inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged DEV/ALAN/SITE_PERF to HEAD

Browse Source 
30342: Dev branch for Site performance issues (including rework of AuthorityService.getAuthorities() to use a 'lazy' set and DM indexing rework)
   ALF-9899 Huge share site migration, add group to site and user access site related performance issue.
   ALF-9208 Performance issue, during load tests /share/page/user/user-sites is showing to be the most expensive.
   ALF-9692 Performance: General performance of Alfresco degrades when there are 1000s of sites present
   - ancestor-preloading
   - hasAuthority
   - huge site test
   30370: - Save changed to do with adding childAuthorityCache to AuthorityDAOImpl
   - Increase aspectsTransactionalCache size as it blows up
   30387: Experimental solution to 'cascading reindex' performance problem
   - Now only Lucene container documents for a single subtree are reprocessed on addition / removal of a secondary child association
   - No need to delete and re-evaluate ALL the paths to all the nodes in the subtree - just the paths within the subtree
   - Lucene deltas now store the IDs of ANCESTORs to mask out as well as documents to reindex
   - Merge handles deletion of these efficiently
   - Node service cycle checks changed from getPaths to recursive cycleCheck method
   - Adding a group to 60,000 sites might not require all paths to all sites to be re-evaluated on every change!
   30389: Missed files from last checkin
   30390: Optimizations / fixes to Alan's test!
   30393: Bug fix - wasn't adding new documents into the index!
   30397: Fixed a problem with bulk loading trying to bulk load zero parent associations
   Also tweaked reindex calls
   30399: Correction - don't cascade below containers during path cascading
   30400: Another optimization - no need to trigger node bulk loading during path cascading - pass false for the preload flag
   30404: Further optimizations
   - On creation of a secondary child association, make a decision on whether it is cheaper to cascade reindex the parent or the child, based on the number of parent associations to the child
     - Assumes that if there are more than 5 parent associations, it's cheaper to cascade reindex the parent
     - Add a new authority to a zone (containing 60,000 authorities) - cascade reindex the authority, not the zone
     - Add a group (in 60,000 sites) to a site - cascade reindex the site, not the group
   - Caching of child associations already traversed during cascade reindexing
   - Site creation time much reduced!
   30407: Logic fix: Use 'delete only nodes' behaviour on DM index filtering and merging, now we are managing container deletions separately
   30408: Small correction related to last change.
   30409: Correction to deletion reindex behaviour (no need to regenerate masked out containers)
   - Site CRUD operations now all sub-second with 60,000 sites!
   30410: Stop the heartbeat from trying to load and count all site groups
   - Too expensive, as we might have 60,000 sites, each with 4 groups
   - Now just counts the groups in the default zone (the UI visible ones)
   30411: Increased lucene parameters to allow for 'path explosion'
   - 9 million lucene documents in my index after creating 60,000 Share sites (most of them probably paths) resulting in sluggish index write performance
   - Set lucene.indexer.mergerTargetIndexCount=8 (142 documents in smallest index)
   - Increased lucene.indexer.maxDocsForInMemoryMerge, lucene.indexer.maxDocsForInMemoryIndex
   30412: Test fixes
   30413: Revert 'parent association batch loading' changes (as it was a bad idea and is no longer necessary!)
   - Retain a few caching bug fixes however
   30416: Moved UserAuthoritySet (lazy load authority set) from PermissionServiceImpl to AuthorityServiceImpl
   30418: - Remove 'new' hasAuthority from authorityService so it is back to where we started.
   - SiteServiceHugeTest minor changes
   30421: Prevent creation of a duplicate root node on updating the root
   - Use the ANCESTOR field rather than ISCONTAINER to detect a node document, as the root node is both a container and a node!
   30447: Pulled new indexing behaviour into ADMLuceneIndexerImpl and restored old behaviour to AVMLuceneIndexerImpl to restore normal AVM behaviour
   30448: - Cache in PermissionServiceImpl cleared if an authority container has an association added or removed
     Supports the generateKey method which includes the username
     Supports changes in group structures
   - Moved logic to do with ROLE_GUEST from PermissionServiceImpl to AuthorityServiceImpl 
   30465: - Tidy up tests in SiteServiceTestHuge 
   30532: - Added getContainingAuthoritiesInZone to AuthorityService
     - Dave Changed PeopleService.getContainerGroups to only return groups in the DEFAULT zone
   - Fixed RM code to use getAuthoritiesForUser method with just the username again.
   30558: Build fixes
   - Fixed cycleCheck to throw a CyclicChildRelationshipException
   - More tidy up of AVM / ADM indexer split
   - Properly control when path generation is cascaded (not required on a full reindex or a tracker transaction)
   - Support indexing of a 'fake root' parent. Ouch my head hurts!
   30588: Build fixes
   - StringIndexOutOfBoundsException in NodeMonitor
   - Corrections to 'node only' delete behaviour
   - Use the PATH field to detect non-leaf nodes (it's the only stored field with which we can recognize the root)
   - Moved DOD5015Test.testVitalRecords() to the end - the only way I could work out how to get the full TestCase to run
   30600: More build fixes
   - Broadcast ALL node deletions to indexer (even those from cascade deletion of primary associations)
     - Allows indexer to wipe out all affected documents from the delta even if some have already been flushed under different parents by an intricate DOD unit test!
   - Pause FTS in DOD5015Test to prevent intermittent test failures (FTS can temporarily leave deleted documents in the index until it catches up)
   - More tidy up of ADMLuceneIndexerImpl
     - flushPending optimized and some unnecessary member variables removed
     - correction to cascade deletion behaviour (leave behind containers of unaffected secondary references)
     - unused MOVE action removed
     - further legacy logic moved into AVMLuceneIndexerImpl
   30620: More build fixes
   - Cope with a node morphing from a 'leaf' to a container during its lifetime
   - Container documents now created lazily in index as and when necessary
   - Blank out 'nth sibling' field of synthesized paths
   - ADMLuceneTest now passes!
   - TaggingServiceImplTest also passes - more special treatment for categories
   30627: Multi tenancy fixes
   30629: Possible build fix - retrying transaction in ReplicationServiceIntegrationTest.tearDown()
   30632: Build fix - lazy container generation after a move
   30636: Build fix: authority comparisons are case sensitive, even when that authority corresponds to a user (PermissionServiceTest.testPermissionCase())
   30638: Run SiteServiceTestHuge form a cmd line
      set SITE_CPATH=%TOMCAT_HOME%/lib/*;%TOMCAT_HOME%/endorsed/*;%TOMCAT_HOME%/webapps/alfresco/WEB-INF/lib/*;\
                     %TOMCAT_HOME%/webapps/alfresco/WEB-INF/classes;%TOMCAT_HOME%/shared/classes;
      java -Xmx2048m -XX:MaxPermSize=512M -classpath %SITE_CPATH% org.alfresco.repo.site.SiteServiceTestHuge ...
   
      Usage: -Daction=usersOnly
             -Dfrom=<fromSiteId> -Dto=<toSiteId>
             -Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=sites  -Drestart=<restartAtSiteId>
             -Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=groups -Drestart=<restartAtSiteId>
   30639: Minor changes to commented out command line code for SiteServiceTestHuge
   30643: Round of improvements to MySites dashlet relating to huge DB testing:
    - 10,000 site database, user is a member of ~2000 sites
    - Improvements to site.lib.ftl and related SiteService methods
    - To return MySites dashlet for the user, order of magnitude improvement from 7562ms to 618ms in the profiler (now ~350ms in the browser)
   30644: Fixed performance regression - too much opening and closing of the delta reader and writer
   30661: More reader opening / closing
   30668: Performance improvements to Site Finder and My Sites in user profile page.
    - faster to bring back lists and site memberships (used by the Site Finder)
    - related further improvements to APIs used by this and My Sites on dashboard
   30713: Configuration for MySites dashlet maximum list size
   30725: Merged V3.4-BUG-FIX to DEV/ALAN/SITE_PERF
      30708: ALF-10040: Added missing ReferenceCountingReadOnlyIndexReaderFactory wrapper to IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader() to make it consistent with IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader(String, Set<String>, boolean) and allow SingleFieldSelectors to make it through from LeafScorer to the path caches! Affects ALL Lucene queries that run OUTSIDE of a transaction.
   30729: Use getAuthoritiesForUser rather than getContainingAuthorities if possible.
   SiteServiceTestHuge: command line version
   30733: Performance improves to user dashboard relating to User Calendar 
    - converted web-tier calendar dashlet to Ajax client-side rendering - faster user experience and also less load on the web-tier
    - improvements to query from Andy
    - maximum sites/list size to query now configurable (default 100 instead of previously 1000)
   30743: Restore site CRUD performance from cold caches
   - Introduced NodeService.getAllRootNodes(), returning all nodes in a store with the root aspect, backed by a transactional cache and invalidated at key points
   - Means indexing doesn't have to load all parent nodes just to check for 'fake roots'
   - Site CRUD performance now back to sub-second with 60,000 nodes
   30747: Improvement to previous checkin - prevent cross cluster invalidation of every store root when a single store drops out of the cache
   30748: User dashboard finally loading within seconds with 60,000 sites, 60 groups, 100 users (thanks mostly to Kev's UI changes)
   - post-process IBatis mapped statements with MySQL dialect to apply fetchSize=Integer.MIN_VALUE to all _Limited statements
      - Means we can stream first 10,000 site groups without the MySQL JDBC driver reading all 240,000 into memory
   - New NodeService getChildAssocs method with a maxResults argument (makes use of the above)
   - Perfected getContainingAuthoritiesInZone implementation, adding a cutoff parameter, allowing only the first 1000 site memberships to be returned quickly and caches to be warmed for ACL evaluations
   - New cache of first 10,000 groups in APP.SHARE zone
   - Cache sizes tuned for 60,000 site scenario
   - Site service warms caches on bootstrap
   - PreferencesService applies ASPECT_IGNORE_INHERITED_RULES to person node to prevent the rule service trying to crawl the group hierarchy on a preference save
   - WorkflowServiceImpl.getPooledTasks only looks in APP.DEFAULT zone (thus avoiding site group noise)
   30749: Fix compilation errors
   30761: Minor change to SiteServiceTestHuge
   30762: Derek code review: Reworked fetchSize specification for select_ChildAssocsOfParent_Limited statement for MySQL
   - Now fetchSize stated explicitly in a MySQL specific config file resolved by the HierarchicalResourceLoader
   - No need for any Java-based post processing
   30763: Build fix: don't add a user into its own authorities (until specifically asked to)
   30767: Build fix
   - IBatis / MySQL needs a streaming result statement to be run in an isolation transaction (because it doesn't release PreparedStatements until the end)
   30771: Backed out previous change which was fundamentally flawed
   - Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache
   30772: Backed out previous change which was fundamentally flawed
   - Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30797 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
2011-09-27 12:24:57 +00:00
parent f4830cff15
commit 2e62d4fb29
47 changed files with 3536 additions and 1028 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
source/java/org/alfresco/repo/security/authority/AuthorityDAO.java
View File

@@ -25,6 +25,7 @@ import org.alfresco.query.PagingRequest;
import org.alfresco.query.PagingResults;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.AuthorityService.AuthorityFilter;
public interface AuthorityDAO
{
@@ -62,6 +63,8 @@ public interface AuthorityDAO
*/
Set<String> getContainedAuthorities(AuthorityType type, String parentName, boolean immediate);
public boolean isAuthorityContained(NodeRef authorityNodeRef, String authorityToFind);
/**
* Remove an authority.
*
@@ -80,6 +83,20 @@ public interface AuthorityDAO
*/
Set<String> getContainingAuthorities(AuthorityType type, String name, boolean immediate);
/**
* Get a set of authorities with varying filter criteria
*
* @param type authority type or null for all types
* @param authority if non-null, only return those authorities who contain this authority
* @param zoneName if non-null, only include authorities in the named zone
* @param filter optional callback to apply further filter criteria or null
* @param size if greater than zero, the maximum results to return. The search strategy used is varied depending on this number.
* @return a set of authorities
*/
public Set<String> getContainingAuthoritiesInZone(AuthorityType type, String authority, final String zoneName, AuthorityFilter filter, int size);
/**
* Get authorities by type and/or zone
*

189
source/java/org/alfresco/repo/security/authority/AuthorityDAOImpl.java
View File

@@ -44,6 +44,8 @@ import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.search.impl.lucene.AbstractLuceneQueryParser;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.person.PersonServiceImpl;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
@@ -61,6 +63,7 @@ import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.NoSuchPersonException;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.cmr.security.PersonService.PersonInfo;
import org.alfresco.service.cmr.security.AuthorityService.AuthorityFilter;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
@@ -102,7 +105,13 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
private SimpleCache<Pair<String, String>, NodeRef> authorityLookupCache;
private static final NodeRef NULL_NODEREF = new NodeRef("null", "null", "null");
private SimpleCache<String, Set<String>> userAuthorityCache;
private SimpleCache<Pair<String, String>, List<ChildAssociationRef>> zoneAuthorityCache;
private SimpleCache<NodeRef, List<ChildAssociationRef>> childAuthorityCache;
/** System Container ref cache (Tennant aware) */
private Map<String, NodeRef> systemContainerRefs = new ConcurrentHashMap<String, NodeRef>(4);
@@ -111,6 +120,9 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
private PolicyComponent policyComponent;
/** The number of authorities in a zone to pre-cache, allowing quick generation of 'first n' results. */
private int zoneAuthoritySampleSize = 10000;
private NamedObjectRegistry<CannedQueryFactory<AuthorityInfo>> cannedQueryRegistry;
public AuthorityDAOImpl()
@@ -118,6 +130,19 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
super();
}
/**
* Sets number of authorities in a zone to pre-cache, allowing quick generation of 'first n' results and adaption of
* search technique based on hit rate.
*
* @param zoneAuthoritySampleSize
* the zoneAuthoritySampleSize to set
*/
public void setZoneAuthoritySampleSize(int zoneAuthoritySampleSize)
{
this.zoneAuthoritySampleSize = zoneAuthoritySampleSize;
}
public void setStoreUrl(String storeUrl)
{
this.storeRef = new StoreRef(storeUrl);
@@ -155,6 +180,16 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
{
this.userAuthorityCache = userAuthorityCache;
}
public void setZoneAuthorityCache(SimpleCache<Pair<String, String>, List<ChildAssociationRef>> zoneAuthorityCache)
{
this.zoneAuthorityCache = zoneAuthorityCache;
}
public void setChildAuthorityCache(SimpleCache<NodeRef, List<ChildAssociationRef>> childAuthorityCache)
{
this.childAuthorityCache = childAuthorityCache;
}
public void setPersonService(PersonService personService)
{
@@ -208,6 +243,7 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
throw new AlfrescoRuntimeException("Authorities of the type " + authorityType
+ " may not be added to other authorities");
}
childAuthorityCache.remove(parentRef);
parentRefs.add(parentRef);
}
NodeRef childRef = getAuthorityOrNull(childName);
@@ -247,10 +283,13 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
if (authorityZones != null)
{
Set<NodeRef> zoneRefs = new HashSet<NodeRef>(authorityZones.size() * 2);
String currentUserDomain = tenantService.getCurrentUserDomain();
for (String authorityZone : authorityZones)
{
zoneRefs.add(getOrCreateZone(authorityZone));
zoneAuthorityCache.remove(new Pair<String, String>(currentUserDomain, authorityZone));
}
zoneAuthorityCache.remove(new Pair<String, String>(currentUserDomain, null));
nodeService.addChild(zoneRefs, childRef, ContentModel.ASSOC_IN_ZONE, QName.createQName("cm", name, namespacePrefixResolver));
}
authorityLookupCache.put(cacheKey(name), childRef);
@@ -269,9 +308,17 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
{
throw new UnknownAuthorityException("An authority was not found for " + name);
}
nodeService.deleteNode(nodeRef);
String currentUserDomain = tenantService.getCurrentUserDomain();
for (String authorityZone : getAuthorityZones(name))
{
zoneAuthorityCache.remove(new Pair<String, String>(currentUserDomain, authorityZone));
}
zoneAuthorityCache.remove(new Pair<String, String>(currentUserDomain, null));
removeParentsFromChildAuthorityCache(nodeRef);
authorityLookupCache.remove(cacheKey(name));
userAuthorityCache.clear();
nodeService.deleteNode(nodeRef);
}
// Get authorities by type and/or zone (both cannot be null)
@@ -626,6 +673,7 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
throw new UnknownAuthorityException("An authority was not found for " + childName);
}
nodeService.removeChild(parentRef, childRef);
childAuthorityCache.remove(parentRef);
if (AuthorityType.getAuthorityType(childName) == AuthorityType.USER)
{
userAuthorityCache.remove(childName);
@@ -671,6 +719,94 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
}
}
public Set<String> getContainingAuthoritiesInZone(AuthorityType type, String authority, final String zoneName, AuthorityFilter filter, int size)
{
// Retrieved the cached 'sample' of authorities in the zone
String currentUserDomain = tenantService.getCurrentUserDomain();
Pair<String, String> cacheKey = new Pair<String, String>(currentUserDomain, zoneName);
List<ChildAssociationRef> zoneAuthorities = zoneAuthorityCache.get(cacheKey);
final int maxToProcess = Math.max(size, zoneAuthoritySampleSize);
if (zoneAuthorities == null)
{
zoneAuthorities = AuthenticationUtil.runAs(new RunAsWork<List<ChildAssociationRef>>()
{
@Override
public List<ChildAssociationRef> doWork() throws Exception
{
NodeRef root = zoneName == null ? getAuthorityContainer() : getZone(zoneName);
if (root == null)
{
return Collections.emptyList();
}
return nodeService.getChildAssocs(root, null, null, maxToProcess, false);
}
}, tenantService.getDomainUser(AuthenticationUtil.getSystemUserName(), currentUserDomain));
zoneAuthorityCache.put(cacheKey, zoneAuthorities);
}
// Now search each for the required authority. If the number of results is greater than or close to the size
// limit, then this will be the most efficient route
Set<String> result = new TreeSet<String>();
final int maxResults = size > 0 ? size : Integer.MAX_VALUE;
int hits = 0, processed = 0;
for (ChildAssociationRef groupAssoc : zoneAuthorities)
{
String containing = groupAssoc.getQName().getLocalName();
AuthorityType containingType = AuthorityType.getAuthorityType(containing);
processed++;
// Cache the authority by key, if appropriate
switch (containingType)
{
case USER:
case ADMIN:
case GUEST:
break;
default:
Pair <String, String> containingKey = cacheKey(containing);
if (!authorityLookupCache.contains(containingKey))
{
authorityLookupCache.put(containingKey, groupAssoc.getChildRef());
}
}
if ((type == null || containingType == type)
&& (authority == null || isAuthorityContained(groupAssoc.getChildRef(), authority))
&& (filter == null || filter.includeAuthority(containing)))
{
result.add(containing);
if (++hits == maxResults)
{
break;
}
}
// If this top down search is not providing an adequate hit count then resort to a naiive unlimited search
if (processed >= maxToProcess)
{
if (authority == null)
{
return new HashSet<String>(getAuthorities(type, zoneName, null, false, true, new PagingRequest(0, maxResults, null)).getPage());
}
Set<String> newResult = getContainingAuthorities(type, authority, false);
result.clear();
int i=0;
for (String container : newResult)
{
if ((filter == null || filter.includeAuthority(container)
&& (zoneName == null || getAuthorityZones(container).contains(zoneName))))
{
result.add(container);
if (++i >= maxResults)
{
break;
}
}
}
break;
}
}
return result;
}
public String getShortName(String name)
{
AuthorityType type = AuthorityType.getAuthorityType(name);
@@ -804,6 +940,44 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
}
}
}
// Take advantage of the fact that the authority name is on the child association
public boolean isAuthorityContained(NodeRef authorityNodeRef, String authorityToFind)
{
List<ChildAssociationRef> cars = childAuthorityCache.get(authorityNodeRef);
if (cars == null)
{
cars = nodeService.getChildAssocs(authorityNodeRef, RegexQNamePattern.MATCH_ALL,
RegexQNamePattern.MATCH_ALL, false);
childAuthorityCache.put(authorityNodeRef, cars);
}
// Loop over children recursively to find authorityToFind
for (ChildAssociationRef car : cars)
{
String authorityName = car.getQName().getLocalName();
if (authorityToFind.equals(authorityName)
|| AuthorityType.getAuthorityType(authorityName) != AuthorityType.USER
&& isAuthorityContained(car.getChildRef(), authorityToFind))
{
return true;
}
}
return false;
}
private void removeParentsFromChildAuthorityCache(NodeRef nodeRef)
{
for (ChildAssociationRef car: nodeService.getParentAssocs(nodeRef))
{
NodeRef parentRef = car.getParentRef();
if (dictionaryService.isSubClass(nodeService.getType(parentRef), ContentModel.TYPE_AUTHORITY_CONTAINER))
{
childAuthorityCache.remove(parentRef);
}
}
}
private NodeRef getAuthorityOrNull(String name)
{
@@ -829,13 +1003,10 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
{
List<ChildAssociationRef> results = nodeService.getChildAssocs(getAuthorityContainer(),
ContentModel.ASSOC_CHILDREN, QName.createQName("cm", name, namespacePrefixResolver), false);
if (!results.isEmpty())
{
result = results.get(0).getChildRef();
authorityLookupCache.put(cacheKey, result);
}
result = results.isEmpty() ? NULL_NODEREF :results.get(0).getChildRef();
authorityLookupCache.put(cacheKey, result);
}
return result;
return result == NULL_NODEREF ? null : result;
}
}
catch (NoSuchPersonException e)
@@ -1084,6 +1255,7 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
public void beforeDeleteNode(NodeRef nodeRef)
{
userAuthorityCache.remove(getAuthorityName(nodeRef));
removeParentsFromChildAuthorityCache(nodeRef);
}
public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after)
@@ -1109,7 +1281,6 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
// Fix any ACLs
aclDao.renameAuthority(authBefore, authAfter);
}
// Fix primary association local name
QName newAssocQName = QName.createQName("cm", authAfter, namespacePrefixResolver);
@@ -1137,7 +1308,7 @@ public class AuthorityDAOImpl implements AuthorityDAO, NodeServicePolicies.Befor
{
userAuthorityCache.remove(authBefore);
}
removeParentsFromChildAuthorityCache(nodeRef);
}
else
{

191
source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java
View File

@@ -18,12 +18,15 @@
*/
package org.alfresco.repo.security.authority;
import java.util.AbstractSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.alfresco.query.PagingRequest;
import org.alfresco.query.PagingResults;
@@ -123,6 +126,7 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
this.guestGroups = guestGroups;
}
@Override
public void afterPropertiesSet() throws Exception
{
// Fully qualify the admin group names
@@ -199,6 +203,32 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
return getAuthoritiesForUser(canonicalName).contains(PermissionService.GUEST_AUTHORITY);
}
/**
* Checks if the {@code authority} (normally a username) is the same as or is contained
* within the {@code parentAuthority}.
* @param authority
* @param parentAuthority a normalized, case sensitive authority name
* @return {@code true} if does, {@code false} otherwise.
*/
private boolean hasAuthority(String authority, String parentAuthority)
{
if (parentAuthority.equals(authority))
{
return true;
}
// Even users are matched case sensitively in ACLs
if (AuthorityType.getAuthorityType(parentAuthority) == AuthorityType.USER)
{
return false;
}
NodeRef nodeRef = authorityDAO.getAuthorityNodeRefOrNull(parentAuthority);
if (nodeRef == null)
{
return false;
}
return authorityDAO.isAuthorityContained(nodeRef, authority);
}
/**
* {@inheritDoc}
*/
@@ -214,16 +244,17 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
*/
public Set<String> getAuthoritiesForUser(String currentUserName)
{
Set<String> authorities = new HashSet<String>(64);
authorities.addAll(getContainingAuthorities(null, currentUserName, false));
// Work out mapped roles
return new UserAuthoritySet(currentUserName);
}
// Return mapped roles
private Set<String> getRoleAuthorities(String currentUserName)
{
Set<String> authorities = new TreeSet<String>();
// Check named guest and admin users
Set<String> adminUsers = this.authenticationService.getDefaultAdministratorUserNames();
Set<String> guestUsers = this.authenticationService.getDefaultGuestUserNames();
Set<String> adminUsers = authenticationService.getDefaultAdministratorUserNames();
Set<String> guestUsers = authenticationService.getDefaultGuestUserNames();
String defaultGuestName = AuthenticationUtil.getGuestUserName();
if (defaultGuestName != null && defaultGuestName.length() > 0)
@@ -236,23 +267,32 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
boolean isGuestUser = containsMatch(guestUsers, currentUserName);
// Check if any of the user's groups are listed as admin groups
if (!isAdminUser && !adminGroups.isEmpty())
if (!isAdminUser)
{
for (String authority : authorities)
for (String authority : adminGroups)
{
if (adminGroups.contains(authority) || adminGroups.contains(tenantService.getBaseNameUser(authority)))
if (hasAuthority(currentUserName, authority) || hasAuthority(currentUserName, tenantService.getBaseNameUser(authority)))
{
isAdminUser = true;
break;
}
}
}
// Check if any of the user's groups are listed as guest groups
if (!isAdminUser && !isGuestUser && !guestGroups.isEmpty())
// Check if user name matches (ignore case) "ROLE_GUEST", if so its a guest. Code originally in PermissionService.
if (!isAdminUser && !isGuestUser &&
tenantService.getBaseNameUser(currentUserName).equalsIgnoreCase(AuthenticationUtil.getGuestUserName()))
{
for (String authority : authorities)
isGuestUser = true;
}
// Check if any of the user's groups are listed as guest groups
if (!isAdminUser && !isGuestUser)
{
for (String authority : guestGroups)
{
if (guestGroups.contains(authority) || guestGroups.contains(tenantService.getBaseNameUser(authority)))
if (hasAuthority(currentUserName, authority) || hasAuthority(currentUserName, tenantService.getBaseNameUser(authority)))
{
isGuestUser = true;
break;
@@ -274,6 +314,7 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
{
authorities.addAll(guestSet);
}
return authorities;
}
@@ -501,6 +542,12 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
/**
* {@inheritDoc}
*/
public Set<String> getContainingAuthoritiesInZone(AuthorityType type, String authority, final String zoneName, AuthorityFilter filter, int size)
{
return authorityDAO.getContainingAuthoritiesInZone(type, authority, zoneName, filter, size);
}
@Override
public void removeAuthority(String parentName, String childName)
{
authorityDAO.removeAuthority(parentName, childName);
@@ -645,4 +692,118 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
{
return authorityDAO.getShortName(name);
}
/**
* Lazy load set of authorities. Try not to iterate or ask for the size. Needed for the case where there
* is a large number of sites/groups.
*
* @author David Ward, Alan Davis
*/
public final class UserAuthoritySet extends AbstractSet<String>
{
private final String username;
private Set<String> positiveHits;
private Set<String> negativeHits;
private boolean allAuthoritiesLoaded;
/**
* @param username
* @param auths
*/
public UserAuthoritySet(String username)
{
this.username = username;
positiveHits = getRoleAuthorities(username);
negativeHits = new TreeSet<String>();
}
// Try to avoid evaluating the full set unless we have to!
private Set<String> getAllAuthorities()
{
if (!allAuthoritiesLoaded)
{
allAuthoritiesLoaded = true;
Set<String> tmp = positiveHits; // must add role authorities back in.
positiveHits = getContainingAuthorities(null, username, false);
positiveHits.addAll(tmp);
negativeHits = null;
}
return positiveHits;
}
@Override
public boolean removeAll(Collection<?> c) {
throw new UnsupportedOperationException();
}
@Override
public boolean add(String e)
{
return positiveHits.add(e);
}
@Override
public void clear()
{
throw new UnsupportedOperationException();
}
@Override
public boolean contains(Object o)
{
if (!(o instanceof String))
{
return false;
}
if (positiveHits.contains(o))
{
return true;
}
if (allAuthoritiesLoaded || negativeHits.contains(o))
{
return false;
}
// Remember positive and negative hits for next time
if (hasAuthority(username, (String) o))
{
positiveHits.add((String) o);
return true;
}
else
{
negativeHits.add((String)o);
return false;
}
}
@Override
public boolean remove(Object o)
{
throw new UnsupportedOperationException();
}
@Override
public boolean retainAll(Collection<?> c)
{
throw new UnsupportedOperationException();
}
@Override
public Iterator<String> iterator()
{
return getAllAuthorities().iterator();
}
@Override
public int size()
{
return getAllAuthorities().size();
}
public Object getUsername()
{
return username;
}
}
}