Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20474

getACL methods are too expensive when current ACL is SYSTEM

    Details

    • Similar Issues:

      Description

      There are many occasions when a long block of code is running as ACL.SYSTEM (generally anything that is not handling a HTTP or CLI request), yet permission checks (done as part of e.g. Jenkins.getAllItems) call many getACL methods on model objects, which in turn ask the AuthorizationStrategy to make a new ACL instance, which can be rather expensive in some cases, and then ask that implementation about SYSTEM, which may actually be a shortcut in the strategy but by that point a lot of work has already been doneā€”all wasted, since SYSTEM must have full permissions regardless of strategy.

      It would be better for core should ensure that Jenkins.getACL and other getACL methods calling Jenkins.getInstance().getAuthorizationStrategy().getACL(this) (AbstractItem, Computer, Job, Node, User, Cloud, View) return a proxy ACL whose hasPermission checks for SYSTEM immediately (returning true in this case), only consulting the AuthorizationStrategy for another Authentication. (The proxy ACL could even be a cached part of the model object, avoiding all object construction in this case.)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: