From b4fb97c886ab8f204129d42abb7703c4d30b5dae Mon Sep 17 00:00:00 2001
From: Abhishek Kumar
Date: Fri, 4 Oct 2024 16:50:09 +0530
Subject: [PATCH] change in account role caching
Signed-off-by: Abhishek Kumar
---
 .../acl/DynamicRoleBasedAPIAccessChecker.java | 36 +++++++------------
 1 file changed, 12 insertions(+), 24 deletions(-)
diff --git a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
index 5933a965c2c..561d1102611 100644
--- a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -51,7 +51,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
 private List services;
 private Map> annotationRoleBasedApisMap = new HashMap>();
- final private LazyCache>> accountRolePermissionsCache;
+ final private LazyCache accountCache;
 final private LazyCache>> rolePermissionsCache;
 private static final Logger LOGGER = Logger.getLogger(DynamicRoleBasedAPIAccessChecker.class.getName());
@@ -61,8 +61,8 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
 for (RoleType roleType : RoleType.values()) {
 annotationRoleBasedApisMap.put(roleType, new HashSet());
 }
- accountRolePermissionsCache = new LazyCache<>(32, 60,
- this::getAccountRolePermissions);
+ accountCache = new LazyCache<>(32, 60,
+ this::getAccountFromId);
 rolePermissionsCache = new LazyCache<>(32, 60,
 this::getRolePermissions);
 }
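Review bot: The `accountCache` created in the constructor hunk (`@@ -61,8 +61,8 @@`) now holds whole `Account` objects that the access check relies on, and nothing visible in this patch evicts an entry when an account is moved to another role, disabled or removed. Assuming the `60` passed to `LazyCache` is an expiry, the previous role keeps being honoured for that window; the removed `accountRolePermissionsCache` had the same window, but it is worth stating next to the field, e.g. `// authz cache: account-to-role changes take effect only after the entry expires`. The literals `32` and `60` are repeated for both caches and would read better as named constants. The constructor starts outside this hunk.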
@@ -110,22 +110,9 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
 annotationRoleBasedApisMap.get(role.getRoleType()).contains(apiName);
 }
- protected Pair> getAccountRolePermissions(long accountId) {
- LOGGER.debug("RolePermissions not available in cache for-----------------------------" + accountId);
- Account account = accountService.getAccount(accountId);
- if (account == null) {
- return null;
- }
- final Role accountRole = roleService.findRole(account.getRoleId());
- if (accountRole == null || accountRole.getId() < 1L) {
- return new Pair<>(null, null);
- }
-
- if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
- return new Pair<>(accountRole, null);
- }
-
- return new Pair<>(accountRole, roleService.findAllPermissionsBy(accountRole.getId()));
+ protected Account getAccountFromId(long accountId) {
+ LOGGER.debug("Account not available in cache for-----------------------------" + accountId);
+ return accountService.getAccount(accountId);
 }
 protected Pair> getRolePermissions(long roleId) {
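Review bot: The debug message in `getAccountFromId` carries over the long dash run from the removed method, which looks like leftover troubleshooting output and makes the line awkward to search for in logs; `LOGGER.debug("Account not in cache, loading account id " + accountId);` would say the same thing. The method returns `null` for an unknown id, so a short Javadoc stating that, and that the caller is expected to turn `null` into a denial, would help the next reader. Whether `LazyCache` stores or skips a `null` loader result is not visible here and should be confirmed.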
@@ -147,19 +134,20 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
 if (!isEnabled()) {
 return true;
 }
- Pair> accountRoleAndPermissions = accountRolePermissionsCache.get(user.getAccountId());
- if (accountRoleAndPermissions == null) {
+ Account account = accountCache.get(user.getAccountId());
+ if (account == null) {
 throw new PermissionDeniedException(String.format("Account for user id [%s] cannot be found", user.getUuid()));
 }
- final Role accountRole = accountRoleAndPermissions.first();
- if (accountRoleAndPermissions.first() == null) {
+ Pair> roleAndPermissions = rolePermissionsCache.get(account.getRoleId());
+ final Role accountRole = roleAndPermissions.first();
+ if (accountRole == null) {
 throw new PermissionDeniedException(String.format("Account role for user id [%s] cannot be found.", user.getUuid()));
 }
 if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
 LOGGER.info(String.format("Account for user id [%s] is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid()));
 return true;
 }
- List allPermissions = accountRoleAndPermissions.second();
+ List allPermissions = roleAndPermissions.second();
 if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
 return true;
 }
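Review bot: `roleAndPermissions.first()` is called without checking that `rolePermissionsCache.get(account.getRoleId())` returned a pair at all. The removed loader returned `new Pair<>(null, null)` for a missing role, so that case always ended in `PermissionDeniedException`; if `getRolePermissions` (its body is outside this patch) or `LazyCache` can return `null`, the new path fails with a `NullPointerException` rather than an explicit denial. Changing the check to `if (roleAndPermissions == null || roleAndPermissions.first() == null) {` and reading `accountRole` after it keeps the failure mode a clean deny. The method starts before and continues past this hunk.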