FC-307 - Performance problem with roles many members

apache · Jan 3, 2022 · 4e2bcebb6dc41dc12327505b06ae78ef936bc2b3 · 4e2bceb
1 parent 55a361f
commit 4e2bcebb6dc41dc12327505b06ae78ef936bc2b3
Showing 5 changed files with 71 additions and 10 deletions.
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
@@ -378,7 +378,7 @@ public void assignUser( UserRole uRole ) throws SecurityException
 
         // Get the default constraints from role:
         role.setContextId( this.contextId );
-        Role validRole = roleP.read( role );
+        Role validRole = roleP.readConstraints( role );
         // if the input role entity attribute doesn't have temporal constraints set, copy from the role declaration:
         ConstraintUtil.validateOrCopy( validRole, uRole );
         // Assign the Role data to User:
@@ -412,7 +412,7 @@ public void enableRoleConstraint( Role role, RoleConstraint roleConstraint )
         String propValue = roleConstraint.getKey();
         VUtil.assertNotNull( propValue, GlobalErrIds.ROLE_CONSTRAINT_KEY_NULL, CLS_NM + methodName );
         // Verify the role exists:
-        roleP.read( role );
+        roleP.readConstraints( role );
         Properties props = new Properties();
         props.setProperty( propKey, propValue );
         // Retrieve parameters from the config node stored in target LDAP DIT:
@@ -743,7 +743,7 @@ public void grantPermission( Permission perm, Role role ) throws SecurityExcepti
         else
         {
             AdminUtil.canGrant( perm.getAdminSession(), role, perm, contextId );
-            roleP.read( role );
+            roleP.readConstraints( role );
         }
         permP.grant( perm, role );
     }
@@ -814,7 +814,7 @@ public void addDescendant( Role parentRole, Role childRole ) throws SecurityExce
         // make sure the parent role is already there:
         Role role = new Role( parentRole.getName() );
         role.setContextId( this.contextId );
-        roleP.read( role );
+        roleP.readConstraints( role );
         RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
         childRole.setParent( parentRole.getName() );
         roleP.add( childRole );
@@ -837,7 +837,7 @@ public void addAscendant( Role childRole, Role parentRole ) throws SecurityExcep
         // make sure the child role is already there:
         Role role = new Role( childRole.getName() );
         role.setContextId( this.contextId );
-        role = roleP.read( role );
+        role = roleP.readConstraints( role );
         role.setContextId( this.contextId );
         RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
         roleP.add( parentRole );
@@ -867,11 +867,11 @@ public void addInheritance( Role parentRole, Role childRole ) throws SecurityExc
         // make sure the parent role is already there:
         Role pRole = new Role( parentRole.getName() );
         pRole.setContextId( this.contextId );
-        roleP.read( pRole );
+        roleP.readConstraints( pRole );
         // make sure the child role is already there:
         Role cRole = new Role( childRole.getName() );
         cRole.setContextId( this.contextId );
-        cRole = roleP.read( cRole );
+        cRole = roleP.readConstraints( cRole );
         RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
         RoleUtil.getInstance().updateHier( this.contextId, new Relationship( childRole.getName().toUpperCase(),
             parentRole.getName().toUpperCase() ), Hier.Op.ADD );

diff --git a/src/main/java/org/apache/directory/fortress/core/impl/PermP.java b/src/main/java/org/apache/directory/fortress/core/impl/PermP.java
@@ -697,7 +697,7 @@ private void validate( Permission pOp, boolean isUpdate )
                 {
                     Role role = new Role( roleNm );
                     role.setContextId( pOp.getContextId() );
-                    rp.read( role );
+                    rp.readConstraints( role );
                 }
             }
         }

diff --git a/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java
@@ -117,7 +117,7 @@ final class RoleDAO extends LdapDataProvider implements PropertyProvider<Role>,
     static final boolean IS_RFC2307 = Config.getInstance().getProperty( GlobalIds.RFC2307_PROP ) != null && Config.getInstance().getProperty( GlobalIds.RFC2307_PROP ).equalsIgnoreCase( "true" ) ? true : false;
 
     private static final String[] ROLE_ATRS =
-        {
+    {
             GlobalIds.FT_IID,
             ROLE_NM,
             SchemaConstants.DESCRIPTION_AT,
@@ -128,6 +128,13 @@ final class RoleDAO extends LdapDataProvider implements PropertyProvider<Role>,
             IS_RFC2307 ? GlobalIds.GID_NUMBER : null
     };
 
+    private static final String[] ROLE_CONSTRAINTS =
+    {
+            ROLE_NM,
+            GlobalIds.CONSTRAINT,
+            GlobalIds.PARENT_NODES
+    };
+
     /**
      * Defines the object class structure used within Fortress Role processing.
      */
@@ -456,6 +463,46 @@ Role getRole( Role role )
     }
 
 
+    Role getConstraints( Role role )
+        throws FinderException
+    {
+        Role entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( role.getName(), role.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, ROLE_CONSTRAINTS );
+            if ( findEntry != null )
+            {
+                entity = unloadLdapEntry( findEntry, 0, role.getContextId() );
+            }
+            if ( entity == null )
+            {
+                String warning = "getConstraints no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getConstraints Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getConstraints dn [" + dn + "] LEXCD=" + e;
+            throw new FinderException( GlobalErrIds.ROLE_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
     /**
      * @param role
      * @return

diff --git a/src/main/java/org/apache/directory/fortress/core/impl/RoleP.java b/src/main/java/org/apache/directory/fortress/core/impl/RoleP.java
@@ -75,6 +75,20 @@ Role read( Role role ) throws SecurityException
     }
 
 
+    /**
+     * Return a fully populated Role entity for a given RBAC role name.  If matching record not found a
+     * SecurityException will be thrown.
+     *
+     * @param role contains full role name for RBAC role in directory.
+     * @return Role entity containing consraint attributes associated with Role in directory.
+     * @throws SecurityException in the event Role not found or DAO search error.
+     */
+    Role readConstraints( Role role ) throws SecurityException
+    {
+        return rDao.getConstraints( role );
+    }
+
+
     /**
      * Takes a search string that contains full or partial RBAC Role name in directory.
      *

diff --git a/src/main/java/org/apache/directory/fortress/core/impl/SdP.java b/src/main/java/org/apache/directory/fortress/core/impl/SdP.java
@@ -204,7 +204,7 @@ private void validate( SDSet entity )
                     // Ensure the name exists:
                     Role role = new Role( key );
                     role.setContextId( entity.getContextId() );
-                    rp.read( role );
+                    rp.readConstraints( role );
                 }
             }
         }