FC-307 - Performance problem with roles many members
shawnmckinney committed Jan 3, 2022
1 parent 55a361f commit 4e2bcebb6dc41dc12327505b06ae78ef936bc2b3
Showing 5 changed files with 71 additions and 10 deletions.
@@ -378,7 +378,7 @@ public void assignUser( UserRole uRole ) throws SecurityException

// Get the default constraints from role:
role.setContextId( this.contextId );
Role validRole = roleP.read( role );
Role validRole = roleP.readConstraints( role );
// if the input role entity attribute doesn't have temporal constraints set, copy from the role declaration:
ConstraintUtil.validateOrCopy( validRole, uRole );
// Assign the Role data to User:
@@ -412,7 +412,7 @@ public void enableRoleConstraint( Role role, RoleConstraint roleConstraint )
String propValue = roleConstraint.getKey();
VUtil.assertNotNull( propValue, GlobalErrIds.ROLE_CONSTRAINT_KEY_NULL, CLS_NM + methodName );
// Verify the role exists:
roleP.read( role );
roleP.readConstraints( role );
Properties props = new Properties();
props.setProperty( propKey, propValue );
// Retrieve parameters from the config node stored in target LDAP DIT:
@@ -743,7 +743,7 @@ public void grantPermission( Permission perm, Role role ) throws SecurityExcepti
else
{
AdminUtil.canGrant( perm.getAdminSession(), role, perm, contextId );
roleP.read( role );
roleP.readConstraints( role );
}
permP.grant( perm, role );
}
@@ -814,7 +814,7 @@ public void addDescendant( Role parentRole, Role childRole ) throws SecurityExce
// make sure the parent role is already there:
Role role = new Role( parentRole.getName() );
role.setContextId( this.contextId );
roleP.read( role );
roleP.readConstraints( role );
RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
childRole.setParent( parentRole.getName() );
roleP.add( childRole );
@@ -837,7 +837,7 @@ public void addAscendant( Role childRole, Role parentRole ) throws SecurityExcep
// make sure the child role is already there:
Role role = new Role( childRole.getName() );
role.setContextId( this.contextId );
role = roleP.read( role );
role = roleP.readConstraints( role );
role.setContextId( this.contextId );
RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
roleP.add( parentRole );
@@ -867,11 +867,11 @@ public void addInheritance( Role parentRole, Role childRole ) throws SecurityExc
// make sure the parent role is already there:
Role pRole = new Role( parentRole.getName() );
pRole.setContextId( this.contextId );
roleP.read( pRole );
roleP.readConstraints( pRole );
// make sure the child role is already there:
Role cRole = new Role( childRole.getName() );
cRole.setContextId( this.contextId );
cRole = roleP.read( cRole );
cRole = roleP.readConstraints( cRole );
RoleUtil.getInstance().validateRelationship( childRole, parentRole, false );
RoleUtil.getInstance().updateHier( this.contextId, new Relationship( childRole.getName().toUpperCase(),
parentRole.getName().toUpperCase() ), Hier.Op.ADD );
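Review bot: In the assignUser hunk, `validRole` now comes from `roleP.readConstraints( role )`, so it is only partly populated, and nothing at the call site says so. Going by the `ROLE_CONSTRAINTS` list added in this commit, only the role name, constraint and parent attributes are requested, so any code that later reads another attribute from `validRole` would see an unset value; the method body continues outside the hunk, so confirm that nothing there does. I would add `// validRole holds only name, constraint and parent attributes; do not read other Role fields from it` above the call. The same applies to `role` in addAscendant and `cRole` in addInheritance, which also keep the returned entity; the remaining call sites in this file and the two `validate` hunks discard it and use the call purely as an existence check before changing the authorization model.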
@@ -697,7 +697,7 @@ private void validate( Permission pOp, boolean isUpdate )
{
Role role = new Role( roleNm );
role.setContextId( pOp.getContextId() );
rp.read( role );
rp.readConstraints( role );
}
}
}
@@ -117,7 +117,7 @@ final class RoleDAO extends LdapDataProvider implements PropertyProvider<Role>,
static final boolean IS_RFC2307 = Config.getInstance().getProperty( GlobalIds.RFC2307_PROP ) != null && Config.getInstance().getProperty( GlobalIds.RFC2307_PROP ).equalsIgnoreCase( "true" ) ? true : false;

private static final String[] ROLE_ATRS =
{
{
GlobalIds.FT_IID,
ROLE_NM,
SchemaConstants.DESCRIPTION_AT,
@@ -128,6 +128,13 @@ final class RoleDAO extends LdapDataProvider implements PropertyProvider<Role>,
IS_RFC2307 ? GlobalIds.GID_NUMBER : null
};

private static final String[] ROLE_CONSTRAINTS =
{
ROLE_NM,
GlobalIds.CONSTRAINT,
GlobalIds.PARENT_NODES
};

/**
* Defines the object class structure used within Fortress Role processing.
*/
@@ -456,6 +463,46 @@ Role getRole( Role role )
}


Role getConstraints( Role role )
throws FinderException
{
Role entity = null;
LdapConnection ld = null;
String dn = getDn( role.getName(), role.getContextId() );

try
{
ld = getAdminConnection();
Entry findEntry = read( ld, dn, ROLE_CONSTRAINTS );
if ( findEntry != null )
{
entity = unloadLdapEntry( findEntry, 0, role.getContextId() );
}
if ( entity == null )
{
String warning = "getConstraints no entry found dn [" + dn + "]";
throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
}
}
catch ( LdapNoSuchObjectException e )
{
String warning = "getConstraints Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
}
catch ( LdapException e )
{
String error = "getConstraints dn [" + dn + "] LEXCD=" + e;
throw new FinderException( GlobalErrIds.ROLE_READ_FAILED, error, e );
}
finally
{
closeAdminConnection( ld );
}

return entity;
}


/**
* @param role
* @return
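Review bot: `getConstraints` is added without Javadoc, and its `LdapNoSuchObjectException` handler drops the caught exception. A short Javadoc should say that the method requests only the `ROLE_CONSTRAINTS` attributes and throws `FinderException` with `ROLE_NOT_FOUND` when the entry is missing, so that callers do not mistake the result for the (presumably fuller) entity `getRole` returns. For the handler, the three-argument constructor already used in the `LdapException` branch keeps the cause available when a failed role lookup is investigated: `throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning, e );`.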
@@ -75,6 +75,20 @@ Role read( Role role ) throws SecurityException
}


/**
* Return a fully populated Role entity for a given RBAC role name. If matching record not found a
* SecurityException will be thrown.
*
* @param role contains full role name for RBAC role in directory.
* @return Role entity containing consraint attributes associated with Role in directory.
* @throws SecurityException in the event Role not found or DAO search error.
*/
Role readConstraints( Role role ) throws SecurityException
{
return rDao.getConstraints( role );
}


/**
* Takes a search string that contains full or partial RBAC Role name in directory.
*
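Review bot: The Javadoc added for `readConstraints` opens with "Return a fully populated Role entity", which contradicts its own `@return` line and the DAO call it delegates to, `rDao.getConstraints( role )`. Callers in this commit use the method to gate role assignment and permission grants, so the summary should state the reduced contract, for example `* Return a Role entity holding only the name, constraint and parent attributes for a given RBAC role name.` The `@return` line also misspells "constraint" as "consraint".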
@@ -204,7 +204,7 @@ private void validate( SDSet entity )
// Ensure the name exists:
Role role = new Role( key );
role.setContextId( entity.getContextId() );
rp.read( role );
rp.readConstraints( role );
}
}
}
