
Permission Algorithms

Liferay Portal includes a fairly flexible permission system based on the concepts of roles, permissions and resources. The system provides several implementations of the algorithm used to check whether a given user has permission to perform a certain action. This article describes each of the available algorithms and how to choose the one most appropriate for your case.

RBAC-based algorithms

RBAC stands for Role Based Access Control and is a permissions system in which permissions are always assigned through roles.

Liferay's RBAC implementation debuted in Liferay Portal 5.1 as a way to improve the existing system, especially in terms of ease of use and performance. There are two algorithms for this implementation:

  • Algorithm 5: was introduced in Liferay Portal 5.1 and has been the default algorithm since then.
  • Algorithm 6: currently in development (http://issues.liferay.com/browse/LPS-2793) and will debut in Liferay Portal 6.0. Algorithm 6 is an improved version of Algorithm 5. It provides the exact same functionality, but uses bitwise operations to reduce database size by 66%.
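
The bitwise packing that Algorithm 6 is described as using can be illustrated as follows. This is an added example, not Liferay's code: the class, method and action names are hypothetical, and it shows only the general technique of storing one bitmask per role and resource instead of one row per granted action.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Illustrative sketch only: all names here are hypothetical, not Liferay's API.
public class BitwisePermissionDemo {

    // Give each action of a resource type its own bit: 1, 2, 4, 8, ...
    static Map<String, Long> assignBits(List<String> actions) {
        if (actions.size() > 64) {
            throw new IllegalArgumentException("a long holds at most 64 action bits");
        }
        Map<String, Long> bits = new LinkedHashMap<>();
        long next = 1L;
        for (String action : actions) {
            bits.put(action, next);
            next <<= 1;
        }
        return bits;
    }

    static long grant(long mask, long bit) { return mask | bit; }

    static long revoke(long mask, long bit) { return mask & ~bit; }

    // Fail closed: an action with no registered bit is denied. Testing
    // (mask & 0) == 0 instead would wrongly allow every unknown action.
    static boolean has(long mask, Map<String, Long> bits, String action) {
        Long bit = bits.get(action);
        return bit != null && (mask & bit) != 0;
    }

    public static void main(String[] args) {
        Map<String, Long> bits =
            assignBits(List.of("VIEW", "UPDATE", "DELETE", "PERMISSIONS"));

        // One (role, resource) row holds a single long for all granted actions.
        long mask = 0L;
        mask = grant(mask, bits.get("VIEW"));
        mask = grant(mask, bits.get("UPDATE"));
        mask = grant(mask, bits.get("DELETE"));
        mask = revoke(mask, bits.get("DELETE"));

        for (String action : List.of("VIEW", "UPDATE", "DELETE", "EXPORT")) {
            System.out.println(action + " allowed: " + has(mask, bits, action));
        }
    }
}
```

The check for an unregistered action is the part worth copying: a permission lookup that cannot find the action's bit should deny, not evaluate a zero bit.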

Legacy algorithms

The legacy algorithms were used by all installations prior to Liferay Portal 5.1. They all offer the same functionality and provide more flexibility in assigning permissions to users. In particular, it is possible to assign permissions not only through roles, but also directly to organizations, communities and individual users.

This flexibility has a cost in performance and UI complexity but is needed in some scenarios. There are four different legacy algorithms:

  • Algorithm 1
  • Algorithm 2
  • Algorithm 3
  • Algorithm 4

These algorithms vary in aspects such as making fewer, more complex SQL queries versus more, simpler SQL queries. There is no hard rule for choosing one or the other. The most appropriate one will be determined by factors such as the latency of access to the database, your database's ability to optimize queries, or the number of users, organizations, etc. in your installation. It is recommended to perform real load tests to determine which algorithm is best for your case.

Questions & Answers

Is it possible to switch from one algorithm to another?

In general, the answer is no, but there are some exceptions:

  • You can safely switch between algorithms 1 to 4 at any point in time.
  • A converter is being developed to change from algorithms 1 to 4 towards algorithm 5.

How do I select the algorithm I want to use?

Through a configuration property of portal.properties:

    permissions.user.check.algorithm=5

Comments

Threaded replies | Author | Date
What happens if am in algorithm 2 and switch to... | Daniel Polistchuck | April 12, 2009 6:24 PM
Is the converter REALLY being developed? How... | Dana Oredson | April 16, 2009 12:11 PM
Where are the details of algorithm 5... | Ralph Goers | January 26, 2010 7:37 PM
"A converter is being developed to change from... | Richard Kovacs | August 24, 2010 6:58 AM
does anyone know if the converter was developed... | mirko bordigoni | December 7, 2011 7:05 AM

What happens if I am in algorithm 2 and switch to 5? Will I corrupt something or would it only be a matter of manually applying permissions?
(Great product, btw!)

Regards,

Daniel
Posted on 09-4-12 6:24 PM.

Is the converter REALLY being developed? How hard can it be to write? I am more than willing to contribute, either in testing or attempting to write something, if anyone is willing to share what has been developed so far.

It's been quite a while since the RBAC algorithm was introduced, but I haven't seen any upgrade tools so far.

Anyone?
Posted on 09-4-16 12:11 PM.

Where are the details of algorithm 5 documented? The link in LPS-2793 does a good job of documenting how the data is structured, but I haven't seen anything that documents how these algorithms work.
Posted on 10-1-26 7:37 PM.

"A converter is being developed to change from algorithms 1 to 4 towards algorithm 5." Maybe when it is finished, please link the converter here. It's easier to find here.
Posted on 10-8-24 6:58 AM.

Does anyone know if the converter was developed and where it is? Thanks
Posted on 11-12-7 7:05 AM in reply to Richard Kovacs.