You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by st...@apache.org on 2018/10/25 12:09:32 UTC
svn commit: r1844824 - in /jackrabbit/oak/trunk:
oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/
oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/
oak-core/src/main/java/org/apache/jackrabbit/oak/security...
Author: stillalex
Date: Thu Oct 25 12:09:32 2018
New Revision: 1844824
URL: http://svn.apache.org/viewvc?rev=1844824&view=rev
Log:
OAK-7860 Make PermissionEntryCache more resilient against OOME
Added:
jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java (with props)
Modified:
jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PrincipalPermissionEntries.java
Modified: jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java?rev=1844824&r1=1844823&r2=1844824&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java (original)
+++ jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java Thu Oct 25 12:09:32 2018
@@ -48,6 +48,7 @@ import org.apache.jackrabbit.oak.benchma
import org.apache.jackrabbit.oak.benchmark.authentication.external.SyncAllUsersTest;
import org.apache.jackrabbit.oak.benchmark.authentication.external.SyncExternalUsersTest;
import org.apache.jackrabbit.oak.benchmark.authorization.AceCreationTest;
+import org.apache.jackrabbit.oak.benchmark.authorization.CanReadNonExisting;
import org.apache.jackrabbit.oak.benchmark.wikipedia.WikipediaImport;
import org.apache.jackrabbit.oak.fixture.JackrabbitRepositoryFixture;
import org.apache.jackrabbit.oak.fixture.OakFixture;
@@ -492,7 +493,8 @@ public class BenchmarkRunner {
new BundlingNodeTest(),
new PersistentCacheTest(statsProvider),
new StringWriteTest(),
- new BasicWriteTest()
+ new BasicWriteTest(),
+ new CanReadNonExisting()
};
Set<String> argset = Sets.newHashSet(nonOption.values(options));
Added: jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java?rev=1844824&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java (added)
+++ jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java Thu Oct 25 12:09:32 2018
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.benchmark.authorization;
+
+import static javax.jcr.security.Privilege.JCR_READ;
+import static org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils.addAccessControlEntry;
+import static org.junit.Assert.assertFalse;
+
+import javax.jcr.Node;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.oak.benchmark.AbstractTest;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+
+/**
+ * Tests the behavior of the permission cache when faced with lots of paths that
+ * have no relevant policies for the current session (but may have other
+ * policies). For more info see OAK-7860.
+ */
+public class CanReadNonExisting extends AbstractTest {
+
+ static final String uid = "u0";
+
+ static final int contentNodes = 10000;
+
+ @Override
+ public void beforeSuite() throws Exception {
+ super.beforeSuite();
+
+ //PermissionEntryProviderImpl#DEFAULT_SIZE + delta
+ int groupCount = 255;
+
+ Session s = loginAdministrative();
+ addAccessControlEntry(s, "/", EveryonePrincipal.getInstance(), new String[] { Privilege.JCR_READ }, false);
+
+ // PermissionCacheBuilder#MAX_PATHS_SIZE + 1
+ int extraPolicies = 11;
+ Node extras = s.getNode("/").addNode("extras");
+ for (int i = 0; i < extraPolicies; i++) {
+ extras.addNode(i + "");
+ }
+ s.save();
+
+ try {
+ UserManager userManager = ((JackrabbitSession) s).getUserManager();
+
+ User eye = userManager.createUser("eye", "eye");
+ User u = userManager.createUser(uid, uid);
+ addAccessControlEntry(s, u.getPath(), u.getPrincipal(), new String[] { JCR_READ }, true);
+ for (int i = 0; i < extraPolicies; i++) {
+ addAccessControlEntry(s, "/extras/" + i, u.getPrincipal(), new String[] { JCR_READ }, true);
+ }
+
+ for (int i = 1; i <= groupCount; i++) {
+ Group g = userManager.createGroup(new PrincipalImpl("g" + i));
+ g.addMember(u);
+ addAccessControlEntry(s, g.getPath(), g.getPrincipal(), new String[] { JCR_READ }, true);
+ for (int j = 0; j < extraPolicies; j++) {
+ addAccessControlEntry(s, "/extras/" + j, g.getPrincipal(), new String[] { JCR_READ }, true);
+ }
+ s.save();
+ }
+
+ Node content = s.getNode("/").addNode("content");
+ for (int i = 0; i < contentNodes; i++) {
+ String p = content.addNode(i + "").getPath();
+ addAccessControlEntry(s, p, eye.getPrincipal(), new String[] { JCR_READ }, true);
+ }
+ s.save();
+
+ } finally {
+ s.save();
+ s.logout();
+ }
+ System.out.println("setup done.");
+ }
+
+ @Override
+ public void runTest() throws Exception {
+ Session s = null;
+ try {
+ s = login(new SimpleCredentials(uid, uid.toCharArray()));
+ for (int i = 0; i < contentNodes; i++) {
+ assertFalse(s.nodeExists("/content/" + i));
+ }
+ } finally {
+ if (s != null) {
+ s.logout();
+ }
+ }
+ }
+}
Propchange: jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authorization/CanReadNonExisting.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PrincipalPermissionEntries.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PrincipalPermissionEntries.java?rev=1844824&r1=1844823&r2=1844824&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PrincipalPermissionEntries.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PrincipalPermissionEntries.java Thu Oct 25 12:09:32 2018
@@ -16,12 +16,12 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import static java.util.Collections.emptySet;
+
import java.util.Collection;
-import java.util.Collections;
import java.util.HashMap;
-import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.Map;
-import java.util.Set;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
@@ -31,6 +31,11 @@ import org.jetbrains.annotations.Nullabl
*/
class PrincipalPermissionEntries {
+ /**
+ * max size of the emptyPaths cache.
+ */
+ private static int MAX_SIZE = Integer.getInteger("oak.PrincipalPermissionEntries.maxSize", 1000);
+
private final long expectedSize;
/**
@@ -42,7 +47,7 @@ class PrincipalPermissionEntries {
* map of permission entries, accessed by path
*/
private Map<String, Collection<PermissionEntry>> entries = new HashMap<>();
- private Set<String> emptyPaths = new HashSet();
+ private final Map<String, Boolean> emptyPaths;
PrincipalPermissionEntries() {
this(Long.MAX_VALUE);
@@ -50,7 +55,13 @@ class PrincipalPermissionEntries {
PrincipalPermissionEntries(long expectedSize) {
this.expectedSize = expectedSize;
- fullyLoaded = (expectedSize == 0);
+ this.fullyLoaded = (expectedSize == 0);
+ this.emptyPaths = new LinkedHashMap<String, Boolean>() {
+ @Override
+ protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
+ return size() > MAX_SIZE;
+ }
+ };
}
long getSize() {
@@ -72,7 +83,7 @@ class PrincipalPermissionEntries {
@Nullable
Collection<PermissionEntry> getEntriesByPath(@NotNull String path) {
- return (emptyPaths.contains(path)) ? Collections.emptySet() : entries.get(path);
+ return emptyPaths.containsKey(path) ? emptySet() : entries.get(path);
}
void putEntriesByPath(@NotNull String path, @NotNull Collection<PermissionEntry> pathEntries) {
@@ -83,7 +94,7 @@ class PrincipalPermissionEntries {
}
void rememberNotAccessControlled(@NotNull String path) {
- emptyPaths.add(path);
+ emptyPaths.put(path, null);
}
void putAllEntries(@NotNull Map<String, Collection<PermissionEntry>> allEntries) {