frankgh commented on code in PR #270:
URL: https://github.com/apache/cassandra-sidecar/pull/270#discussion_r2437659118
##########
integration-tests/src/integrationTest/org/apache/cassandra/sidecar/acl/authorization/RoleBasedAuthorizationIntegrationTest.java:
##########
@@ -257,7 +268,7 @@ protected Function<SidecarConfigurationImpl.Builder,
SidecarConfigurationImpl.Bu
Map.of());
CacheConfiguration permissionCacheConfiguration =
CacheConfigurationImpl.builder()
-
.expireAfterAccess(MillisecondBoundConfiguration.parse("100ms"))
+
.expireAfterAccess(MillisecondBoundConfiguration.parse("300ms"))
Review Comment:
can we keep it 100ms?
##########
integration-tests/src/integrationTest/org/apache/cassandra/sidecar/acl/authorization/RoleBasedAuthorizationIntegrationTest.java:
##########
@@ -497,7 +513,9 @@ void testEndpointRequiringMultipleActions()
grantTablePermission(session,
"multiple_permissions_required_test_keyspace", "test_table",
"non_admin_test_role");
}, sslOptions);
- loopAssert(2, 100, () -> {
+ invalidateAuthorizationHandlerCaches();
+
+ loopAssert(4, 100, () -> {
Review Comment:
can we keep this at 2?
##########
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AuthorizationCacheKeyImpl.java:
##########
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+import io.vertx.core.MultiMap;
+import io.vertx.ext.auth.User;
+
+import static
org.apache.cassandra.sidecar.utils.AuthUtils.extractCassandraRoles;
+
+/**
+ * Implementation of {@link AuthorizationCacheKey}, uniquely represents an
authorization request with user and resource
+ * context.
+ */
+public class AuthorizationCacheKeyImpl implements AuthorizationCacheKey
+{
+ private final List<String> roles;
+ private final Map<String, String> variables;
+
+ public AuthorizationCacheKeyImpl(User user, MultiMap variables)
+ {
+ this.roles = extractCassandraRoles(user);
+ // store an immutable copy of variables in a Map
+ this.variables = variables.entries()
Review Comment:
can we precompute the hash here?
##########
server/src/main/java/org/apache/cassandra/sidecar/metrics/server/AuthMetrics.java:
##########
@@ -32,17 +33,23 @@ public class AuthMetrics
private static final String DOMAIN = SERVER_PREFIX + ".Auth";
public final NamedMetric<Counter> jwtPemRefreshFailures;
public final NamedMetric<Counter> jwtPemRefreshSuccesses;
+ public final NamedMetric<Timer> authorizationTime;
Review Comment:
I think we should document that this authorization time is only taking into
account authorizations that are not cached
##########
integration-tests/src/integrationTest/org/apache/cassandra/sidecar/acl/authorization/RoleBasedAuthorizationIntegrationTest.java:
##########
@@ -463,8 +475,10 @@ void testEndpointRequiringMultipleActions()
"data/multiple_permissions_required_test_keyspace/test_table",
"SNAPSHOT:READ");
+ invalidateAuthorizationHandlerCaches();
+
// wait for cache refresh
- loopAssert(2, 100, () -> {
+ loopAssert(4, 100, () -> {
Review Comment:
can we keep this at 2?
##########
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AuthorizationCacheKeyImpl.java:
##########
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+import io.vertx.core.MultiMap;
+import io.vertx.ext.auth.User;
+
+import static
org.apache.cassandra.sidecar.utils.AuthUtils.extractCassandraRoles;
+
+/**
+ * Implementation of {@link AuthorizationCacheKey}, uniquely represents an
authorization request with user and resource
+ * context.
+ */
+public class AuthorizationCacheKeyImpl implements AuthorizationCacheKey
+{
+ private final List<String> roles;
+ private final Map<String, String> variables;
+
+ public AuthorizationCacheKeyImpl(User user, MultiMap variables)
Review Comment:
NIT : can we use the underlying interface here?
```suggestion
public AuthorizationCacheKeyImpl(User user, Iterable<Map.Entry<String,
String>> variables)
```
##########
integration-tests/src/integrationTest/org/apache/cassandra/sidecar/acl/authorization/RoleBasedAuthorizationIntegrationTest.java:
##########
@@ -486,9 +500,11 @@ void testEndpointRequiringMultipleActions()
"data/multiple_permissions_required_test_keyspace/test_table",
"SNAPSHOT:STREAM");
+ invalidateAuthorizationHandlerCaches();
+
// STREAM SSTable request requires both Sidecar SNAPSHOT:STREAM
permission and Cassandra's SELECT
// permission on a table it accesses data.
- loopAssert(2, 100, () -> {
+ loopAssert(4, 100, () -> {
Review Comment:
can we keep this at 2?
##########
server/src/main/java/org/apache/cassandra/sidecar/routes/RouteBuilder.java:
##########
@@ -206,25 +214,29 @@ public static class Factory
private final AuthorizationProvider authorizationProvider;
private final AdminIdentityResolver adminIdentityResolver;
private final AuthorizationParameterValidateHandler
authZParameterValidateHandler;
+ private final SidecarMetrics sidecarMetrics;
public Factory(AccessControlConfiguration accessControlConfiguration,
AuthorizationProvider authorizationProvider,
AdminIdentityResolver adminIdentityResolver,
- AuthorizationParameterValidateHandler
authZParameterValidateHandler)
+ AuthorizationParameterValidateHandler
authZParameterValidateHandler,
+ SidecarMetrics sidecarMetrics)
{
this.accessControlConfiguration = accessControlConfiguration;
this.authorizationProvider = authorizationProvider;
this.adminIdentityResolver = adminIdentityResolver;
this.authZParameterValidateHandler = authZParameterValidateHandler;
+ this.sidecarMetrics = sidecarMetrics;
}
public RouteBuilder builderForRoute()
{
return new RouteBuilder(accessControlConfiguration,
authorizationProvider,
adminIdentityResolver,
- authZParameterValidateHandler);
+ authZParameterValidateHandler,
Review Comment:
NIT, we should instead modify the ctor to take the Factory. i.e new
RouteBuilder(this);
##########
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/CachedAuthorizationHandler.java:
##########
@@ -0,0 +1,171 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.function.BiConsumer;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import io.vertx.ext.auth.User;
+import io.vertx.ext.auth.authorization.Authorization;
+import io.vertx.ext.auth.authorization.AuthorizationContext;
+import io.vertx.ext.web.RoutingContext;
+import io.vertx.ext.web.handler.AuthorizationHandler;
+import io.vertx.ext.web.handler.HttpException;
+import io.vertx.ext.web.handler.impl.AuthorizationHandlerImpl;
+import org.apache.cassandra.sidecar.acl.AdminIdentityResolver;
+import org.apache.cassandra.sidecar.config.AccessControlConfiguration;
+import org.apache.cassandra.sidecar.config.CacheConfiguration;
+import org.apache.cassandra.sidecar.exceptions.ConfigurationException;
+import org.apache.cassandra.sidecar.metrics.CacheStatsCounter;
+import org.apache.cassandra.sidecar.metrics.SidecarMetrics;
+import org.apache.cassandra.sidecar.metrics.server.AuthMetrics;
+
+import static org.apache.cassandra.sidecar.utils.AuthUtils.extractIdentities;
+
+/**
+ * {@link CachedAuthorizationHandler} caches all authorization requests using
{@link AuthorizationCacheKey}.
+ */
+public class CachedAuthorizationHandler extends AuthorizationHandlerImpl
+{
+ static final String POPULATE_AUTHORIZATION_CACHES_ENV_NAME =
"populate_authorization_caches";
+ static final Set<Cache<AuthorizationCacheKey, Boolean>>
AUTHORIZATION_CACHES = ConcurrentHashMap.newKeySet();
+ private static final HttpException FORBIDDEN_EXCEPTION = new
HttpException(403);
Review Comment:
will we be losing the stacktrace by precreating the exception? is the stack
trace something we care about?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
