cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aleksei Zotov (Jira)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-16404) Provide a nodetool way of invalidating auth caches
Date Sat, 10 Jul 2021 09:09:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-16404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17378427#comment-17378427
] 

Aleksei Zotov commented on CASSANDRA-16404:
-------------------------------------------

[~blerer]

Thanks for checking the code!
{quote}I did not realized that the JMX interface for that part of the code tend to be nested
within the implementation classes. So I would do the same despite what I said earlier.
{quote}
I've given it a try and realized that it causes cyclic inheritance:
{code:java}
public class RolesCache implements RolesCache.RolesCacheMBean
{
    ...

    public static interface RolesCacheMBean extends AuthCacheMBean
    {
    ...
    }
}
{code}
and it is not compiling.

Similar approach works for other caches because they have another structure:
{code:java}
public class SomeHolderClass
{
    ...

    public static class RolesCache implements SomeClass.RolesCacheMBean
    {
    ...
    }

    public static interface RolesCacheMBean extends AuthCacheMBean
    {
    ...
    }
}
{code}
I see the following potential ways to proceed:
 1. keep everything as is - that's what I'm inclined to.
 2. introduce "holder" classes (similarly like we have for other caches) - I do not like it
because it will lead to many changes (that we try to prevent without a real need). Also such
holder classes without additional logic look weird and make not much sense.
 3. having interface in the same file, but non-public, like:
{code:java}
public class RolesCache implements RolesCache.RolesCacheMBean
{
    ...
}

interface RolesCacheMBean extends AuthCacheMBean
{
...
}
{code}
also does not seem to be working because the interface definition should be public to be available
from {{NodeProbe}}.

I see no other obvious ways to have it simple and working other than the current approach.
Your suggestions will be much appreciated. Please, let me know your thoughts.

> Provide a nodetool way of invalidating auth caches
> --------------------------------------------------
>
>                 Key: CASSANDRA-16404
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16404
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Sumanth Pasupuleti
>            Assignee: Aleksei Zotov
>            Priority: Normal
>             Fix For: 4.x
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> We currently have nodetool commands to invalidate certain caches like KeyCache, RowCache
and CounterCache. 
> Being able to invalidate auth caches as well can come in handy in situations where, critical
backend auth changes may need to be in effect right away for all the connections, especially
in configurations where cache validity is chosen to be for a longer duration. An example can
be that an authenticated user "User1" is no longer authorized to access a table resource "table1"
and it is vital that this change is reflected right away, without having to wait for cache
expiry/refresh to trigger.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message