| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.cassandra.auth; |
| |
| import java.lang.management.ManagementFactory; |
| import java.util.Set; |
| import java.util.concurrent.*; |
| |
| import org.apache.cassandra.config.DatabaseDescriptor; |
| import com.google.common.cache.CacheBuilder; |
| import com.google.common.cache.CacheLoader; |
| import com.google.common.cache.LoadingCache; |
| import com.google.common.util.concurrent.ListenableFuture; |
| import com.google.common.util.concurrent.ListenableFutureTask; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import org.apache.cassandra.concurrent.DebuggableThreadPoolExecutor; |
| import org.apache.cassandra.utils.Pair; |
| |
| import javax.management.MBeanServer; |
| import javax.management.ObjectName; |
| |
| public class PermissionsCache implements PermissionsCacheMBean |
| { |
| private static final Logger logger = LoggerFactory.getLogger(PermissionsCache.class); |
| |
| private final String MBEAN_NAME = "org.apache.cassandra.auth:type=PermissionsCache"; |
| |
| private final ThreadPoolExecutor cacheRefreshExecutor = new DebuggableThreadPoolExecutor("PermissionsCacheRefresh", |
| Thread.NORM_PRIORITY); |
| private final IAuthorizer authorizer; |
| private volatile LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> cache; |
| |
| public PermissionsCache(IAuthorizer authorizer) |
| { |
| this.authorizer = authorizer; |
| this.cache = initCache(null); |
| try |
| { |
| MBeanServer mbs = ManagementFactory.getPlatformMBeanServer(); |
| mbs.registerMBean(this, new ObjectName(MBEAN_NAME)); |
| } |
| catch (Exception e) |
| { |
| throw new RuntimeException(e); |
| } |
| } |
| |
| public Set<Permission> getPermissions(AuthenticatedUser user, IResource resource) |
| { |
| if (cache == null) |
| return authorizer.authorize(user, resource); |
| |
| try |
| { |
| return cache.get(Pair.create(user, resource)); |
| } |
| catch (ExecutionException e) |
| { |
| throw new RuntimeException(e); |
| } |
| } |
| |
| public void invalidate() |
| { |
| cache = initCache(null); |
| } |
| |
| public void setValidity(int validityPeriod) |
| { |
| DatabaseDescriptor.setPermissionsValidity(validityPeriod); |
| cache = initCache(cache); |
| } |
| |
| public int getValidity() |
| { |
| return DatabaseDescriptor.getPermissionsValidity(); |
| } |
| |
| public void setUpdateInterval(int updateInterval) |
| { |
| DatabaseDescriptor.setPermissionsUpdateInterval(updateInterval); |
| cache = initCache(cache); |
| } |
| |
| public int getUpdateInterval() |
| { |
| return DatabaseDescriptor.getPermissionsUpdateInterval(); |
| } |
| |
| private LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initCache( |
| LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> existing) |
| { |
| if (authorizer instanceof AllowAllAuthorizer) |
| return null; |
| |
| if (DatabaseDescriptor.getPermissionsValidity() <= 0) |
| return null; |
| |
| LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> newcache = CacheBuilder.newBuilder() |
| .refreshAfterWrite(DatabaseDescriptor.getPermissionsUpdateInterval(), TimeUnit.MILLISECONDS) |
| .expireAfterWrite(DatabaseDescriptor.getPermissionsValidity(), TimeUnit.MILLISECONDS) |
| .maximumSize(DatabaseDescriptor.getPermissionsCacheMaxEntries()) |
| .build(new CacheLoader<Pair<AuthenticatedUser, IResource>, Set<Permission>>() |
| { |
| public Set<Permission> load(Pair<AuthenticatedUser, IResource> userResource) |
| { |
| return authorizer.authorize(userResource.left, userResource.right); |
| } |
| |
| public ListenableFuture<Set<Permission>> reload(final Pair<AuthenticatedUser, IResource> userResource, |
| final Set<Permission> oldValue) |
| { |
| ListenableFutureTask<Set<Permission>> task = ListenableFutureTask.create(new Callable<Set<Permission>>() |
| { |
| public Set<Permission>call() throws Exception |
| { |
| try |
| { |
| return authorizer.authorize(userResource.left, userResource.right); |
| } |
| catch (Exception e) |
| { |
| logger.trace("Error performing async refresh of user permissions", e); |
| throw e; |
| } |
| } |
| }); |
| cacheRefreshExecutor.execute(task); |
| return task; |
| } |
| }); |
| if (existing != null) |
| newcache.putAll(existing.asMap()); |
| return newcache; |
| } |
| } |