author | Jon Marius Venstad <venstad@gmail.com> | 2020-02-25 14:41:01 +0100 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2020-02-25 14:41:01 +0100 |
commit | 948b2067b93fc3634583cc5545daec4c4fd3b0b4 (patch) | |
tree | 5c064f49b4cd3b5348acc2c8e779425adb8db048 /controller-server | |
parent | 25bcc44fcf22a5e4737d6d4551b4a292bc04d4e0 (diff) |
Keep Athenz user domains lookup for 1min, per identity
Diffstat (limited to 'controller-server')
2 files changed, 22 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 447f9a462b1..1b033589619 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -49,4 +49,9 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 return new DefaultZtsClient(URI.create(config.ztsUrl()), identityProvider);
 }
 
+ @Override
+ public boolean cacheZtsUserDomains() {
+ return true;
+ }
+
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 628d7f48c85..0b45d828407 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -1,6 +1,9 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.athenz.impl;
 
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
 import com.google.inject.Inject;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.TenantName;
@@ -36,6 +39,8 @@ import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
+import java.util.function.Function;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 
@@ -49,16 +54,22 @@ public class AthenzFacade implements AccessControl {
 private final ZmsClient zmsClient;
 private final ZtsClient ztsClient;
 private final AthenzIdentity service;
+ private final Function<AthenzIdentity, List<AthenzDomain>> userDomains;
 
 @Inject
 public AthenzFacade(AthenzClientFactory factory) {
- this(factory.createZmsClient(), factory.createZtsClient(), factory.getControllerIdentity());
+ this.zmsClient = factory.createZmsClient();
+ this.ztsClient = factory.createZtsClient();
+ this.service = factory.getControllerIdentity();
+ this.userDomains = factory.cacheZtsUserDomains()
+ ? CacheBuilder.newBuilder()
+ .expireAfterWrite(1, TimeUnit.MINUTES)
+ .build(CacheLoader.from(this::getUserDomains))::getUnchecked
+ : this::getUserDomains;
 }
 
- public AthenzFacade(ZmsClient zmsClient, ZtsClient ztsClient, AthenzIdentity identity) {
- this.zmsClient = zmsClient;
- this.ztsClient = ztsClient;
- this.service = identity;
+ private List<AthenzDomain> getUserDomains(AthenzIdentity userIdentity) {
+ return ztsClient.getTenantDomains(service, userIdentity, "admin");
 }
 
 @Override
@@ -184,10 +195,9 @@ public class AthenzFacade implements AccessControl {
 // TODO jonmv: Remove
 public List<Tenant> accessibleTenants(List<Tenant> tenants, Credentials credentials) {
 AthenzIdentity identity = ((AthenzPrincipal) credentials.user()).getIdentity();
- List<AthenzDomain> userDomains = ztsClient.getTenantDomains(service, identity, "admin");
 return tenants.stream()
 .filter(tenant -> tenant.type() == Tenant.Type.user && ((UserTenant) tenant).is(identity.getName())
- || tenant.type() == Tenant.Type.athenz && userDomains.contains(((AthenzTenant) tenant).domain()))
+ || tenant.type() == Tenant.Type.athenz && userDomains.apply(identity).contains(((AthenzTenant) tenant).domain()))
 .collect(Collectors.toUnmodifiableList());
 }
 
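Review bot: The list cached by `expireAfterWrite(1, TimeUnit.MINUTES)` in the constructor is an authorization input — accessibleTenants uses it to decide which Athenz tenants a user may see — so a user whose admin role is removed in ZTS keeps that visibility for up to a minute; that is presumably the intended trade-off, but nothing in the code says so, and a comment on the `this.userDomains =` assignment such as `// Authorization input: a ZTS role change is not seen here for up to one minute.` would make it explicit. Note also that `::getUnchecked` rethrows loader failures wrapped in Guava's UncheckedExecutionException, so a caller that catches the ZTS client's own exception type no longer matches once caching is on, and the builder sets no `maximumSize`, so the cache grows with the number of distinct identities seen within a minute (acceptable if those are only authenticated principals, which this hunk does not show). The `LoadingCache` import added in the first hunk of this file is unused, since the cache is referenced only through the `::getUnchecked` method reference.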
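Review bot: In the last hunk `userDomains.apply(identity)` is evaluated inside the filter lambda, once per Athenz tenant, whereas the removed line looked the domains up exactly once; when `cacheZtsUserDomains()` is false that is one ZTS round-trip per tenant, and even with the cache an entry expiring mid-stream could let a single call see two different domain lists. Hoisting the lookup restores the previous single call: `List<AthenzDomain> domains = userDomains.apply(identity);` before `return tenants.stream()`, with the filter then reading `domains.contains(((AthenzTenant) tenant).domain())`.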