apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[release-11.6.3] RBAC: Dont additionally cache all users permissions (#106146)

Browse Source 
RBAC: Don't additionally cache all users permissions (#105607)

* RBAC: Don't additionally cache all users permissions

* remove unused tests

(cherry picked from commit cfba630f5c)
pull/106233/head
Alexander Zobnin 1 month ago committed by GitHub
parent 1748a14f54
commit e0ca1e5b1c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 0 additions and 78 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 8
      pkg/services/accesscontrol/acimpl/service.go
  2. 4
      pkg/services/accesscontrol/cacheutils.go
  3. 66
      pkg/services/accesscontrol/cacheutils_test.go

8
pkg/services/accesscontrol/acimpl/service.go
Unescape View File

@ -251,11 +251,6 @@ func (s *Service) getCachedUserPermissions(ctx context.Context, user identity.Re
ctx, span := tracer.Start(ctx, "accesscontrol.acimpl.getCachedUserPermissions") ctx, span := tracer.Start(ctx, "accesscontrol.acimpl.getCachedUserPermissions")
defer span.End() defer span.End()
cacheKey := accesscontrol.GetUserPermissionCacheKey(user)
if cachedPermissions, ok := s.cache.Get(cacheKey); ok {
return cachedPermissions.([]accesscontrol.Permission), nil
}
permissions, err := s.getCachedBasicRolesPermissions(ctx, user, options) permissions, err := s.getCachedBasicRolesPermissions(ctx, user, options)
if err != nil { if err != nil {
return nil, err return nil, err
@ -271,9 +266,7 @@ func (s *Service) getCachedUserPermissions(ctx context.Context, user identity.Re
if err != nil { if err != nil {
return nil, err return nil, err
} }
permissions = append(permissions, userManagedPermissions...) permissions = append(permissions, userManagedPermissions...)
s.cache.Set(cacheKey, permissions, cacheTTL)
span.SetAttributes(attribute.Int("num_permissions", len(permissions))) span.SetAttributes(attribute.Int("num_permissions", len(permissions)))
return permissions, nil return permissions, nil
@ -398,7 +391,6 @@ func (s *Service) getCachedTeamsPermissions(ctx context.Context, user identity.R
} }
func (s *Service) ClearUserPermissionCache(user identity.Requester) { func (s *Service) ClearUserPermissionCache(user identity.Requester) {
s.cache.Delete(accesscontrol.GetUserPermissionCacheKey(user))
s.cache.Delete(accesscontrol.GetUserDirectPermissionCacheKey(user)) s.cache.Delete(accesscontrol.GetUserDirectPermissionCacheKey(user))
} }

4
pkg/services/accesscontrol/cacheutils.go
Unescape View File

@ -30,10 +30,6 @@ func (s *SearchOptions) HashString() (string, error) {
return base64.StdEncoding.EncodeToString(h.Sum(nil)), nil return base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
} }
func GetUserPermissionCacheKey(user identity.Requester) string {
return fmt.Sprintf("rbac-permissions-%s", user.GetCacheKey())
}
func GetSearchPermissionCacheKey(log log.Logger, user identity.Requester, searchOptions SearchOptions) (string, error) { func GetSearchPermissionCacheKey(log log.Logger, user identity.Requester, searchOptions SearchOptions) (string, error) {
searchHash, err := searchOptions.HashString() searchHash, err := searchOptions.HashString()
if err != nil { if err != nil {

66
pkg/services/accesscontrol/cacheutils_test.go
Unescape View File

@ -6,78 +6,12 @@ import (
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
claims "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user" "github.com/grafana/grafana/pkg/services/user"
) )
var testLogger = log.New("test") var testLogger = log.New("test")
func TestPermissionCacheKey(t *testing.T) {
testcases := []struct {
name string
signedInUser *user.SignedInUser
expected string
}{
{
name: "should return correct key for user",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-user-1",
},
{
name: "should return correct key for api key",
signedInUser: &user.SignedInUser{
OrgID: 1,
ApiKeyID: 1,
IsServiceAccount: false,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-api-key-1",
},
{
name: "should return correct key for service account",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
IsServiceAccount: true,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-service-account-1",
},
{
name: "should return correct key for matching a service account with userId -1",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: -1,
IsServiceAccount: true,
FallbackType: claims.TypeUser, // NOTE, this is still a service account!
},
expected: "rbac-permissions-1-service-account--1",
},
{
name: "should use org role if no unique id",
signedInUser: &user.SignedInUser{
OrgID: 1,
OrgRole: org.RoleNone,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-user-None",
},
}
for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) {
assert.Equal(t, tc.expected, GetUserPermissionCacheKey(tc.signedInUser))
})
}
}
func TestGetSearchPermissionCacheKey(t *testing.T) { func TestGetSearchPermissionCacheKey(t *testing.T) {
keyInputs := []struct { keyInputs := []struct {
signedInUser *user.SignedInUser signedInUser *user.SignedInUser

Write Preview
Loading…
Cancel
Save