Use RoleRetrievalResult for better caching#34197
Merged
jaymode merged 14 commits intoelastic:masterfrom Oct 15, 2018
Merged
Conversation
Security caches the result of role lookups and negative lookups are cached indefinitely. In the case of transient failures this leads to a bad experience as the roles could truly exist. The CompositeRolesStore needs to know if a failure occurred in one of the roles stores in order to make the appropriate decision as it relates to caching. In order to provide this information to the CompositeRolesStore, the return type of methods to retrieve roles has changed to a new class, RoleRetrievalResult. This class provides the ability to pass back an exception to the roles store. This exception does not mean that a request should be failed but instead serves as a signal to the roles store that missing roles should not be cached and neither should the combined role if there are missing roles. As part of this, the negative lookup cache was also changed from an unbounded cache to a cache with a configurable limit. Relates elastic#33205
Collaborator
|
Pinging @elastic/es-security |
bizybot
reviewed
Oct 4, 2018
Contributor
bizybot
left a comment
There was a problem hiding this comment.
I have left some comments around further refactoring, other changes look good to me.
| allSuccessful = false; | ||
| } | ||
|
|
||
| private boolean hadFailures() { |
Contributor
There was a problem hiding this comment.
RolesRetrievalResult#isFailure()
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java
Show resolved
Hide resolved
...security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
Outdated
Show resolved
Hide resolved
bizybot
approved these changes
Oct 5, 2018
Contributor
bizybot
left a comment
There was a problem hiding this comment.
Small change else LGTM, Thank you for the iteration.
...security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
Show resolved
Hide resolved
jkakavas
reviewed
Oct 5, 2018
| private final Set<RoleDescriptor> descriptors; | ||
| private final Exception failure; | ||
|
|
||
| private RoleRetrievalResult(Set<RoleDescriptor> descriptors, Exception failure) { |
| failure = true; | ||
| } | ||
|
|
||
| private boolean isFailure() { |
Contributor
There was a problem hiding this comment.
It feels more natural to me to have a success with a default true value and an isSuccessful() method. No concrete arguments for this, just personal sense of how consumable/readable that is, so take if with a grain of salt.
| */ | ||
| if (invalidationCounter == numInvalidation.get()) { | ||
| roleCache.computeIfAbsent(roleNames, (s) -> role); | ||
| if (rolesRetrievalResult.isFailure() == false) { |
Contributor
There was a problem hiding this comment.
I think merging the two if will not hurt readability.
| this.customRolesProviders = Collections.unmodifiableList(rolesProviders); | ||
| CacheBuilder<String, Boolean> nlcBuilder = CacheBuilder.builder(); | ||
| final int nlcCacheSize = NEGATIVE_LOOKUP_CACHE_SIZE_SETTING.get(settings); | ||
| if (cacheSize >= 0) { |
Member
Author
|
@elasticmachine run packaging tests |
Member
Author
|
run gradle build tests |
jaymode
added a commit
that referenced
this pull request
Oct 15, 2018
Security caches the result of role lookups and negative lookups are cached indefinitely. In the case of transient failures this leads to a bad experience as the roles could truly exist. The CompositeRolesStore needs to know if a failure occurred in one of the roles stores in order to make the appropriate decision as it relates to caching. In order to provide this information to the CompositeRolesStore, the return type of methods to retrieve roles has changed to a new class, RoleRetrievalResult. This class provides the ability to pass back an exception to the roles store. This exception does not mean that a request should be failed but instead serves as a signal to the roles store that missing roles should not be cached and neither should the combined role if there are missing roles. As part of this, the negative lookup cache was also changed from an unbounded cache to a cache with a configurable limit. Relates #33205
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
Oct 15, 2018
* master: Do not update number of replicas on no indices (elastic#34481) Core: Remove two methods from AbstractComponent (elastic#34336) Use RoleRetrievalResult for better caching (elastic#34197) Revert "Search: Fix spelling mistake in Javadoc (elastic#34480)" Search: Fix spelling mistake in Javadoc (elastic#34480) Docs: improve formatting of Query String Query doc page (elastic#34432) Tests: Handle epoch date formatters edge cases (elastic#34437) Test: Fix running with external cluster Fix handling of empty keyword in terms aggregation (elastic#34457) [DOCS] Fix tag in SecurityDocumentationIT [Monitoring] Add additional necessary mappings for apm-server (elastic#34392) SCRIPTING: Move Aggregation Script Context to its own class (elastic#33820) MINOR: Remove Deadcode in ExpressionTermSetQuery (elastic#34442) HLRC: Get SSL Certificates API (elastic#34135)
kcm
pushed a commit
that referenced
this pull request
Oct 30, 2018
Security caches the result of role lookups and negative lookups are cached indefinitely. In the case of transient failures this leads to a bad experience as the roles could truly exist. The CompositeRolesStore needs to know if a failure occurred in one of the roles stores in order to make the appropriate decision as it relates to caching. In order to provide this information to the CompositeRolesStore, the return type of methods to retrieve roles has changed to a new class, RoleRetrievalResult. This class provides the ability to pass back an exception to the roles store. This exception does not mean that a request should be failed but instead serves as a signal to the roles store that missing roles should not be cached and neither should the combined role if there are missing roles. As part of this, the negative lookup cache was also changed from an unbounded cache to a cache with a configurable limit. Relates #33205
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security caches the result of role lookups and negative lookups are
cached indefinitely. In the case of transient failures this leads to a
bad experience as the roles could truly exist. The CompositeRolesStore
needs to know if a failure occurred in one of the roles stores in order
to make the appropriate decision as it relates to caching. In order to
provide this information to the CompositeRolesStore, the return type of
methods to retrieve roles has changed to a new class,
RoleRetrievalResult. This class provides the ability to pass back an
exception to the roles store. This exception does not mean that a
request should be failed but instead serves as a signal to the roles
store that missing roles should not be cached and neither should the
combined role if there are missing roles.
As part of this, the negative lookup cache was also changed from an
unbounded cache to a cache with a configurable limit.
Relates #33205