From ale...@apache.org
Subject [kudu] 02/02: [authz] add scrubbing task for the privileges cache
Date Fri, 03 May 2019 01:38:58 GMT
This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 754de05b8d6e513624a2a4b8cc4b5dbb00cd1e07
Author: Alexey Serbin <alexey@apache.org>
AuthorDate: Tue Apr 30 16:20:59 2019 -0700

    [authz] add scrubbing task for the privileges cache
    
    This changelist enables the periodic scrubbing thread to invalidate
    expired entries from the SentryPrivilegesFetcher's cache.  By default,
    the period of the cache's scrubbing task is 20 seconds.
    
    Change-Id: I88510fae48cf683fbfad8a11c2941a23b2af9f8b
    Reviewed-on: http://gerrit.cloudera.org:8080/13205
    Tested-by: Kudu Jenkins
    Reviewed-by: Andrew Wong <awong@cloudera.com>
---
 src/kudu/master/sentry_privileges_fetcher.cc | 31 +++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/kudu/master/sentry_privileges_fetcher.cc b/src/kudu/master/sentry_privileges_fetcher.cc
index 952b889..0242cae 100644
--- a/src/kudu/master/sentry_privileges_fetcher.cc
+++ b/src/kudu/master/sentry_privileges_fetcher.cc
@@ -128,6 +128,21 @@ DEFINE_uint32(sentry_privileges_cache_ttl_factor, 10,
               "defines the TTL of entries in the authz cache.");
 TAG_FLAG(sentry_privileges_cache_ttl_factor, advanced);
 
+DEFINE_uint32(sentry_privileges_cache_scrubbing_period_sec, 20,
+              "The interval to run the periodic task that scrubs the "
+              "privileges cache of expired entries. A value of 0 means expired "
+              "entries are only evicted when inserting new entries into a full "
+              "cache.");
+TAG_FLAG(sentry_privileges_cache_scrubbing_period_sec, advanced);
+
+DEFINE_uint32(sentry_privileges_cache_max_scrubbed_entries_per_pass, 32,
+              "Maximum number of entries in the privileges cache to process "
+              "in one pass of the periodic scrubbing task. A value of 0 means "
+              "there is no limit, i.e. all expired entries, if any, "
+              "are invalidated every time the scrubbing task runs. Note "
+              "that the cache is locked while the scrubbing task is running.");
+TAG_FLAG(sentry_privileges_cache_max_scrubbed_entries_per_pass, advanced);
+
 DECLARE_int64(authz_token_validity_seconds);
 DECLARE_string(kudu_service_name);
 DECLARE_string(server_name);
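Review bot: The help text for `sentry_privileges_cache_scrubbing_period_sec` does not say that the flag is only an upper bound on the interval. The ResetCache() hunk of this same patch passes `std::min` of the cache entry TTL and this flag, so a short `authz_token_validity_seconds * sentry_privileges_cache_ttl_factor` silently overrides the operator's setting. I would append a sentence such as `"The effective period never exceeds the TTL of cache entries."` to the description. For `sentry_privileges_cache_max_scrubbed_entries_per_pass`, the text should also state whether expired privilege entries left behind by a capped pass are still rejected on lookup. The lookup path is not visible in this patch, so that needs confirming before it is documented.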
@@ -514,10 +529,20 @@ Status SentryPrivilegesFetcher::ResetCache() {
       FLAGS_sentry_privileges_cache_capacity_mb * 1024 * 1024;
   shared_ptr<AuthzInfoCache> new_cache;
   if (cache_capacity_bytes != 0) {
-    const auto ttl_sec = FLAGS_authz_token_validity_seconds *
-        FLAGS_sentry_privileges_cache_ttl_factor;
+    const auto cache_entry_ttl = MonoDelta::FromSeconds(
+        FLAGS_authz_token_validity_seconds *
+        FLAGS_sentry_privileges_cache_ttl_factor);
+
+    MonoDelta cache_scrubbing_period;  // explicitly non-initialized variable
+    if (FLAGS_sentry_privileges_cache_scrubbing_period_sec > 0) {
+      cache_scrubbing_period = std::min(cache_entry_ttl, MonoDelta::FromSeconds(
+          FLAGS_sentry_privileges_cache_scrubbing_period_sec));
+    }
+
     new_cache = make_shared<AuthzInfoCache>(
-        cache_capacity_bytes, MonoDelta::FromSeconds(ttl_sec));
+        cache_capacity_bytes, cache_entry_ttl, cache_scrubbing_period,
+        FLAGS_sentry_privileges_cache_max_scrubbed_entries_per_pass,
+        "sentry-privileges-ttl-cache");
     if (metric_entity_) {
       unique_ptr<SentryPrivilegesCacheMetrics> metrics(
           new SentryPrivilegesCacheMetrics(metric_entity_));
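Review bot: The new guard tests only `FLAGS_sentry_privileges_cache_scrubbing_period_sec > 0`, yet the value handed to the cache is `std::min(cache_entry_ttl, ...)`. A TTL product of zero (for example `--sentry_privileges_cache_ttl_factor=0`) would therefore produce a zero-length scrubbing period instead of leaving scrubbing disabled. Unless a flag validator elsewhere in the file excludes that case, I would extend the condition to `if (FLAGS_sentry_privileges_cache_scrubbing_period_sec > 0 && MonoDelta::FromSeconds(0) < cache_entry_ttl) {`. The comment `// explicitly non-initialized variable` should also say what the cache does with such a value, presumably something like `// An uninitialized MonoDelta leaves the scrubbing task disabled.`, once that is confirmed against the AuthzInfoCache constructor. ResetCache() starts and ends outside this hunk, so any check that follows is not visible here.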

