Access Control in MapServer
Daniel Morissette
dmorissette at MAPGEARS.COM
Tue Jan 23 13:48:03 EST 2007
Sean Gillies wrote:
>
> Daniel, I finally took a close look at DACS, and it doesn't seem so bad.
> It is middleware and has an Apache module. If you really have to
> implement super fine grain permissions into feature access and
> rendering, it might be a decent choice, but are you not worried about
> the performance hit of checking permission for every feature drawn on a
> map? Thousands of calls to the access control API for every map drawn?
> Decent performance is going to mandate pre-processed shapefiles or
> PostGIS views, so attribute-level run-time access control seems less
> useful the more I think about it.
>
I agree with you 100% on the possible performance hit if this is not
used properly. This can be lightweight if only used to filter layers or
attributes, but can become quite heavy if a filter is applied to every
shape of a large resultset.
However this can still be useful in several cases, for instance a WFS
GetFeature call which would normally return a set of 100 shapes which is
filtered down to about 20 shapes by a DACS rule. Even if the source
dataset contains thousands of shapes, we need to place the DACS hooks in
MapServer so that they are evaluated only after the initial 100 shapes
were extracted from the layer. This way the filter is evaluated only 100
times which is not quite as bad.
Anyway, you got a very good point that performance can be quite bad if
this is misused and applied to thousands of shapes per map drawn.
BTW, an update on this, we have decided to put our proposal plans on
hold, mainly because of bad timing, but the idea has not been completely
abandoned so it's good to continue to have this discussion.
Daniel
--
Daniel Morissette
http://www.mapgears.com/
More information about the mapserver-dev
mailing list