/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.cassandra.auth; import java.lang.management.ManagementFactory; import java.util.Set; import java.util.concurrent.*; import org.apache.cassandra.config.DatabaseDescriptor; import com.google.common.cache.CacheBuilder; import com.google.common.cache.CacheLoader; import com.google.common.cache.LoadingCache; import com.google.common.util.concurrent.ListenableFuture; import com.google.common.util.concurrent.ListenableFutureTask; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.cassandra.concurrent.DebuggableThreadPoolExecutor; import org.apache.cassandra.utils.Pair; import javax.management.MBeanServer; import javax.management.ObjectName; public class PermissionsCache implements PermissionsCacheMBean { private static final Logger logger = LoggerFactory.getLogger(PermissionsCache.class); private final String MBEAN_NAME = "org.apache.cassandra.auth:type=PermissionsCache"; private final ThreadPoolExecutor cacheRefreshExecutor = new DebuggableThreadPoolExecutor("PermissionsCacheRefresh", Thread.NORM_PRIORITY); private final IAuthorizer authorizer; private volatile LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> cache; public PermissionsCache(IAuthorizer authorizer) { this.authorizer = authorizer; this.cache = initCache(null); try { MBeanServer mbs = ManagementFactory.getPlatformMBeanServer(); mbs.registerMBean(this, new ObjectName(MBEAN_NAME)); } catch (Exception e) { throw new RuntimeException(e); } } public Set<Permission> getPermissions(AuthenticatedUser user, IResource resource) { if (cache == null) return authorizer.authorize(user, resource); try { return cache.get(Pair.create(user, resource)); } catch (ExecutionException e) { throw new RuntimeException(e); } } public void invalidate() { cache = initCache(null); } public void setValidity(int validityPeriod) { DatabaseDescriptor.setPermissionsValidity(validityPeriod); cache = initCache(cache); } public int getValidity() { return DatabaseDescriptor.getPermissionsValidity(); } public void setUpdateInterval(int updateInterval) { DatabaseDescriptor.setPermissionsUpdateInterval(updateInterval); cache = initCache(cache); } public int getUpdateInterval() { return DatabaseDescriptor.getPermissionsUpdateInterval(); } private LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initCache( LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> existing) { if (authorizer instanceof AllowAllAuthorizer) return null; if (DatabaseDescriptor.getPermissionsValidity() <= 0) return null; LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> newcache = CacheBuilder.newBuilder() .refreshAfterWrite(DatabaseDescriptor.getPermissionsUpdateInterval(), TimeUnit.MILLISECONDS) .expireAfterWrite(DatabaseDescriptor.getPermissionsValidity(), TimeUnit.MILLISECONDS) .maximumSize(DatabaseDescriptor.getPermissionsCacheMaxEntries()) .build(new CacheLoader<Pair<AuthenticatedUser, IResource>, Set<Permission>>() { public Set<Permission> load(Pair<AuthenticatedUser, IResource> userResource) { return authorizer.authorize(userResource.left, userResource.right); } public ListenableFuture<Set<Permission>> reload(final Pair<AuthenticatedUser, IResource> userResource, final Set<Permission> oldValue) { ListenableFutureTask<Set<Permission>> task = ListenableFutureTask.create(new Callable<Set<Permission>>() { public Set<Permission>call() throws Exception { try { return authorizer.authorize(userResource.left, userResource.right); } catch (Exception e) { logger.debug("Error performing async refresh of user permissions", e); throw e; } } }); cacheRefreshExecutor.execute(task); return task; } }); if (existing != null) newcache.putAll(existing.asMap()); return newcache; } }