrote:On Tue, Sep 6, 2016 at 4:28 PM, Saša Živkov <ziv...@gmail.com> wrote:On Tue, Sep 6, 2016 at 6:24 PM, Dave Borowitz <dbor...@google.com> wrote:Which permissions are you specifically concerned about here?Specifically, I have seen that computing mergeability checks Read permission on the target branch.The code reaches RefControl.isVisible [1] and proceeds to canPerform(Permission.READ)because getUser().isInternalUser() returns false.I haven't yet checked if and what other permissions may also be evaluated.Good point, that would be nice to short-circuit.With the current logic of evaluating permission against the change owner we can evenend-up into failing to (re)index a change. This can happen in a setup where projectsare not generally visible to all users but only to project owners and when a change ownerleaves the team and looses Read permission on the project. In that case the visibility checkreturns false.NOTE: I haven't verified the above assumption yet.
We are discussing two topics here:1. (unnecessary) permission checks during (re)indexing against the current user2. normalization of the approval values which is done during (re)indexing and which also involves permission checksOn Tue, Sep 6, 2016 at 10:39 PM, Dave Borowitz <dbor...@google.com> wrote:On Tue, Sep 6, 2016 at 4:28 PM, Saša Živkov <ziv...@gmail.com> wrote:On Tue, Sep 6, 2016 at 6:24 PM, Dave Borowitz <dbor...@google.com> wrote:Which permissions are you specifically concerned about here?Specifically, I have seen that computing mergeability checks Read permission on the target branch.The code reaches RefControl.isVisible [1] and proceeds to canPerform(Permission.READ)because getUser().isInternalUser() returns false.I haven't yet checked if and what other permissions may also be evaluated.Good point, that would be nice to short-circuit.With the current logic of evaluating permission against the change owner we can evenend-up into failing to (re)index a change. This can happen in a setup where projectsare not generally visible to all users but only to project owners and when a change ownerleaves the team and looses Read permission on the project. In that case the visibility checkreturns false.NOTE: I haven't verified the above assumption yet.Therefore, I think we must use InternalUser when reindexing.
In general my concern was about any permission evaluation during indexing... IMO we don't needit and if we cannot easily avoid calling code which does permission evaluation then using an InternalUser isthe intended way to avoid that evaluation, right?There is at least one corner case in NoteDb where we do actually have to check permissions during reindex. Since approvals in NoteDb are not copied forward in storage at patch set creation time, we run the ApprovalCopier via ChangeData#currentApprovals. ApprovalCopier (currently) uses permissions to truncate approvals to the allowed range for that user.For that case we probably don't actually care what the user is in the ChangeControl we pass to ApprovalCopier#getForPatchSet, since it turns around and calls controlFor(otherUser).I understand. However, this is a completely different thing... it doesn't depend on the current user and itdoes some permission evaluation for a user who posted an approval on that change, not for the current user.Conceptually this is not really a part of reindexing but more a lazy-update, if I understand it correctly.You're correct that it's for a user who voted on a label, but it really does have to do it during reindexing.Does it also has to be done when Gerrit is stopped and we do offline (re)indexing?This seems not necessary if the approvals in NoteDb were already copied?
In other words yes it's a lazy lookup but we do the lazy lookup when indexing a change.ChangeField#LABEL looks up labels on the current patch set to store them in the index.LABEL#get-> ChangeData#currentApprovals-> ApprovalsUtil#byPatchSet-> ApprovalCopier#getForPatchSet-> LabelNormalizer#normalize-> LabelNormalizer#applyRightFloorBut passing InternalUser won't actually avoid most of the ACL evaluations.It would avoid ACL evaluation at least in the example [1].Any better ideas/proposals?I do not have any ideas about how to avoid calling LabelNormalizer#applyRightFloor in the index path, sorry :(I am right now more concerned about topic 1 and I think we agree that using InternalUser instead of the change owneras the current user when reindexing a change is a possible bug fix.Btw, another issue with evaluating permissions during offline reindexing is that it can producetons of "Unkown GroupMembership for UUID: user%3A..." warnings if a group backend is contributedby a plugin (singleusergroup plugin) and a permission is assigned to a group from that backend ("user/joe" for the singleusergroup plugin).There will be one such warning for each change from that project.
In other words yes it's a lazy lookup but we do the lazy lookup when indexing a change.ChangeField#LABEL looks up labels on the current patch set to store them in the index.LABEL#get-> ChangeData#currentApprovals-> ApprovalsUtil#byPatchSet-> ApprovalCopier#getForPatchSet-> LabelNormalizer#normalize-> LabelNormalizer#applyRightFloorBut passing InternalUser won't actually avoid most of the ACL evaluations.It would avoid ACL evaluation at least in the example [1].Any better ideas/proposals?I do not have any ideas about how to avoid calling LabelNormalizer#applyRightFloor in the index path, sorry :(I am right now more concerned about topic 1 and I think we agree that using InternalUser instead of the change owneras the current user when reindexing a change is a possible bug fix.Btw, another issue with evaluating permissions during offline reindexing is that it can producetons of "Unkown GroupMembership for UUID: user%3A..." warnings if a group backend is contributedby a plugin (singleusergroup plugin) and a permission is assigned to a group from that backend ("user/joe" for the singleusergroup plugin).There will be one such warning for each change from that project.Ouch, getting rid of those warnings will be nice.Permissions issues aside, I wonder if it's a problem in general that we don't load plugins in Reindex (or other programs).
For example, should we call ChangeIndexedListeners from plugins?
Maybe an option to choose which plugins to load is the way to go?
On Thu, Sep 8, 2016 at 11:28 AM, Saša Živkov <ziv...@gmail.com> wrote:On Thu, Sep 8, 2016 at 5:15 PM, Dave Borowitz <dbor...@google.com> wrote:I talked about this with Jonathan a bit offline, and we think it might be ok to have ApprovalCopier/LabelNormalizer not bother trying to squash votes according to the current permission range. This is a behavior change, but we might be ok with it.