Most efficient way to include other attributes verbatim in scripted attributes

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Most efficient way to include other attributes verbatim in scripted attributes

Wessel, Keith William
All,

We're mapping several LDAP groups to entitlements, many with regex so we can include part of the group name in the entitlement value for sets of groups matching a pattern. I'd like to do this efficiently since users can have a lot of group memberships, and I suspect iterating over all of them might get expensive.

Currently, I'm using a mapped attribute definition to map the groups to entitlement values in an internal attribute called entitlementGroups. I then use entitlementGroups in my eduPersonEntitlement script. The script is using other attributes besides the group memberships to apply other entitlement values. So, I can't just replace the whole eduPersonEntitlement definition with a mapped attribute. But for the entitlementGroups attribute, the eduPersonEntitlement script just iterates over it with a for-loop to do an eduPersonEntitlement.addValue for each of its values.

I realize I could just iterate over the user's raw group memberships attribute instead and skip the mapped attribute definition, doing if (group.match(/regex/) for each value. So, first question, is the mapped attribute definition more efficient than iterating over the group memberships and matching each one against a regex in my script? Or is it essentially the same code?

And second question: if the mapped attribute definition is more efficient, is there a more efficient way in my script to take all of the values of entitlementGroups and add them to eduPersonEntitlement? A way, that is, to say here's a multi-valued attribute; add all of its values to the list of values output by this script?

Thanks,
Keith

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Most efficient way to include other attributes verbatim in scripted attributes

Cantor, Scott E.
On 11/21/19, 9:51 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> I realize I could just iterate over the user's raw group memberships attribute instead and skip the mapped attribute
> definition, doing if (group.match(/regex/) for each value. So, first question, is the mapped attribute definition more
> efficient than iterating over the group memberships and matching each one against a regex in my script? Or is it
> essentially the same code?

If you really want to know things like that, the metrics support was built to let you install timers around individual connectors to measure the time. I don't think anything else is going to be anything but speculation.

> And second question: if the mapped attribute definition is more efficient, is there a more efficient way in my script to
> take all of the values of entitlementGroups and add them to eduPersonEntitlement? A way, that is, to say here's a
> multi-valued attribute; add all of its values to the list of values output by this script?

This is probably going to turn out to be "because I'm using Rhino instead of the garbage pile Nashorn" but my entitlement script has:

    eduPersonEntitlement.getValues().addAll(entitlement.getValues());

"entitlement" here is an attribute from an LDAP connector, so this is the part that echoes all of the directory-based values in my script that adds all the other stuff.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Most efficient way to include other attributes verbatim in scripted attributes

Wessel, Keith William
Thanks, Scott. Yes, I know I could use the metrics to time things, but I was hoping for some insight into the code behind a mapped attribute definition. I guess I could go snoop in the code, myself. Just wondered if that code was more efficient than just a for loop iterating over each value and doing a regex compare.

I didn't know about the addAll method. That worked fine and, I'm sure, is more efficient than my for loop to add the values one at a time.

Thanks,
Keith


-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Thursday, November 21, 2019 9:12 AM
To: Shib Users <[hidden email]>
Subject: Re: Most efficient way to include other attributes verbatim in scripted attributes

On 11/21/19, 9:51 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> I realize I could just iterate over the user's raw group memberships
> attribute instead and skip the mapped attribute definition, doing if
> (group.match(/regex/) for each value. So, first question, is the
> mapped attribute definition more efficient than iterating over the group memberships and matching each one against a regex in my script? Or is it essentially the same code?

If you really want to know things like that, the metrics support was built to let you install timers around individual connectors to measure the time. I don't think anything else is going to be anything but speculation.

> And second question: if the mapped attribute definition is more
> efficient, is there a more efficient way in my script to take all of
> the values of entitlementGroups and add them to eduPersonEntitlement? A way, that is, to say here's a multi-valued attribute; add all of its values to the list of values output by this script?

This is probably going to turn out to be "because I'm using Rhino instead of the garbage pile Nashorn" but my entitlement script has:

    eduPersonEntitlement.getValues().addAll(entitlement.getValues());

"entitlement" here is an attribute from an LDAP connector, so this is the part that echoes all of the directory-based values in my script that adds all the other stuff.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Most efficient way to include other attributes verbatim in scripted attributes

Cantor, Scott E.
On 11/21/19, 11:07 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> Thanks, Scott. Yes, I know I could use the metrics to time things, but I was hoping for some insight into the code
> behind a mapped attribute definition. I guess I could go snoop in the code, myself. Just wondered if that code was
> more efficient than just a for loop iterating over each value and doing a regex compare.

Well, one is in Java, and one is more scripting, so I think as a rule it will be faster to do the Java. The regexes in Java also usually get compiled once and then reused.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Most efficient way to include other attributes verbatim in scripted attributes

Wessel, Keith William
Makes sense. Thanks very much.

Keith


-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Thursday, November 21, 2019 10:51 AM
To: Shib Users <[hidden email]>
Subject: Re: Most efficient way to include other attributes verbatim in scripted attributes

On 11/21/19, 11:07 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> Thanks, Scott. Yes, I know I could use the metrics to time things, but
> I was hoping for some insight into the code behind a mapped attribute
> definition. I guess I could go snoop in the code, myself. Just wondered if that code was more efficient than just a for loop iterating over each value and doing a regex compare.

Well, one is in Java, and one is more scripting, so I think as a rule it will be faster to do the Java. The regexes in Java also usually get compiled once and then reused.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]