This is an automated email from the ASF dual-hosted git repository. alexey pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 754de05b8d6e513624a2a4b8cc4b5dbb00cd1e07 Author: Alexey Serbin <[email protected]> AuthorDate: Tue Apr 30 16:20:59 2019 -0700 [authz] add scrubbing task for the privileges cache This changelist enables the periodic scrubbing thread to invalidate expired entries from the SentryPrivilegesFetcher's cache. By default, the period of the cache's scrubbing task is 20 seconds. Change-Id: I88510fae48cf683fbfad8a11c2941a23b2af9f8b Reviewed-on: http://gerrit.cloudera.org:8080/13205 Tested-by: Kudu Jenkins Reviewed-by: Andrew Wong <[email protected]> --- src/kudu/master/sentry_privileges_fetcher.cc | 31 +++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/src/kudu/master/sentry_privileges_fetcher.cc b/src/kudu/master/sentry_privileges_fetcher.cc index 952b889..0242cae 100644 --- a/src/kudu/master/sentry_privileges_fetcher.cc +++ b/src/kudu/master/sentry_privileges_fetcher.cc @@ -128,6 +128,21 @@ DEFINE_uint32(sentry_privileges_cache_ttl_factor, 10, "defines the TTL of entries in the authz cache."); TAG_FLAG(sentry_privileges_cache_ttl_factor, advanced); +DEFINE_uint32(sentry_privileges_cache_scrubbing_period_sec, 20, + "The interval to run the periodic task that scrubs the " + "privileges cache of expired entries. A value of 0 means expired " + "entries are only evicted when inserting new entries into a full " + "cache."); +TAG_FLAG(sentry_privileges_cache_scrubbing_period_sec, advanced); + +DEFINE_uint32(sentry_privileges_cache_max_scrubbed_entries_per_pass, 32, + "Maximum number of entries in the privileges cache to process " + "in one pass of the periodic scrubbing task. A value of 0 means " + "there is no limit, i.e. all expired entries, if any, " + "are invalidated every time the scrubbing task runs. Note " + "that the cache is locked while the scrubbing task is running."); +TAG_FLAG(sentry_privileges_cache_max_scrubbed_entries_per_pass, advanced); + DECLARE_int64(authz_token_validity_seconds); DECLARE_string(kudu_service_name); DECLARE_string(server_name); @@ -514,10 +529,20 @@ Status SentryPrivilegesFetcher::ResetCache() { FLAGS_sentry_privileges_cache_capacity_mb * 1024 * 1024; shared_ptr<AuthzInfoCache> new_cache; if (cache_capacity_bytes != 0) { - const auto ttl_sec = FLAGS_authz_token_validity_seconds * - FLAGS_sentry_privileges_cache_ttl_factor; + const auto cache_entry_ttl = MonoDelta::FromSeconds( + FLAGS_authz_token_validity_seconds * + FLAGS_sentry_privileges_cache_ttl_factor); + + MonoDelta cache_scrubbing_period; // explicitly non-initialized variable + if (FLAGS_sentry_privileges_cache_scrubbing_period_sec > 0) { + cache_scrubbing_period = std::min(cache_entry_ttl, MonoDelta::FromSeconds( + FLAGS_sentry_privileges_cache_scrubbing_period_sec)); + } + new_cache = make_shared<AuthzInfoCache>( - cache_capacity_bytes, MonoDelta::FromSeconds(ttl_sec)); + cache_capacity_bytes, cache_entry_ttl, cache_scrubbing_period, + FLAGS_sentry_privileges_cache_max_scrubbed_entries_per_pass, + "sentry-privileges-ttl-cache"); if (metric_entity_) { unique_ptr<SentryPrivilegesCacheMetrics> metrics( new SentryPrivilegesCacheMetrics(metric_entity_));
