Problem
If you have made extensive use of permissions / ACLs in CQ or CRX it can affect the CRX search performance because when search results are being retrieved they must be filtered against the permissions in the CRX repository.
In cases where this is an issue, if you take thread dumps you will see that there is a lot of lock contention related to stack traces containing the CacheEntryCollector class.
To see if you have a enough permissions (rep:ACE nodes) set in your repository to greatly affect performance, do the following:
- Go to the CRX web app /crxde and login as admin
- Click to Tools => Query
- Select "XPath" as the Type
- In the Query box enter the following query:
//element(*,rep:ACL) order by @jcr:score - Click Execute
If that results in more than 5000 nodes then see below for details on how to improve system performance.
Resolution
1. First of all, research whether or not you can reduce your total number of ACLs. Here are a few tips that may help:
- It makes sense to review your defined ACLs and see if any of them are in superfluous or unnecessary. Many times you can reduce the number of ACLs by adding a group which contains shared permissions then assigning other groups as members of it.
- If you are defining permissions / ACEs directly against users then you may be able to greatly decrease the number of ACEs you are using by removing such permissions. Then you should replace them with permissions that are set against shared groups instead.
Note: If you don't know how to view ACLs in CRX then see this article. You can also search for ACLs using the search mentioned above //element(*,rep:ACL) order by @jcr:score.
2. Once you reduce the total number of ACEs, if you still have a performance problem then see if you can implement a caching layer in your application code for commonly retrieved search results.
3. Finally to increase the ACL cache size.
- Install the latest CRX hotfixpack 2.2.0.56 or above (check package share if available in public otherwise request for it via ticket in Daycare)
- Add the following JVM parameter to change the cache size:
-Dorg.apache.jackrabbit.core.security.authorization.acl.CachingEntryCollector.maxsize=10000
10000 for example if your current number of rep:ACE node was a bit less than 10000.
Applies to
CRX 2.2