ISPN-5790 AuthorizationManager rework #3726
Conversation
| } | ||
| int permissionMask = requiredPermission.getMask(); | ||
| return (subjectMask & permissionMask) == permissionMask && requestedRole.map(r -> subjectACL.roles.contains(r)).orElse(true); |
There was a problem hiding this comment.
nitpick: lambda could be replaced by subjectACL.roles::contains
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
4b92575
to
e310c8e
Compare
tristantarrant
added
Ready for Review
and removed
Changes Required
Changes Suggested
labels
|
I have made some further changes:
|
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
e310c8e
to
84ed93f
Compare
|
some nitpick about
|
| private int computeHashCode() { | ||
| final int prime = 31; | ||
| int result = 1; | ||
| result = prime * result + ((cacheName == null) ? 0 : cacheName.hashCode()); |
There was a problem hiding this comment.
can the cacheName or the principalName be null?
There was a problem hiding this comment.
That is an interesting question, but I guess not a big deal either way.
|
A cache based on the Principals's name is only effective if you assume there is a limited number of principals accessing, otherwise you're risking to store a lot of data for no good reason - and probably still have a low hit rate. |
|
@Sanne not really if we assume that a principal will perform operations on the cache in bursts: you want to cache the ACL on the first op so that subsequent ops can reuse it. Set a low expiration for this case. |
|
@Sanne I see the use-case of lots of individual principals less practical / useful in the real world. |
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
2 times, most recently
from
754d61e
to
e6e534f
Compare
| /** | ||
| * Removes the internal caches from the specified set of cache names | ||
| */ | ||
| void filterPrivateCaches(Set<String> names); |
There was a problem hiding this comment.
Why the name change? The javadoc still mentions internal caches...
There was a problem hiding this comment.
The javadoc is wrong and the actual implementation was filtering the private caches :) I'll fix this
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
2 times, most recently
from
24525ca
to
eca499d
Compare
|
@danberindei ready to go ! |
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
eca499d
to
33204d6
Compare
|
@danberindei repushed :) |
| @@ -12,7 +12,8 @@ | |||
| */ | |||
| GlobalAuthorizationConfigurationBuilder authorization(); | |||
| /** | |||
| * Defines the timeout in milliseconds for which to cache user access roles | |||
| * Defines the timeout in milliseconds for which to cache user access roles. A value of -1 means the entries | |||
There was a problem hiding this comment.
I know this might be too late now. But was there a reason we forced this to be milliseconds and didn't just do the new common method of passing a long and a TimeUnit?
There was a problem hiding this comment.
Fixed it. Added a new method and deprecated the old one
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
33204d6
to
c37756d
Compare
| private SubjectACL computeSubjectACL(Subject subject, AuthorizationConfiguration configuration) { | ||
| PrincipalRoleMapper roleMapper = globalConfiguration.authorization().principalRoleMapper(); | ||
| Set<Principal> principals = subject.getPrincipals(); | ||
| Set<String> allRoles = new HashSet<>(principals.size()); |
There was a problem hiding this comment.
Couldn't there be a lot more roles than # of principals? How many principals would a subject have normally? I wonder if we just use the default constructor which sizes the array to 16 might be better?
There was a problem hiding this comment.
I would say that maybe not all principals would map to a role. The case where a principal might map to multiple roles is unlikely in my experience.
|
Just some minor things, otherwise looks good 👍 |
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
c37756d
to
d597935
Compare
|
@wburns I addressed your comments (unless where noted) |
|
@tristantarrant more test failures... |
|
@danberindei only one test failure is security related, but it's to do with JGroups SASL authentication, so not connected to this PR. |
- use an internal cache instead of the Cluster Registry - add a GlobalSecurityManager with the ability to flush acl caches - don't cache per-cache acl masks - add a role check in addition to the existing permission check
tristantarrant
force-pushed
the
ISPN-5790/authz_manager_rework
branch
from
d597935
to
32bf1df
Compare
|
Integrated at long last! Thanks Tristan! |
https://issues.jboss.org/browse/ISPN-5790