IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Access control: Fix searching permissions from cache (#87489)

Browse Source 
* Fix searching permissions from cache

* Write permissions to cache
This commit is contained in:
Alexander Zobnin 2024-05-08 16:08:21 +02:00 committed by GitHub
parent 41b29ff93c
commit d1c582815a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 37 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/services/accesscontrol/acimpl/service.go
View File

@ -246,7 +246,7 @@ func (s *Service) getCachedBasicRolesPermissions(ctx context.Context, user ident
} }
func (s *Service) getCachedBasicRolePermissions(ctx context.Context, role string, orgID int64, options accesscontrol.Options) ([]accesscontrol.Permission, error) { func (s *Service) getCachedBasicRolePermissions(ctx context.Context, role string, orgID int64, options accesscontrol.Options) ([]accesscontrol.Permission, error) {
key := basicRoleCacheKey(role, orgID) key := accesscontrol.GetBasicRolePermissionCacheKey(role, orgID)
getPermissionsFn := func() ([]accesscontrol.Permission, error) { getPermissionsFn := func() ([]accesscontrol.Permission, error) {
return s.getBasicRolePermissions(ctx, role, orgID) return s.getBasicRolePermissions(ctx, role, orgID)
} }
@ -257,7 +257,7 @@ func (s *Service) getCachedUserDirectPermissions(ctx context.Context, user ident
ctx, span := s.tracer.Start(ctx, "authz.getCachedUserDirectPermissions") ctx, span := s.tracer.Start(ctx, "authz.getCachedUserDirectPermissions")
defer span.End() defer span.End()
key := permissionCacheKey(user) key := accesscontrol.GetUserDirectPermissionCacheKey(user)
getUserPermissionsFn := func() ([]accesscontrol.Permission, error) { getUserPermissionsFn := func() ([]accesscontrol.Permission, error) {
return s.getUserDirectPermissions(ctx, user) return s.getUserDirectPermissions(ctx, user)
} }
@ -302,7 +302,7 @@ func (s *Service) getCachedTeamsPermissions(ctx context.Context, user identity.R
if !options.ReloadCache { if !options.ReloadCache {
miss = make([]int64, 0) miss = make([]int64, 0)
for _, teamID := range teams { for _, teamID := range teams {
key := teamCacheKey(teamID, orgID) key := accesscontrol.GetTeamPermissionCacheKey(teamID, orgID)
teamPermissions, ok := s.cache.Get(key) teamPermissions, ok := s.cache.Get(key)
if ok { if ok {
metrics.MAccessPermissionsCacheUsage.WithLabelValues(accesscontrol.CacheHit).Inc() metrics.MAccessPermissionsCacheUsage.WithLabelValues(accesscontrol.CacheHit).Inc()
@ -322,7 +322,7 @@ func (s *Service) getCachedTeamsPermissions(ctx context.Context, user identity.R
} }
for teamID, teamPermissions := range teamsPermissions { for teamID, teamPermissions := range teamsPermissions {
key := teamCacheKey(teamID, orgID) key := accesscontrol.GetTeamPermissionCacheKey(teamID, orgID)
s.cache.Set(key, teamPermissions, cacheTTL) s.cache.Set(key, teamPermissions, cacheTTL)
permissions = append(permissions, teamPermissions...) permissions = append(permissions, teamPermissions...)
} }
@ -332,7 +332,8 @@ func (s *Service) getCachedTeamsPermissions(ctx context.Context, user identity.R
} }
func (s *Service) ClearUserPermissionCache(user identity.Requester) { func (s *Service) ClearUserPermissionCache(user identity.Requester) {
s.cache.Delete(permissionCacheKey(user)) s.cache.Delete(accesscontrol.GetPermissionCacheKey(user))
s.cache.Delete(accesscontrol.GetUserDirectPermissionCacheKey(user))
} }
func (s *Service) DeleteUserPermissions(ctx context.Context, orgID int64, userID int64) error { func (s *Service) DeleteUserPermissions(ctx context.Context, orgID int64, userID int64) error {
@ -552,6 +553,9 @@ func (s *Service) searchUserPermissions(ctx context.Context, orgID int64, search
} }
permissions = append(permissions, dbPermissions[userID]...) permissions = append(permissions, dbPermissions[userID]...)
key := accesscontrol.GetPermissionCacheKey(&user.SignedInUser{UserID: userID, OrgID: orgID})
s.cache.Set(key, permissions, cacheTTL)
return permissions, nil return permissions, nil
} }
@ -567,7 +571,7 @@ func (s *Service) searchUserPermissionsFromCache(orgID int64, searchOptions acce
OrgID: orgID, OrgID: orgID,
} }
key := permissionCacheKey(tempUser) key := accesscontrol.GetPermissionCacheKey(tempUser)
permissions, ok := s.cache.Get((key)) permissions, ok := s.cache.Get((key))
if !ok { if !ok {
metrics.MAccessSearchUserPermissionsCacheUsage.WithLabelValues(accesscontrol.CacheMiss).Inc() metrics.MAccessSearchUserPermissionsCacheUsage.WithLabelValues(accesscontrol.CacheMiss).Inc()
@ -651,17 +655,3 @@ func (s *Service) GetRoleByName(ctx context.Context, orgID int64, roleName strin
}) })
return role, err return role, err
} }
func permissionCacheKey(user identity.Requester) string {
return fmt.Sprintf("rbac-permissions-%s", user.GetCacheKey())
}
func basicRoleCacheKey(role string, orgID int64) string {
roleKey := strings.Replace(role, " ", "_", -1)
roleKey = strings.ToLower(roleKey)
return fmt.Sprintf("rbac-permissions-basic-role-%d-%s", orgID, roleKey)
}
func teamCacheKey(teamID int64, orgID int64) string {
return fmt.Sprintf("rbac-permissions-team-%d-%d", orgID, teamID)
}

2
pkg/services/accesscontrol/acimpl/service_test.go
View File

@ -805,7 +805,7 @@ func TestPermissionCacheKey(t *testing.T) {
} }
for _, tc := range testcases { for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
assert.Equal(t, tc.expected, permissionCacheKey(tc.signedInUser)) assert.Equal(t, tc.expected, accesscontrol.GetPermissionCacheKey(tc.signedInUser))
}) })
} }
} }

26
pkg/services/accesscontrol/cacheutils.go Normal file
View File

@ -0,0 +1,26 @@
package accesscontrol
import (
"fmt"
"strings"
"github.com/grafana/grafana/pkg/services/auth/identity"
)
func GetPermissionCacheKey(user identity.Requester) string {
return fmt.Sprintf("rbac-permissions-%s", user.GetCacheKey())
}
func GetUserDirectPermissionCacheKey(user identity.Requester) string {
return fmt.Sprintf("rbac-permissions-direct-%s", user.GetCacheKey())
}
func GetBasicRolePermissionCacheKey(role string, orgID int64) string {
roleKey := strings.Replace(role, " ", "_", -1)
roleKey = strings.ToLower(roleKey)
return fmt.Sprintf("rbac-permissions-basic-role-%d-%s", orgID, roleKey)
}
func GetTeamPermissionCacheKey(teamID int64, orgID int64) string {
return fmt.Sprintf("rbac-permissions-team-%d-%d", orgID, teamID)
}