From dfce62020969aba6624713955caa0df2afd90a7b Mon Sep 17 00:00:00 2001
From: zhao liwei
Date: Fri, 27 Nov 2020 14:29:50 +0800
Subject: [PATCH] feat(security): implement reset interface for replica access controller (#672)
---
 include/dsn/dist/replication/replica_envs.h | 1 +
 src/common/replication_common.cpp | 2 ++
 src/meta/app_env_validator.cpp | 3 ++-
 src/replica/replica.h | 2 ++
 src/replica/replica_config.cpp | 14 +++++++++++++
 src/runtime/security/access_controller.h | 6 +++---
 .../security/replica_access_controller.cpp | 20 +++++++++++++++++++
 .../security/replica_access_controller.h | 2 ++
 8 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/include/dsn/dist/replication/replica_envs.h b/include/dsn/dist/replication/replica_envs.h
index 5be5c26740..3b195fa3e0 100644
--- a/include/dsn/dist/replication/replica_envs.h
+++ b/include/dsn/dist/replication/replica_envs.h
@@ -54,6 +54,7 @@ class replica_envs
 static const std::string MANUAL_COMPACT_PERIODIC_TARGET_LEVEL;
 static const std::string MANUAL_COMPACT_PERIODIC_BOTTOMMOST_LEVEL_COMPACTION;
 static const std::string BUSINESS_INFO;
+ static const std::string REPLICA_ACCESS_CONTROLLER_ALLOWED_USERS;
 };
 } // namespace replication
diff --git a/src/common/replication_common.cpp b/src/common/replication_common.cpp
index 1e9a12cb4d..77b638d126 100644
--- a/src/common/replication_common.cpp
+++ b/src/common/replication_common.cpp
@@ -629,6 +629,8 @@ const std::string replica_envs::ROCKSDB_CHECKPOINT_RESERVE_TIME_SECONDS(
 const std::string replica_envs::ROCKSDB_ITERATION_THRESHOLD_TIME_MS( "replica.rocksdb_iteration_threshold_time_ms");
 const std::string replica_envs::BUSINESS_INFO("business.info");
+const std::string replica_envs::REPLICA_ACCESS_CONTROLLER_ALLOWED_USERS(
+ "replica_access_controller.allowed_users");
 const std::string bulk_load_constant::BULK_LOAD_INFO("bulk_load_info");
 const int32_t bulk_load_constant::BULK_LOAD_REQUEST_INTERVAL = 10;
diff --git a/src/meta/app_env_validator.cpp b/src/meta/app_env_validator.cpp
index 283ef8a485..6fea80937c 100644
--- a/src/meta/app_env_validator.cpp
+++ b/src/meta/app_env_validator.cpp
@@ -167,7 +167,8 @@ void app_env_validator::register_all_validators()
 {replica_envs::MANUAL_COMPACT_ONCE_BOTTOMMOST_LEVEL_COMPACTION, nullptr},
 {replica_envs::MANUAL_COMPACT_PERIODIC_TRIGGER_TIME, nullptr},
 {replica_envs::MANUAL_COMPACT_PERIODIC_TARGET_LEVEL, nullptr},
- {replica_envs::MANUAL_COMPACT_PERIODIC_BOTTOMMOST_LEVEL_COMPACTION, nullptr}};
+ {replica_envs::MANUAL_COMPACT_PERIODIC_BOTTOMMOST_LEVEL_COMPACTION, nullptr},
+ {replica_envs::REPLICA_ACCESS_CONTROLLER_ALLOWED_USERS, nullptr}};
 }
 } // namespace replication
diff --git a/src/replica/replica.h b/src/replica/replica.h
index 8e9346cdce..84529ae086 100644
--- a/src/replica/replica.h
+++ b/src/replica/replica.h
@@ -127,6 +127,8 @@ class replica : public serverlet, public ref_counter, public replica_ba
 void update_throttle_env_internal(const std::map &envs, const std::string &key, throttling_controller &cntl);
+ // update allowed users for access controller
+ void update_ac_allowed_users(const std::map &envs);
 // // messages and tools from/for meta server
diff --git a/src/replica/replica_config.cpp b/src/replica/replica_config.cpp
index da50f7c2c8..ab3c028e80 100644
--- a/src/replica/replica_config.cpp
+++ b/src/replica/replica_config.cpp
@@ -39,6 +39,7 @@
 #include "mutation_log.h"
 #include "replica_stub.h"
 #include "bulk_load/replica_bulk_loader.h"
+#include "runtime/security/access_controller.h"
 #include "split/replica_split_manager.h"
 #include
 #include
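Review bot: In `register_all_validators()` (src/meta/app_env_validator.cpp), the new `{replica_envs::REPLICA_ACCESS_CONTROLLER_ALLOWED_USERS, nullptr}` entry registers the ACL key with a `nullptr` validator, which presumably means any string is accepted as the allowed-users list. Because this value decides who may access a replica, a malformed list (empty entries, stray separators, surrounding spaces) is better rejected when the env is set than parsed silently later by `replica_access_controller::update`. I would register a validator here that accepts only a comma-separated list of non-empty user names, and add `// ACL: comma-separated user names, no empty entries` next to the entry. The function body starts before this hunk, so how the other `nullptr` entries are handled is not visible.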
@@ -569,6 +570,19 @@ void replica::update_app_envs_internal(const std::map
 }
 update_throttle_envs(envs);
+
+ update_ac_allowed_users(envs);
+}
+
+void replica::update_ac_allowed_users(const std::map &envs)
+{
+ std::string allowed_users;
+ auto iter = envs.find(replica_envs::REPLICA_ACCESS_CONTROLLER_ALLOWED_USERS);
+ if (iter != envs.end()) {
+ allowed_users = iter->second;
+ }
+
+ _access_controller->update(allowed_users);
 }
 void replica::query_app_envs(/*out*/ std::map &envs)
diff --git a/src/runtime/security/access_controller.h b/src/runtime/security/access_controller.h
index acaf1df427..e6f01ae920 100644
--- a/src/runtime/security/access_controller.h
+++ b/src/runtime/security/access_controller.h
@@ -31,10 +31,10 @@ class access_controller
 virtual ~access_controller() = 0;
 /**
- * reset the access controller
- * acls - the new acls to reset
+ * update the access controller
+ * acls - the new acls to update
 **/
- virtual void reset(const std::string &acls){};
+ virtual void update(const std::string &acls){};
 /**
 * check if the message received is allowd to do something.
diff --git a/src/runtime/security/replica_access_controller.cpp b/src/runtime/security/replica_access_controller.cpp
index 23310ebd22..0ae4cd5900 100644
--- a/src/runtime/security/replica_access_controller.cpp
+++ b/src/runtime/security/replica_access_controller.cpp
@@ -41,5 +41,25 @@ bool replica_access_controller::allowed(message_ex *msg)
 return true;
 }
 }
+
+void replica_access_controller::update(const std::string &users)
+{
+ {
+ // check to see whether we should update it or not.
+ utils::auto_read_lock l(_lock);
+ if (_env_users == users) {
+ return;
+ }
+ }
+
+ std::unordered_set users_set;
+ utils::split_args(users.c_str(), users_set, ',');
+ {
+ utils::auto_write_lock l(_lock);
+ // This swap operation is in constant time
+ _users.swap(users_set);
+ _env_users = users;
+ }
+}
 } // namespace security
 } // namespace dsn
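Review bot: In `replica::update_ac_allowed_users` (src/replica/replica_config.cpp), a missing `replica_access_controller.allowed_users` key leaves `allowed_users` empty and `_access_controller->update(allowed_users)` is still called, which replaces the user set with an empty one. Whether an empty set means deny-all or allow-all is decided in `allowed()`, whose body is not part of this patch, so deleting the env changes the table's access policy with no visible signal. I would state the intended behaviour in a comment above the `find` call, for example `// key absent => empty list; see replica_access_controller::allowed for what an empty list permits`. `_access_controller` is also dereferenced unchecked, so it is worth confirming it is always constructed before `update_app_envs_internal` can run.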
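Review bot: In src/runtime/security/access_controller.h, `update` keeps an empty default body (`virtual void update(const std::string &acls){};`), while the declaration added in replica_access_controller.h is `void update(const std::string &users);` without `override`. If the two signatures ever drift, or a subclass outside this patch still overrides the old `reset`, the base no-op runs instead and ACL changes are dropped silently. Declaring it as `void update(const std::string &users) override;` makes the compiler reject such a mismatch. The class body of `access_controller` starts and ends outside the hunk.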
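Review bot: `replica_access_controller::update` compares `_env_users == users` under the read lock, releases it, and only later takes the write lock, so two concurrent calls with different values can both pass the check and whichever writes last wins, possibly the older list. If env updates for a replica are always delivered on one thread this is harmless, but nothing in the hunk shows that; either say so in a comment such as `// callers serialize update(); the read-locked check is only a fast path`, or hold the write lock across the compare and the swap. The function also changes who may reach the replica without logging anything, and an info-level line naming `_name` and the new list would give operators an audit trail for ACL changes.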
diff --git a/src/runtime/security/replica_access_controller.h b/src/runtime/security/replica_access_controller.h
index c6f636cc8f..51395e9bf4 100644
--- a/src/runtime/security/replica_access_controller.h
+++ b/src/runtime/security/replica_access_controller.h
@@ -27,10 +27,12 @@ class replica_access_controller : public access_controller
 public:
 replica_access_controller(const std::string &name);
 bool allowed(message_ex *msg);
+ void update(const std::string &users);
 private:
 utils::rw_lock_nr _lock; // [
 std::unordered_set _users;
+ std::string _env_users;
 // ]
 std::string _name;