Share This:

Adding Authorizations to an Acl Template is typically accomplished by running a series of blcli_execute BlAclTemplate addTemplatePermission commands.  Some brief profiling shows that adding 100 Authorizations to a newly created Acl Template takes about 10 seconds.  That's not too bad, but I wonder if it could be faster.  If we look in the unreleased blcli commands documentation for the addTemplatePermission command we can see what it runs:

Reading through the sequence of commands what happens is that it loads up the acl object from the template (the thing that contains the list of role:authorizations), then creates a new acl entry (blAce), adds the new role and authorization, and then updates the acl object with this acl entry.  Then the acl template object is updated with the newly update acl list.  It's likely that instead of immediately running the template update, we can keep adding more and more acl entries to the acl object and do a single update at the end.

 

We want to be able to compare the run times to the current method of adding acls so we should build out a script that does both and compare run times.  I'll just grab a subset of the entire list of authorizations for this test and then run each method, noting the runtime.

 

#!/bin/nsh
# load the date/time module so we can use $EPOCHSECONDS
zmodload zsh/datetime
blcli_setjvmoption -Dcom.bladelogic.cli.execute.quietmode.enabled=true
blcli_setoption serviceProfileName defaultProfile
blcli_setoption roleName BLAdmins
# get just the system authorizations for the test
blcli_execute Authorization findAllByType 1
blcli_execute Authorization getName
blcli_execute Utility setTargetObject
blcli_execute Utility listPrint
blcli_storelocal allAuths
# grab 100, for further profiling get more.  for a real run you'd be reading the list from a file probably.
myAuths="$( tail -100 <<< "${allAuths}")"
echo "Number of auths: $(awk 'NF' <<< "${myAuths}" | wc -l)"
for i in {1..10}
       do
        startTime=${EPOCHSECONDS}
        # create the empty acl template
        blcli_execute BlAclTemplate createAclTemplate Template1 Template1
         # loop through the list of authorizations i pulled and add them to the template
        while read i
                do
                blcli_execute BlAclTemplate addTemplatePermission Template1 BLAdmins "${i}"
        done <<< "$(awk 'NF' <<< "${myAuths}")"
        endTime=${EPOCHSECONDS}
         # get the runtime.
        echo "addTemplatePermission RunTime=$((${endTime}-${startTime}))"
        blcli_execute BlAclTemplate deleteAclTemplateByName Template1

        startTime=${EPOCHSECONDS}
         # create the template, step through the underlying calls for addTemplatePermission
        blcli_execute BlAclTemplate createAclTemplate Template2 Template2
        blcli_execute BlAclTemplate findByName Template2
        blcli_execute Utility storeTargetObject template
        blcli_execute BlAclTemplate getTemplateBlAcl
        blcli_execute Utility setTargetObject
        blcli_execute Utility storeTargetObject blAcl

         # loop over the list of auths to add, add them to the acl object and do the update later.
        while read i
                do
                blcli_execute RBACRole getRoleIdByName BLAdmins
                blcli_execute Utility setTargetObject
                blcli_execute Utility storeTargetObject roleId
                blcli_execute Authorization getAuthorizationIdByName "${i}"
                blcli_execute Utility setTargetObject
                blcli_execute Utility storeTargetObject authId
                blcli_execute Utility setTargetObject
                blcli_execute BlAce createInstance NAMED_OBJECT=roleId NAMED_OBJECT=authId
                blcli_execute Utility setTargetObject
                blcli_execute Utility storeTargetObject blAce
                blcli_execute Utility setTargetObject blAcl
                blcli_execute BlAcl addAce NAMED_OBJECT=blAce
        done <<< "$(awk 'NF' <<< "${myAuths}")"
        blcli_execute Utility setTargetObject template
        blcli_execute BlAclTemplate update NAMED_OBJECT=template
        blcli_execute BlAclTemplate getDBKey
        endTime=${EPOCHSECONDS}
        echo "unreleased RunTime=$((${endTime}-${startTime}))"
        blcli_execute BlAclTemplate deleteAclTemplateByName Template2
done

 

Running the above shows (collapsed lines for space):

addTemplatePermission RunTime=15 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=2

addTemplatePermission RunTime=9 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=2

addTemplatePermission RunTime=7 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=3

addTemplatePermission RunTime=8 unreleased RunTime=2

addTemplatePermission RunTime=8 unreleased RunTime=2

An average of 8 seconds for the loop of addTemplatePermission commands, average of 2 seconds for the set of unreleased commands.

 

To actually use the new method your script will look something like:

blcli_execute BlAclTemplate createAclTemplate MyTemplate MyTemplate
blcli_execute BlAclTemplate findByName MyTemplate
blcli_execute Utility storeTargetObject template
blcli_execute BlAclTemplate getTemplateBlAcl
blcli_execute Utility setTargetObject
blcli_execute Utility storeTargetObject blAcl

while read auth role
     do
     blcli_execute RBACRole getRoleIdByName "${role}"
     blcli_execute Utility setTargetObject
     blcli_execute Utility storeTargetObject roleId
     blcli_execute Authorization getAuthorizationIdByName "${auth}"
     blcli_execute Utility setTargetObject
     blcli_execute Utility storeTargetObject authId
     blcli_execute Utility setTargetObject
     blcli_execute BlAce createInstance NAMED_OBJECT=roleId NAMED_OBJECT=authId
     blcli_execute Utility setTargetObject
     blcli_execute Utility storeTargetObject blAce
     blcli_execute Utility setTargetObject blAcl
     blcli_execute BlAcl addAce NAMED_OBJECT=blAce
done < /tmp/MyAuthList.txt
blcli_execute Utility setTargetObject template
blcli_execute BlAclTemplate update NAMED_OBJECT=template
blcli_execute BlAclTemplate getDBKey

 

Where /tmp/MyAuthList.txt has the format like:

role authname