Add setting to disable using ttl for cache

neo4j · Nov 1, 2017 · 87b3834 · 87b3834
1 parent 3143120
commit 87b3834
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 15 deletions.
diff --git a/...ity/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java b/...ity/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java
@@ -216,8 +216,9 @@ private static AuthenticationStrategy createAuthenticationStrategy( Config confi
     private static CacheManager createCacheManager( Config config )
     {
         long ttl = config.get( SecuritySettings.auth_cache_ttl ).toMillis();
+        boolean use_ttl = config.get( SecuritySettings.auth_cache_use_ttl );
         int maxCapacity = config.get( SecuritySettings.auth_cache_max_capacity );
-        return new ShiroCaffeineCache.Manager( Ticker.systemTicker(), ttl, maxCapacity );
+        return new ShiroCaffeineCache.Manager( Ticker.systemTicker(), ttl, maxCapacity, use_ttl );
     }
 
     private static List<PluginRealm> createPluginRealms(

diff --git a/.../security/src/main/java/org/neo4j/server/security/enterprise/auth/ShiroCaffeineCache.java b/.../security/src/main/java/org/neo4j/server/security/enterprise/auth/ShiroCaffeineCache.java
@@ -38,23 +38,27 @@ class ShiroCaffeineCache<K, V> implements Cache<K,V>
 {
     private final com.github.benmanes.caffeine.cache.Cache<K,V> caffCache;
 
-    ShiroCaffeineCache( Ticker ticker, long ttl, int maxCapacity )
+    ShiroCaffeineCache( Ticker ticker, long ttl, int maxCapacity, boolean use_ttl )
     {
-        this( ticker, ForkJoinPool.commonPool(), ttl, maxCapacity );
+        this( ticker, ForkJoinPool.commonPool(), ttl, maxCapacity, use_ttl );
     }
 
-    ShiroCaffeineCache( Ticker ticker, Executor maintenanceExecutor, long ttl, int maxCapacity )
+    ShiroCaffeineCache( Ticker ticker, Executor maintenanceExecutor, long ttl, int maxCapacity, boolean use_ttl )
     {
         if ( ttl <= 0 )
         {
             throw new IllegalArgumentException( "TTL must be larger than zero." );
         }
-        caffCache = Caffeine.newBuilder()
-                .maximumSize( maxCapacity )
-                .expireAfterWrite( ttl, TimeUnit.MILLISECONDS )
-                .executor( maintenanceExecutor )
-                .ticker( ticker )
-                .build();
+
+        Caffeine<Object,Object> builder = Caffeine.newBuilder()
+                                                  .maximumSize( maxCapacity )
+                                                  .executor( maintenanceExecutor )
+                                                  .ticker( ticker );
+        if ( use_ttl )
+        {
+            builder.expireAfterWrite( ttl, TimeUnit.MILLISECONDS );
+        }
+        caffCache = builder.build();
     }
 
     @Override
@@ -105,12 +109,14 @@ static class Manager implements CacheManager
         private final Ticker ticker;
         private final long ttl;
         private final int maxCapacity;
+        private boolean use_ttl;
 
-        Manager( Ticker ticker, long ttl, int maxCapacity )
+        Manager( Ticker ticker, long ttl, int maxCapacity, boolean use_ttl )
         {
             this.ticker = ticker;
             this.ttl = ttl;
             this.maxCapacity = maxCapacity;
+            this.use_ttl = use_ttl;
             caches = new HashMap<>();
         }
 
@@ -120,7 +126,7 @@ public <K, V> Cache<K,V> getCache( String s ) throws CacheException
             //noinspection unchecked
             return (Cache<K,V>) caches.computeIfAbsent( s, ignored -> ttl <= 0 ?
                     new NullCache() :
-                    new ShiroCaffeineCache<K,V>( ticker, ttl, maxCapacity ) );
+                    new ShiroCaffeineCache<K,V>( ticker, ttl, maxCapacity, use_ttl ) );
         }
     }
 

diff --git a/...ty/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java b/...ty/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java
@@ -270,6 +270,12 @@ public class SecuritySettings implements LoadableConfig
     public static final Setting<Duration> auth_cache_ttl =
             setting( "dbms.security.auth_cache_ttl", DURATION, "10m" );
 
+    @Description( "Enable time-based eviction of the authentication and authorization info cache for " +
+                  "external auth providers (LDAP or plugin). Disabling this setting will make the cache " +
+                  "live forever and only be evicted when `dbms.security.auth_cache_max_capacity` is exceeded." )
+    public static final Setting<Boolean> auth_cache_use_ttl =
+            setting( "dbms.security.auth_cache_use_ttl", BOOLEAN, "true" );
+
     @Description( "The maximum capacity for authentication and authorization caches (respectively)." )
     public static final Setting<Integer> auth_cache_max_capacity =
             setting( "dbms.security.auth_cache_max_capacity", INTEGER, "10000" );

diff --git a/...src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java b/...src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java
@@ -163,6 +163,7 @@ public void setup()
         when( mockLog.isDebugEnabled() ).thenReturn( true );
         when( config.get( SecuritySettings.auth_cache_ttl ) ).thenReturn( Duration.ZERO );
         when( config.get( SecuritySettings.auth_cache_max_capacity ) ).thenReturn( 10 );
+        when( config.get( SecuritySettings.auth_cache_use_ttl ) ).thenReturn( true );
         when( config.get( SecuritySettings.security_log_successful_authentication ) ).thenReturn( false );
         when( config.get( GraphDatabaseSettings.auth_max_failed_attempts ) ).thenReturn( 3 );
     }

diff --git a/...ise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java b/...ise/security/src/test/java/org/neo4j/server/security/enterprise/auth/LdapCachingTest.java
@@ -82,7 +82,7 @@ public void setup() throws Throwable
 
         fakeTicker = new FakeTicker();
         authManager = new MultiRealmAuthManager( internalFlatFileRealm, realms,
-                new ShiroCaffeineCache.Manager( fakeTicker::read, 100, 10), securityLog, false );
+                new ShiroCaffeineCache.Manager( fakeTicker::read, 100, 10, true ), securityLog, false );
         authManager.init();
         authManager.start();
 

diff --git a/...urity/src/test/java/org/neo4j/server/security/enterprise/auth/ShiroCaffeineCacheTest.java b/...urity/src/test/java/org/neo4j/server/security/enterprise/auth/ShiroCaffeineCacheTest.java
@@ -41,15 +41,15 @@ public class ShiroCaffeineCacheTest
     public void setUp()
     {
         fakeTicker = new FakeTicker();
-        cache = new ShiroCaffeineCache<>( fakeTicker::read, Runnable::run, TTL, 5 );
+        cache = new ShiroCaffeineCache<>( fakeTicker::read, Runnable::run, TTL, 5, true );
     }
 
     @Test
     public void shouldFailToCreateAuthCacheForTTLZero()
     {
         try
         {
-            new ShiroCaffeineCache<>( fakeTicker::read, Runnable::run, 0, 5 );
+            new ShiroCaffeineCache<>( fakeTicker::read, Runnable::run, 0, 5, true );
             fail("Expected IllegalArgumentException for a TTL of 0");
         }
         catch ( IllegalArgumentException e )