osiam / connector4java

Native Java API to connect to the REST based OSIAM services
MIT License

Bulk searchUsers operation #143

Open timopick opened 9 years ago

timopick commented 9 years ago

From @umerkayani: In Vibesa we require a more efficient version of the searchUsers method of the connector4java component. Right now we have the method as follows:

public SCIMSearchResult<User> searchUsers(Query query, AccessToken accessToken)

and we need something like this:

public List<SCIMSearchResult<User>> searchUsers(List<Query> queries, AccessToken accessToken)

tkrille commented 9 years ago

Why not simply make multiple calls yourself, or create a viable abstraction around the connector, or do you want to send multiple queries at once to the resource-server and get back multiple SCIMSearchResults at once, too?

tkrille commented 9 years ago

The last option is covered by the SCIM API spec: http://tools.ietf.org/html/draft-ietf-scim-api-19#section-3.7

So this has to be supported in the resource-server, too.

timopick commented 9 years ago

Exactly. The scenario is as follows: There is an authorization component within Vibesa that defines and evaluates the user permissions.

Example: If the following search query returns the current user, the permission is granted.

Permission [id=9, name=Zielgruppe Antrag: Einkommenserklärung (SF/FH, JONA),
    description=Einkommenserklärung (SF/FH, JONA),
    rule=(groups.display eq "vr_stipendiat" OR groups.display eq "vr_anwaerterStipendiat")
        AND (urn:scim:schemas:vibesa:1.0:vibesa.stipfoetyp eq "SF"
            OR urn:scim:schemas:vibesa:1.0:vibesa.stipfoetyp eq "FH"
            OR urn:scim:schemas:vibesa:1.0:vibesa.stipfoetyp eq "JONA")]

The rule part of each permission is an OSIAM searchUsers query. We have round about 50 permissions that need to be checked for each user who tries to access the application. This means 50 searchUsers requests per user. This creates a lot of round-trip time. In order to eliminate the server round trips, the Vibesa team would welcome a bulk request with all the 50 queries and a response list that contains responses for all the queries.

tkrille commented 9 years ago

Searching is the most costly operation you can do with OSIAM, especially when it comes down to extensions and the OR operator. For each search request, most of the time will be spent in the resource-server and database, collecting and transforming the results. So by bulking the requests you definitely gain a little performance boost, but a bulk search with 50 queries can easily take multiple seconds to complete. Do you make these searches on every request of a user or just initially when they log in? Nevertheless, I would suggest that you fetch and cache the complete User object and check the rules in-memory in your app. Maybe put the User in the session or something.

Having said that, implementing bulk operations, as defined by the SCIM 2.0 specs, is something that's really useful for OSIAM. And we'd love to implement that. We could start with search and get, and schedule the mutating methods for the future. As this must be implemented in the resource-server, someone should open an issue there, too. For the next time, please use the general, overarching issue tracker here: https://github.com/osiam/osiam/issues
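
The in-memory check suggested in the thread (cache the complete User once, then evaluate each permission rule locally instead of sending a searchUsers request per rule) could look like the following. This is an added example, not code from OSIAM, connector4java or Vibesa: the class `RuleCheck`, its `permits` method and the flattened attribute map are hypothetical, and only `eq`, `AND`, `OR` and parentheses are supported.

```java
import java.util.*;
import java.util.regex.*;
public class RuleCheck {
    // Tokens: parentheses, quoted strings, bare words (attribute paths, eq, AND, OR).
    private static final Pattern TOKEN = Pattern.compile("\\(|\\)|\"[^\"]*\"|[^\\s()]+");
    private final List<String> tokens = new ArrayList<>();
    private Map<String, Set<String>> user; // hypothetical flattened view of the cached User
    private int pos;

    /** Fail closed: a rule that does not parse, or uses anything but eq/AND/OR, denies. */
    public static boolean permits(String rule, Map<String, Set<String>> user) {
        try {
            RuleCheck p = new RuleCheck();
            p.user = user;
            Matcher m = TOKEN.matcher(rule);
            while (m.find()) p.tokens.add(m.group());
            return p.or() && p.pos == p.tokens.size(); // reject trailing tokens
        } catch (RuntimeException e) { return false; }
    }
    private boolean accept(String s) { // consume the next token if it equals s
        boolean hit = pos < tokens.size() && tokens.get(pos).equalsIgnoreCase(s);
        if (hit) pos++;
        return hit;
    }
    // or := and (OR and)*, and := term (AND term)*; |= and &= always parse the right operand.
    private boolean or() { boolean v = and(); while (accept("OR")) v |= and(); return v; }
    private boolean and() { boolean v = term(); while (accept("AND")) v &= term(); return v; }
    private boolean term() { // term := '(' or ')' | attribute eq "literal"
        if (accept("(")) {
            boolean v = or();
            if (!accept(")")) throw new IllegalArgumentException("missing )");
            return v;
        }
        String attr = tokens.get(pos++), op = tokens.get(pos++), lit = tokens.get(pos++);
        if (!attr.matches("[\\w.:]+") || !op.equalsIgnoreCase("eq") || !lit.matches("\"[^\"]*\""))
            throw new IllegalArgumentException("unsupported term");
        // Assumption: exact, case-sensitive match against any value of the attribute.
        return user.getOrDefault(attr, Set.of()).contains(lit.substring(1, lit.length() - 1));
    }

    public static void main(String[] args) { // constructed sample user, rule quoted in the thread
        String ext = "urn:scim:schemas:vibesa:1.0:vibesa.stipfoetyp";
        Map<String, Set<String>> user = Map.of("groups.display", Set.of("vr_stipendiat"), ext, Set.of("FH"));
        String rule = "(groups.display eq \"vr_stipendiat\" OR groups.display eq \"vr_anwaerterStipendiat\")"
            + " AND (" + ext + " eq \"SF\" OR " + ext + " eq \"FH\" OR " + ext + " eq \"JONA\")";
        System.out.println(permits(rule, user));
        System.out.println(permits("groups.display eq \"vr_stipendiat\" OR", user)); // truncated rule
    }
}
```

Because the cached attributes decide access, the cache lifetime bounds how long a removed group membership keeps granting a permission, so the cached User should be refreshed or invalidated when memberships change.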