Repository: cassandra Updated Branches: refs/heads/cassandra-2.0 62db99037 -> 549f035b9 refs/heads/cassandra-2.1 5ba1f80a2 -> ace937eb7 refs/heads/trunk d57890ca6 -> 381ff18b2
Allow permissions cache to be set via JMX Patch by brandonwilliams, reviewed by aleksey for CASSANDRA-7968 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/549f035b Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/549f035b Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/549f035b Branch: refs/heads/cassandra-2.0 Commit: 549f035b925d6b49400667401bef96baaceb31fd Parents: 62db990 Author: Brandon Williams <[email protected]> Authored: Thu Sep 18 06:51:22 2014 +0000 Committer: Brandon Williams <[email protected]> Committed: Thu Sep 18 06:51:22 2014 +0000 ---------------------------------------------------------------------- CHANGES.txt | 1 + src/java/org/apache/cassandra/auth/Auth.java | 46 +++++++++++++++++++- .../org/apache/cassandra/auth/AuthMBean.java | 25 +++++++++++ .../cassandra/config/DatabaseDescriptor.java | 6 +++ .../apache/cassandra/service/ClientState.java | 31 +------------ 5 files changed, 79 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/549f035b/CHANGES.txt ----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 1eab20e..01d32e7 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 2.0.11:
+ * Allow permissions cache to be set via JMX (CASSANDRA-7698)
 * Include schema_triggers CF in readable system resources (CASSANDRA-7967)
 * Fix RowIndexEntry to report correct serializedSize (CASSANDRA-7948)
 * Make CQLSSTableWriter sync within partitions (CASSANDRA-7360)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/549f035b/src/java/org/apache/cassandra/auth/Auth.java ----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/Auth.java b/src/java/org/apache/cassandra/auth/Auth.java
index f3fcdf0..8027db4 100644
--- a/src/java/org/apache/cassandra/auth/Auth.java
+++ b/src/java/org/apache/cassandra/auth/Auth.java
@@ -17,8 +17,12 @@
 */
 package org.apache.cassandra.auth;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
 import org.apache.commons.lang3.StringUtils;
@@ -39,8 +43,9 @@ import org.apache.cassandra.locator.SimpleStrategy;
 import org.apache.cassandra.service.*;
 import org.apache.cassandra.transport.messages.ResultMessage;
 import org.apache.cassandra.utils.ByteBufferUtil;
+import org.apache.cassandra.utils.Pair;
-public class Auth
+public class Auth implements AuthMBean
 {
 private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@@ -51,6 +56,10 @@ public class Auth
 public static final String AUTH_KS = "system_auth";
 public static final String USERS_CF = "users";
+ // User-level permissions cache.
+ public static volatile LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> permissionsCache = initPermissionsCache(null);
+
+
 private static final String USERS_CF_SCHEMA = String.format("CREATE TABLE %s.%s ("
 + "name text,"
 + "super boolean,"
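Review bot: `permissionsCache` in the third hunk is declared `public static volatile` and non-final, so any class can reassign or null the cache that authorization decisions are read from. Consider keeping the field `private static volatile` and exposing a read accessor such as `public static LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> getPermissionsCache()`, which leaves `setPermissionsValidity` as the only writer. The existing comment could also state that the field is `null` when caching is disabled, which is what the `AllowAllAuthorizer` and `validityPeriod <= 0` returns in `initPermissionsCache` produce.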
@@ -62,6 +71,41 @@ public class Auth
 private static SelectStatement selectUserStatement;
+ public int getPermissionsValidity()
+ {
+ return DatabaseDescriptor.getPermissionsValidity();
+ }
+
+ public void setPermissionsValidity(int timeoutInMs)
+ {
+ DatabaseDescriptor.setPermissionsValidity(timeoutInMs);
+ permissionsCache = initPermissionsCache(permissionsCache);
+ }
+
+ private static LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initPermissionsCache(LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> oldCache)
+ {
+ if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+ return null;
+
+ int validityPeriod = DatabaseDescriptor.getPermissionsValidity();
+ if (validityPeriod <= 0)
+ return null;
+
+ LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> newCache =
+ CacheBuilder.newBuilder().expireAfterWrite(validityPeriod, TimeUnit.MILLISECONDS)
+ .build(new CacheLoader<Pair<AuthenticatedUser, IResource>, Set<Permission>>()
+ {
+ public Set<Permission> load(Pair<AuthenticatedUser, IResource> userResource)
+ {
+ return DatabaseDescriptor.getAuthorizer().authorize(userResource.left,
+ userResource.right);
+ }
+ });
+ if (oldCache != null)
+ newCache.putAll(oldCache.asMap());
+ return newCache;
+ }
+
 /**
 * Checks if the username is stored in AUTH_KS.USERS_CF.
 *
http://git-wip-us.apache.org/repos/asf/cassandra/blob/549f035b/src/java/org/apache/cassandra/auth/AuthMBean.java ----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/AuthMBean.java b/src/java/org/apache/cassandra/auth/AuthMBean.java
new file mode 100644
index 0000000..5ebbe49
--- /dev/null
+++ b/src/java/org/apache/cassandra/auth/AuthMBean.java
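Review bot: In `initPermissionsCache`, `newCache.putAll(oldCache.asMap())` re-inserts every cached permission set into a cache built with `expireAfterWrite`, so each copied entry starts a fresh validity period at the moment the JMX setter runs. An entry that was close to expiry, including one for a permission revoked since it was loaded, is then served for up to a further full `validityPeriod` regardless of its age. Dropping the copy (remove the `if (oldCache != null)` and `newCache.putAll(oldCache.asMap());` lines) lets entries reload through the authorizer on next use. `setPermissionsValidity` also changes an authorization setting without leaving a trace; a line such as `logger.info("Permissions validity set to {} ms via JMX", timeoutInMs);` would give operators an audit record. Registration of `Auth` with an MBean server is not visible in these hunks, so confirm it happens elsewhere.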
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+public interface AuthMBean
+{
+ public int getPermissionsValidity();
+
+ public void setPermissionsValidity(int timeoutInMs);
+}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/549f035b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java ----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 3162fd1..209d6c9 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
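Review bot: The new `AuthMBean` interface has no Javadoc, so a JMX operator cannot tell the unit or the effect of special values from the attribute itself. Going by `Auth.initPermissionsCache`, a value `<= 0` disables the permissions cache, and the parameter name `timeoutInMs` gives the unit; both belong in a comment on the setter, e.g. `/** Permissions cache validity in milliseconds; a value <= 0 disables the cache. */`. The same applies to `DatabaseDescriptor.setPermissionsValidity(int timeout)` in the next file, where the parameter name drops the unit that `conf.permissions_validity_in_ms` carries.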
@@ -571,6 +571,12 @@ public class DatabaseDescriptor
 return conf.permissions_validity_in_ms;
 }
+ public static void setPermissionsValidity(int timeout)
+ {
+ conf.permissions_validity_in_ms = timeout;
+ }
+
+
 public static int getThriftFramedTransportSize()
 {
 return conf.thrift_framed_transport_size_in_mb * 1024 * 1024;
http://git-wip-us.apache.org/repos/asf/cassandra/blob/549f035b/src/java/org/apache/cassandra/service/ClientState.java ----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 44f2b87..38c56da 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -20,11 +20,7 @@ package org.apache.cassandra.service;
 import java.net.SocketAddress;
 import java.util.*;
 import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Sets;
 import org.apache.commons.lang3.StringUtils;
@@ -58,9 +54,6 @@ public class ClientState
 private static final Set<IResource> READABLE_SYSTEM_RESOURCES = new HashSet<>();
 private static final Set<IResource> PROTECTED_AUTH_RESOURCES = new HashSet<>();
- // User-level permissions cache.
- private static final LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> permissionsCache = initPermissionsCache();
-
 static
 {
 // We want these system cfs to be always readable to authenticated users since many tools rely on them
@@ -318,35 +311,15 @@ public class ClientState
 return new SemanticVersion[]{ cql, cql3 };
 }
- private static LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initPermissionsCache()
- {
- if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
- return null;
-
- int validityPeriod = DatabaseDescriptor.getPermissionsValidity();
- if (validityPeriod <= 0)
- return null;
-
- return CacheBuilder.newBuilder().expireAfterWrite(validityPeriod, TimeUnit.MILLISECONDS)
- .build(new CacheLoader<Pair<AuthenticatedUser, IResource>, Set<Permission>>()
- {
- public Set<Permission> load(Pair<AuthenticatedUser, IResource> userResource)
- {
- return DatabaseDescriptor.getAuthorizer().authorize(userResource.left,
- userResource.right);
- }
- });
- }
-
 private Set<Permission> authorize(IResource resource)
 {
 // AllowAllAuthorizer or manually disabled caching.
- if (permissionsCache == null)
+ if (Auth.permissionsCache == null)
 return DatabaseDescriptor.getAuthorizer().authorize(user, resource);
 try
 {
- return permissionsCache.get(Pair.create(user, resource));
+ return Auth.permissionsCache.get(Pair.create(user, resource));
 }
 catch (ExecutionException e)
 {
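Review bot: `authorize` now reads the volatile field `Auth.permissionsCache` twice, once in the null check and once in `Auth.permissionsCache.get(...)`; a `setPermissionsValidity` call with a value `<= 0` between the two reads sets the field to null, and the second read then throws `NullPointerException` on the authorization path. Read the field once into a local, `LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> cache = Auth.permissionsCache;`, then test `cache == null` and call `cache.get(Pair.create(user, resource))`. That needs the `com.google.common.cache.LoadingCache` import which the first ClientState hunk removes. The body of `authorize` continues past the end of the hunk.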
