We have many searches which as a result only require the DNs of the search result. With delegative administration these searches must now search for every attribute of the result, search for every guardianRole of these objects and must transform that whole information into UDM REST API representation to send it to the "Guardian" authorization backend. This is a huge bottleneck, e.g. one case: when opening the DetailPage of any object, the syntax choices of objects just require the selectable DNs/entries. Our current only supported/available condition is based on the position of the object, not really full ABAC on the attributes, therefore we can just send the position, DN and object-type of the object to the authorization engine, in this case.
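The position-based condition described above needs only the DN, the position derived from it, and the object type. As an added example (not UDM or Guardian code; `split_dn`, `Grant` and `authorize_dn_only` are hypothetical names and the sample DNs are constructed), this filters DN-only search results and compares positions RDN by RDN, because a plain string suffix test would wrongly accept the third and fourth entries:

```python
# Added illustration: split_dn, Grant and authorize_dn_only are hypothetical
# names, not UDM or Guardian APIs. DN handling is simplified (no multi-valued
# RDNs or hex escapes); real code should use a DN parser such as ldap.dn.str2dn.
from dataclasses import dataclass

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honoring escaped commas."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped char inside its RDN
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":                      # unescaped comma ends the RDN
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur)
    # Assumption: attribute types and values compare case-insensitively.
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]

@dataclass(frozen=True)
class Grant:
    object_type: str   # e.g. "users/user"
    position: str      # subtree the role applies to

def in_subtree(dn, base):
    """True if the object's position (parent DN) is base or lies below it."""
    position, base_rdns = split_dn(dn)[1:], split_dn(base)
    return len(position) >= len(base_rdns) and position[-len(base_rdns):] == base_rdns

def authorize_dn_only(grants, candidates):
    """Filter (dn, object_type) pairs using only DN, position and type."""
    return [dn for dn, otype in candidates
            if any(g.object_type == otype and in_subtree(dn, g.position) for g in grants)]

# Constructed sample data.
GRANTS = [Grant("users/user", "ou=sales,dc=example,dc=com")]
CANDIDATES = [
    ("uid=alice,ou=sales,dc=example,dc=com", "users/user"),       # in subtree
    ("uid=bob,OU=Sales, DC=example,DC=com", "users/user"),        # case/spacing differ
    ("uid=eve,xou=sales,dc=example,dc=com", "users/user"),        # different RDN type
    ("cn=a\\,ou=sales,dc=example,dc=com", "users/user"),          # comma is part of the cn
    ("cn=pc1,ou=sales,dc=example,dc=com", "computers/windows"),   # wrong object type
]

if __name__ == "__main__":
    print(authorize_dn_only(GRANTS, CANDIDATES))
```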
The performance improvements have been done. More optimization is possible for single syntax classes inheriting from UDM_Objects, which unnecessarily use `use_objects = True` or where the UDM modules don't support `lookup_filter()`:

See https://git.knut.univention.de/univention/dev/ucs/-/issues/3192

```
>>> [name for name, syn in inspect.getmembers(univention.admin.syntax, lambda m: inspect.isclass(m) and issubclass(m, univention.admin.syntax.UDM_Objects)) if syn.use_objects]
['HostDN', 'IComputer_FQDN', 'LDAP_Server', 'MailHomeServer', 'NewPortalAnnouncements', 'NewPortalCategories', 'NewPortalCategoryEntries', 'NewPortalEntries', 'NewPortalFolders', 'PrinterNames', 'PrinterProducerList', 'Printers', 'Service', 'ServiceMail', 'ServicePrint', 'ServicePrint_FQDN', 'UDM_Objects', 'UMC_OperationSet', 'UserMailAddress', 'Windows_Server', 'dhcpService', 'emailAddressValidDomain', 'monitoringAlerts', 'monitoringEnabledHosts', 'nagiosHostsEnabledDn', 'nagiosServiceDn', 'network', 'primaryEmailAddressValidDomain']
```

```
>>> {mod.module for mod in univention.admin.modules.modules.values() if not hasattr(mod, 'lookup_filter')}
{'ms/gpwl-wireless-blob', 'ms/gpipsec-filter', 'container/msgpo', 'ms/gpipsec-nfa', 'users/passwd', 'dns/dns', 'blocklists/all', 'settings/mswmifilter', 'ms/gpsi-category-registration', 'computers/ipmanagedclient', 'ms/gpipsec-isakmp-policy', 'ms/gpwl-wired', 'mail/mail', 'dhcp/dhcp', 'portals/all', 'settings/msprintconnectionpolicy', 'ms/gpsi-package-registration', 'shares/print', 'settings/settings', 'ms/gpipsec-policy', 'ms/domainpolicy', 'ms/gpsi-class-store', 'computers/trustaccount', 'ms/gpwl-wireless', 'ms/gpipsec-negotiation-policy', 'policies/policy', 'computers/computer', 'nagios/nagios'}
```

univention-directory-manager-modules.yaml
29516f7c1eff | perf(udm): improve performance of searches when searching for only DNs

univention-directory-manager-modules (17.3.6)
1c03008771bf | refactor(udm-syntax): refactor UDM_Objects syntax branches
29516f7c1eff | perf(udm): improve performance of searches when searching for only DNs

OK - advisory
OK - univention-directory-manager-modules
OK - tests

<https://errata.software-univention.de/#/?erratum=5.2x282>