[jira] [Work logged] (KNOX-2789) Refine privileged/non-privileged group settings

Tue, 23 Aug 2022 03:57:05 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-2789?focusedWorklogId=802803&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-802803
 ]

ASF GitHub Bot logged work on KNOX-2789:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Aug/22 10:56
            Start Date: 23/Aug/22 10:56
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #622:
URL: https://github.com/apache/knox/pull/622#discussion_r952457950


##########
gateway-server/src/test/java/org/apache/knox/gateway/session/control/InMemoryConcurrentSessionVerifierTest.java:
##########
@@ -316,25 +296,27 @@ public void testBackgroundThreadRemoveExpiredTokens() 
throws ServiceLifecycleExc
     verifier.verifySessionForUser("admin", adminToken2);
     JWT expiringAdminToken = 
tokenAuthority.issueToken(expiringJwtAttributesForAdmin);
     verifier.verifySessionForUser("admin", expiringAdminToken);
-    Assert.assertEquals(3, verifier.countValidTokensForUser("admin"));
-    Thread.sleep(1100);
-    Assert.assertEquals(2, verifier.countValidTokensForUser("admin"));
+    Assert.assertEquals(3, verifier.getTokenCountForUser("admin").intValue());
+    Thread.sleep(1050);
+    verifier.removeExpiredTokens();
+    Assert.assertEquals(2, verifier.getTokenCountForUser("admin").intValue());
 
     JWTokenAttributes expiringJwtAttributesForTom = makeJwtAttribute("tom", 
true);
 
     verifier.verifySessionForUser("tom", tomToken1);
     verifier.verifySessionForUser("tom", tomToken2);
     JWT expiringTomToken = 
tokenAuthority.issueToken(expiringJwtAttributesForTom);
     verifier.verifySessionForUser("tom", expiringTomToken);
-    Assert.assertEquals(3, verifier.countValidTokensForUser("tom"));
-    Thread.sleep(1100);
-    Assert.assertEquals(2, verifier.countValidTokensForUser("tom"));
+    Assert.assertEquals(3, verifier.getTokenCountForUser("tom").intValue());
+    Thread.sleep(1050);

Review Comment:
   The same qq. here.



##########
gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java:
##########
@@ -822,7 +822,7 @@ public interface GatewayConfig {
 
   Set<String> getPrivilegedUsers();
 
-  Set<String> getNonPrivilegedUsers();
+  Set<String> getUnlimitedUsers();

Review Comment:
   We may rename this to `getSessionVerificationUnlimitiedUsers` and the 
previous one to `getSessionVerificationPrivilegedUsers`. What do you think?



##########
gateway-server/src/test/java/org/apache/knox/gateway/session/control/InMemoryConcurrentSessionVerifierTest.java:
##########
@@ -273,41 +255,39 @@ public void testNegativeLimitMeansUnlimited() throws 
ServiceLifecycleException {
 
   @Test
   public void testExpiredTokensAreNotCounted() throws 
ServiceLifecycleException, TokenServiceException, InterruptedException {
-    GatewayConfig config = mockConfig(new HashSet<>(Arrays.asList("admin")), 
new HashSet<>(Arrays.asList("tom", "guest")), 3, 3);
+    GatewayConfig config = mockConfig(Collections.emptySet(), new 
HashSet<>(Arrays.asList("admin")), 3, 3);
     verifier.init(config, options);
 
     JWTokenAttributes expiringJwtAttributesForTom = makeJwtAttribute("tom", 
true);
 
-    JWT tomToken = tokenAuthority.issueToken(jwtAttributesForTom);
-    verifier.verifySessionForUser("tom", tomToken);
+    verifier.verifySessionForUser("tom", tomToken1);
     Assert.assertEquals(1, verifier.countValidTokensForUser("tom"));
-    tomToken = tokenAuthority.issueToken(expiringJwtAttributesForTom);
-    verifier.verifySessionForUser("tom", tomToken);
+    JWT expiringTomToken = 
tokenAuthority.issueToken(expiringJwtAttributesForTom);
+    verifier.verifySessionForUser("tom", expiringTomToken);
     Assert.assertEquals(2, verifier.countValidTokensForUser("tom"));
-    tomToken = tokenAuthority.issueToken(expiringJwtAttributesForTom);
-    verifier.verifySessionForUser("tom", tomToken);
+    expiringTomToken = tokenAuthority.issueToken(expiringJwtAttributesForTom);
+    verifier.verifySessionForUser("tom", expiringTomToken);
     Assert.assertEquals(3, verifier.countValidTokensForUser("tom"));
-    Thread.sleep(1000L);
+    Thread.sleep(1100);

Review Comment:
   As discussed offline, we may give a high enough cleaning period, and invoke 
the cleaning job manually here to avoid Thread.sleep. Have considered doing 
that?



##########
gateway-server/src/test/java/org/apache/knox/gateway/session/control/InMemoryConcurrentSessionVerifierTest.java:
##########
@@ -316,25 +296,27 @@ public void testBackgroundThreadRemoveExpiredTokens() 
throws ServiceLifecycleExc
     verifier.verifySessionForUser("admin", adminToken2);
     JWT expiringAdminToken = 
tokenAuthority.issueToken(expiringJwtAttributesForAdmin);
     verifier.verifySessionForUser("admin", expiringAdminToken);
-    Assert.assertEquals(3, verifier.countValidTokensForUser("admin"));
-    Thread.sleep(1100);
-    Assert.assertEquals(2, verifier.countValidTokensForUser("admin"));
+    Assert.assertEquals(3, verifier.getTokenCountForUser("admin").intValue());
+    Thread.sleep(1050);

Review Comment:
   If you are invoking `verifier.removeExpiredTokens();` anyway, why do we need 
the Thread.sleep here?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 802803)
    Time Spent: 20m  (was: 10m)

> Refine privileged/non-privileged group settings
> -----------------------------------------------
>
>                 Key: KNOX-2789
>                 URL: https://issues.apache.org/jira/browse/KNOX-2789
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Balazs Marton
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Existing group settings should be refined as follows:
>  * instead of having the privileged and non-privileged groups their own 
> configuration, we should only have one config for the privileged users. 
> Additionally, the existing configuration name should be changed to 
> {{gateway.session.verification.privileged.users}}
>  * Currently, if a user is not listed in any of these groups, are allowed to 
> have unlimited sessions. This should be changed: a new config should be 
> introduced called {{gateway.session.verification.unlimited.users}}
>  * each user that is not listed in any of those groups is considered 
> non-privileged and the previously introduced limit should be applied to it
> Additionally, the following configuration names should be updated:
>  * {{gateway.non.privileged.users.concurrent.session.limit}} -> 
> {{gateway.session.verification.non.privileged.user.limit}}
>  * {{gateway.privileged.users.concurrent.session.limit}} -> 
> {{gateway.session.verification.privileged.user.limit}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to