authorJon Marius Venstad <venstad@gmail.com>2020-02-25 14:41:01 +0100
committerJon Marius Venstad <venstad@gmail.com>2020-02-25 14:41:01 +0100
commit948b2067b93fc3634583cc5545daec4c4fd3b0b4 (patch)
tree5c064f49b4cd3b5348acc2c8e779425adb8db048 /controller-server
parent25bcc44fcf22a5e4737d6d4551b4a292bc04d4e0 (diff)
Keep Athenz user domains lookup for 1min, per identity
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java5
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java24
2 files changed, 22 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 447f9a462b1..1b033589619 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -49,4 +49,9 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
return new DefaultZtsClient(URI.create(config.ztsUrl()), identityProvider);
}
+ @Override
+ public boolean cacheZtsUserDomains() {
+ return true;
+ }
+
}
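Review bot: The new `cacheZtsUserDomains()` override has no comment, so a reader cannot tell from this class what it switches on or why the production factory answers `true`; the interface it overrides is outside this diff. Add a short Javadoc such as `/** Memoise ZTS user-domain lookups per identity for a short time, to avoid one ZTS round trip per request; see AthenzFacade. */`. If other factory implementations (test doubles, presumably) return `false`, that is worth a sentence too.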
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 628d7f48c85..0b45d828407 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -1,6 +1,9 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.athenz.impl;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.TenantName;
@@ -36,6 +39,8 @@ import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.Set;
+import java.util.concurrent.TimeUnit;
+import java.util.function.Function;
import java.util.logging.Logger;
import java.util.stream.Collectors;
@@ -49,16 +54,22 @@ public class AthenzFacade implements AccessControl {
private final ZmsClient zmsClient;
private final ZtsClient ztsClient;
private final AthenzIdentity service;
+ private final Function<AthenzIdentity, List<AthenzDomain>> userDomains;
@Inject
public AthenzFacade(AthenzClientFactory factory) {
- this(factory.createZmsClient(), factory.createZtsClient(), factory.getControllerIdentity());
+ this.zmsClient = factory.createZmsClient();
+ this.ztsClient = factory.createZtsClient();
+ this.service = factory.getControllerIdentity();
+ this.userDomains = factory.cacheZtsUserDomains()
+ ? CacheBuilder.newBuilder()
+ .expireAfterWrite(1, TimeUnit.MINUTES)
+ .build(CacheLoader.from(this::getUserDomains))::getUnchecked
+ : this::getUserDomains;
}
- public AthenzFacade(ZmsClient zmsClient, ZtsClient ztsClient, AthenzIdentity identity) {
- this.zmsClient = zmsClient;
- this.ztsClient = ztsClient;
- this.service = identity;
+ private List<AthenzDomain> getUserDomains(AthenzIdentity userIdentity) {
+ return ztsClient.getTenantDomains(service, userIdentity, "admin");
}
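Review bot: `LoadingCache.getUnchecked` wraps any exception thrown by `ztsClient.getTenantDomains` in Guava's `UncheckedExecutionException`, so a caller that previously caught the ZTS client's own exception type around the lookup will now miss it; either unwrap in the lookup path or note the new exception type. The cache on the `userDomains` line is also unbounded: `expireAfterWrite` evicts only by age, so many distinct authenticated identities within one minute grow it without limit — add `.maximumSize(...)` next to it. Because this memoises an authorization result, the field deserves a comment making the staleness explicit, e.g. `// Memoised per identity for 1 minute: admin-role changes in ZTS may take that long to take effect here.`. Dropping the public three-argument constructor also removes the direct way to inject fake ZMS/ZTS clients; presumably callers now go through the factory.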
@Override
@@ -184,10 +195,9 @@ public class AthenzFacade implements AccessControl {
// TODO jonmv: Remove
public List<Tenant> accessibleTenants(List<Tenant> tenants, Credentials credentials) {
AthenzIdentity identity = ((AthenzPrincipal) credentials.user()).getIdentity();
- List<AthenzDomain> userDomains = ztsClient.getTenantDomains(service, identity, "admin");
return tenants.stream()
.filter(tenant -> tenant.type() == Tenant.Type.user && ((UserTenant) tenant).is(identity.getName())
- || tenant.type() == Tenant.Type.athenz && userDomains.contains(((AthenzTenant) tenant).domain()))
+ || tenant.type() == Tenant.Type.athenz && userDomains.apply(identity).contains(((AthenzTenant) tenant).domain()))
.collect(Collectors.toUnmodifiableList());
}
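Review bot: `userDomains.apply(identity)` on the new filter line is evaluated once per Athenz tenant rather than once per call, because it now sits inside the stream filter where the removed line hoisted it; with caching on this is a map hit, but when `cacheZtsUserDomains()` returns false it becomes one ZTS round trip per tenant instead of one per request. Hoist it as before, `List<AthenzDomain> domains = userDomains.apply(identity);` above the stream, and use `domains.contains(...)` in the filter. The method is marked for removal, so this only matters while it lives.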