mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
Merged DEV/ALAN/SITE_PERF to HEAD
30342: Dev branch for Site performance issues (including rework of AuthorityService.getAuthorities() to use a 'lazy' set and DM indexing rework)
   ALF-9899 Huge share site migration, add group to site and user access site related performance issue.
   ALF-9208 Performance issue, during load tests /share/page/user/user-sites is showing to be the most expensive.
   ALF-9692 Performance: General performance of Alfresco degrades when there are 1000s of sites present
   - ancestor-preloading
   - hasAuthority
   - huge site test
30370:
   - Save changed to do with adding childAuthorityCache to AuthorityDAOImpl
   - Increase aspectsTransactionalCache size as it blows up
30387: Experimental solution to 'cascading reindex' performance problem
   - Now only Lucene container documents for a single subtree are reprocessed on addition / removal of a secondary child association
   - No need to delete and re-evaluate ALL the paths to all the nodes in the subtree - just the paths within the subtree
   - Lucene deltas now store the IDs of ANCESTORs to mask out as well as documents to reindex
   - Merge handles deletion of these efficiently
   - Node service cycle checks changed from getPaths to recursive cycleCheck method
   - Adding a group to 60,000 sites might not require all paths to all sites to be re-evaluated on every change!
30389: Missed files from last checkin
30390: Optimizations / fixes to Alan's test!
30393: Bug fix - wasn't adding new documents into the index!
30397: Fixed a problem with bulk loading trying to bulk load zero parent associations
   Also tweaked reindex calls
30399: Correction - don't cascade below containers during path cascading
30400: Another optimization - no need to trigger node bulk loading during path cascading - pass false for the preload flag
30404: Further optimizations
   - On creation of a secondary child association, make a decision on whether it is cheaper to cascade reindex the parent or the child, based on the number of parent associations to the child
   - Assumes that if there are more than 5 parent associations, it's cheaper to cascade reindex the parent
   - Add a new authority to a zone (containing 60,000 authorities) - cascade reindex the authority, not the zone
   - Add a group (in 60,000 sites) to a site - cascade reindex the site, not the group
   - Caching of child associations already traversed during cascade reindexing
   - Site creation time much reduced!
30407: Logic fix: Use 'delete only nodes' behaviour on DM index filtering and merging, now we are managing container deletions separately
30408: Small correction related to last change.
30409: Correction to deletion reindex behaviour (no need to regenerate masked out containers)
   - Site CRUD operations now all sub-second with 60,000 sites!
30410: Stop the heartbeat from trying to load and count all site groups
   - Too expensive, as we might have 60,000 sites, each with 4 groups
   - Now just counts the groups in the default zone (the UI visible ones)
30411: Increased lucene parameters to allow for 'path explosion'
   - 9 million lucene documents in my index after creating 60,000 Share sites (most of them probably paths) resulting in sluggish index write performance
   - Set lucene.indexer.mergerTargetIndexCount=8 (142 documents in smallest index)
   - Increased lucene.indexer.maxDocsForInMemoryMerge, lucene.indexer.maxDocsForInMemoryIndex
30412: Test fixes
30413: Revert 'parent association batch loading' changes (as it was a bad idea and is no longer necessary!)
   - Retain a few caching bug fixes however
30416: Moved UserAuthoritySet (lazy load authority set) from PermissionServiceImpl to AuthorityServiceImpl
30418:
   - Remove 'new' hasAuthority from authorityService so it is back to where we started.
   - SiteServiceHugeTest minor changes
30421: Prevent creation of a duplicate root node on updating the root
   - Use the ANCESTOR field rather than ISCONTAINER to detect a node document, as the root node is both a container and a node!
30447: Pulled new indexing behaviour into ADMLuceneIndexerImpl and restored old behaviour to AVMLuceneIndexerImpl to restore normal AVM behaviour
30448:
   - Cache in PermissionServiceImpl cleared if an authority container has an association added or removed
     Supports the generateKey method which includes the username
     Supports changes in group structures
   - Moved logic to do with ROLE_GUEST from PermissionServiceImpl to AuthorityServiceImpl
30465:
   - Tidy up tests in SiteServiceTestHuge
30532:
   - Added getContainingAuthoritiesInZone to AuthorityService
   - Dave Changed PeopleService.getContainerGroups to only return groups in the DEFAULT zone
   - Fixed RM code to use getAuthoritiesForUser method with just the username again.
30558: Build fixes
   - Fixed cycleCheck to throw a CyclicChildRelationshipException
   - More tidy up of AVM / ADM indexer split
   - Properly control when path generation is cascaded (not required on a full reindex or a tracker transaction)
   - Support indexing of a 'fake root' parent. Ouch my head hurts!
30588: Build fixes
   - StringIndexOutOfBoundsException in NodeMonitor
   - Corrections to 'node only' delete behaviour
   - Use the PATH field to detect non-leaf nodes (it's the only stored field with which we can recognize the root)
   - Moved DOD5015Test.testVitalRecords() to the end - the only way I could work out how to get the full TestCase to run
30600: More build fixes
   - Broadcast ALL node deletions to indexer (even those from cascade deletion of primary associations)
   - Allows indexer to wipe out all affected documents from the delta even if some have already been flushed under different parents by an intricate DOD unit test!
   - Pause FTS in DOD5015Test to prevent intermittent test failures (FTS can temporarily leave deleted documents in the index until it catches up)
   - More tidy up of ADMLuceneIndexerImpl
   - flushPending optimized and some unnecessary member variables removed
   - correction to cascade deletion behaviour (leave behind containers of unaffected secondary references)
   - unused MOVE action removed
   - further legacy logic moved into AVMLuceneIndexerImpl
30620: More build fixes
   - Cope with a node morphing from a 'leaf' to a container during its lifetime
   - Container documents now created lazily in index as and when necessary
   - Blank out 'nth sibling' field of synthesized paths
   - ADMLuceneTest now passes!
   - TaggingServiceImplTest also passes - more special treatment for categories
30627: Multi tenancy fixes
30629: Possible build fix - retrying transaction in ReplicationServiceIntegrationTest.tearDown()
30632: Build fix - lazy container generation after a move
30636: Build fix: authority comparisons are case sensitive, even when that authority corresponds to a user (PermissionServiceTest.testPermissionCase())
30638: Run SiteServiceTestHuge from a cmd line
   set SITE_CPATH=%TOMCAT_HOME%/lib/*;%TOMCAT_HOME%/endorsed/*;%TOMCAT_HOME%/webapps/alfresco/WEB-INF/lib/*;\
   %TOMCAT_HOME%/webapps/alfresco/WEB-INF/classes;%TOMCAT_HOME%/shared/classes;
   java -Xmx2048m -XX:MaxPermSize=512M -classpath %SITE_CPATH% org.alfresco.repo.site.SiteServiceTestHuge ...
   Usage: -Daction=usersOnly -Dfrom=<fromSiteId> -Dto=<toSiteId> -Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=sites -Drestart=<restartAtSiteId> -Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=groups -Drestart=<restartAtSiteId>
30639: Minor changes to commented out command line code for SiteServiceTestHuge
30643: Round of improvements to MySites dashlet relating to huge DB testing:
   - 10,000 site database, user is a member of ~2000 sites
   - Improvements to site.lib.ftl and related SiteService methods
   - To return MySites dashlet for the user, order of magnitude improvement from 7562ms to 618ms in the profiler (now ~350ms in the browser)
30644: Fixed performance regression - too much opening and closing of the delta reader and writer
30661: More reader opening / closing
30668: Performance improvements to Site Finder and My Sites in user profile page.
   - faster to bring back lists and site memberships (used by the Site Finder)
   - related further improvements to APIs used by this and My Sites on dashboard
30713: Configuration for MySites dashlet maximum list size
30725: Merged V3.4-BUG-FIX to DEV/ALAN/SITE_PERF
   30708: ALF-10040: Added missing ReferenceCountingReadOnlyIndexReaderFactory wrapper to IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader() to make it consistent with IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader(String, Set<String>, boolean) and allow SingleFieldSelectors to make it through from LeafScorer to the path caches! Affects ALL Lucene queries that run OUTSIDE of a transaction.
30729: Use getAuthoritiesForUser rather than getContainingAuthorities if possible.
   SiteServiceTestHuge: command line version
30733: Performance improves to user dashboard relating to User Calendar
   - converted web-tier calendar dashlet to Ajax client-side rendering - faster user experience and also less load on the web-tier
   - improvements to query from Andy
   - maximum sites/list size to query now configurable (default 100 instead of previously 1000)
30743: Restore site CRUD performance from cold caches
   - Introduced NodeService.getAllRootNodes(), returning all nodes in a store with the root aspect, backed by a transactional cache and invalidated at key points
   - Means indexing doesn't have to load all parent nodes just to check for 'fake roots'
   - Site CRUD performance now back to sub-second with 60,000 nodes
30747: Improvement to previous checkin - prevent cross cluster invalidation of every store root when a single store drops out of the cache
30748: User dashboard finally loading within seconds with 60,000 sites, 60 groups, 100 users (thanks mostly to Kev's UI changes)
   - post-process IBatis mapped statements with MySQL dialect to apply fetchSize=Integer.MIN_VALUE to all _Limited statements
   - Means we can stream first 10,000 site groups without the MySQL JDBC driver reading all 240,000 into memory
   - New NodeService getChildAssocs method with a maxResults argument (makes use of the above)
   - Perfected getContainingAuthoritiesInZone implementation, adding a cutoff parameter, allowing only the first 1000 site memberships to be returned quickly and caches to be warmed for ACL evaluations
   - New cache of first 10,000 groups in APP.SHARE zone
   - Cache sizes tuned for 60,000 site scenario
   - Site service warms caches on bootstrap
   - PreferencesService applies ASPECT_IGNORE_INHERITED_RULES to person node to prevent the rule service trying to crawl the group hierarchy on a preference save
   - WorkflowServiceImpl.getPooledTasks only looks in APP.DEFAULT zone (thus avoiding site group noise)
30749: Fix compilation errors
30761: Minor change to SiteServiceTestHuge
30762: Derek code review: Reworked fetchSize specification for select_ChildAssocsOfParent_Limited statement for MySQL
   - Now fetchSize stated explicitly in a MySQL specific config file resolved by the HierarchicalResourceLoader
   - No need for any Java-based post processing
30763: Build fix: don't add a user into its own authorities (until specifically asked to)
30767: Build fix - IBatis / MySQL needs a streaming result statement to be run in an isolation transaction (because it doesn't release PreparedStatements until the end)
30771: Backed out previous change which was fundamentally flawed
   - Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache
30772: Backed out previous change which was fundamentally flawed
   - Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30797 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -39,6 +39,7 @@ import org.alfresco.repo.policy.JavaBehaviour;
|
||||
import org.alfresco.repo.policy.PolicyComponent;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
||||
import org.alfresco.repo.security.authority.AuthorityServiceImpl;
|
||||
import org.alfresco.repo.security.permissions.ACLType;
|
||||
import org.alfresco.repo.security.permissions.AccessControlEntry;
|
||||
import org.alfresco.repo.security.permissions.AccessControlList;
|
||||
@@ -68,11 +69,11 @@ import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.util.EqualsHelper;
|
||||
import org.alfresco.util.Pair;
|
||||
import org.alfresco.util.PropertyCheck;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.context.ApplicationEvent;
|
||||
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
|
||||
import org.alfresco.util.PropertyCheck;
|
||||
|
||||
/**
|
||||
* The Alfresco implementation of a permissions service against our APIs for the permissions model and permissions
|
||||
@@ -279,6 +280,26 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
accessCache.clear();
|
||||
}
|
||||
|
||||
/**
|
||||
* Cache clear on create of a child association from an authority container.
|
||||
*
|
||||
* @param childAssocRef
|
||||
*/
|
||||
public void onCreateChildAssociation(ChildAssociationRef childAssocRef)
|
||||
{
|
||||
accessCache.clear();
|
||||
}
|
||||
|
||||
/**
|
||||
* Cache clear on delete of a child association from an authority container.
|
||||
*
|
||||
* @param childAssocRef
|
||||
*/
|
||||
public void beforeDeleteChildAssociation(ChildAssociationRef childAssocRef)
|
||||
{
|
||||
accessCache.clear();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void onBootstrap(ApplicationEvent event)
|
||||
{
|
||||
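Review bot: beforeDeleteChildAssociation clears accessCache before the association has actually been removed, so a permission check that runs between this callback and the commit can re-cache a decision computed from the old group membership. If accessCache is not transaction-aware, clear it once the removal is committed so that a removed member cannot keep a cached ALLOWED result. Both new handlers also drop the whole cache on every membership change and leave @param childAssocRef undescribed; a sentence on why full invalidation is needed would help.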
@@ -307,6 +328,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
public void init()
|
||||
{
|
||||
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onMoveNode"), ContentModel.TYPE_BASE, new JavaBehaviour(this, "onMoveNode"));
|
||||
|
||||
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onCreateChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "onCreateChildAssociation"));
|
||||
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "beforeDeleteChildAssociation"));
|
||||
}
|
||||
|
||||
//
|
||||
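Review bot: the two new bindings in init() identify their handlers only by the strings "onCreateChildAssociation" and "beforeDeleteChildAssociation", so a mismatch between a policy and its handler shows up only at runtime, and a binding that silently fails here leaves permission decisions cached after a group change. Add a test that adds and then removes a member of an authority container and asserts that the cached access decision changes each time.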
@@ -474,10 +498,13 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
PermissionContext context = new PermissionContext(typeQname);
|
||||
context.getAspects().addAll(aspectQNames);
|
||||
Authentication auth = AuthenticationUtil.getRunAsAuthentication();
|
||||
String user = AuthenticationUtil.getRunAsUser();
|
||||
for (String dynamicAuthority : getDynamicAuthorities(auth, nodeRef, perm))
|
||||
if (auth != null)
|
||||
{
|
||||
context.addDynamicAuthorityAssignment(user, dynamicAuthority);
|
||||
String user = AuthenticationUtil.getRunAsUser();
|
||||
for (String dynamicAuthority : getDynamicAuthorities(auth, nodeRef, perm))
|
||||
{
|
||||
context.addDynamicAuthorityAssignment(user, dynamicAuthority);
|
||||
}
|
||||
}
|
||||
return hasPermission(properties.getId(), context, perm);
|
||||
}
|
||||
@@ -711,12 +738,43 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
{
|
||||
LinkedHashSet<Serializable> key = new LinkedHashSet<Serializable>();
|
||||
key.add(perm.toString());
|
||||
key.addAll(auths);
|
||||
// We will just have to key our dynamic sets by username. We wrap it so as not to be confused with a static set
|
||||
if (auths instanceof AuthorityServiceImpl.UserAuthoritySet)
|
||||
{
|
||||
key.add((Serializable)Collections.singleton(((AuthorityServiceImpl.UserAuthoritySet)auths).getUsername()));
|
||||
}
|
||||
else
|
||||
{
|
||||
key.addAll(auths);
|
||||
}
|
||||
key.add(nodeRef);
|
||||
key.add(type);
|
||||
return key;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the core authorisations for this {@code auth}. If {@code null} this
|
||||
* will be an empty set. Otherwise it will be a Lazy loaded Set of authorities
|
||||
* from the authority node structure PLUS any granted authorities.
|
||||
*/
|
||||
private Set<String> getCoreAuthorisations(Authentication auth)
|
||||
{
|
||||
if (auth == null)
|
||||
{
|
||||
return Collections.<String>emptySet();
|
||||
}
|
||||
|
||||
User user = (User) auth.getPrincipal();
|
||||
String username = user.getUsername();
|
||||
Set<String> auths = authorityService.getAuthoritiesForUser(username);
|
||||
|
||||
for (GrantedAuthority grantedAuthority : auth.getAuthorities())
|
||||
{
|
||||
auths.add(grantedAuthority.getAuthority());
|
||||
}
|
||||
return auths;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the authorisations for the currently authenticated user
|
||||
*
|
||||
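Review bot: in generateKey, a UserAuthoritySet contributes only getUsername() to the cache key, while getCoreAuthorisations also adds every entry of auth.getAuthorities() to that set, so the granted authorities no longer take part in the key. Two authentications for the same username with different granted authorities would share one cached decision for a given perm, nodeRef and type; either add the granted authorities to the key or document why they cannot differ per username. The instanceof test also ties this class to AuthorityServiceImpl rather than to the AuthorityService interface.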
@@ -725,41 +783,17 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
*/
|
||||
private Set<String> getAuthorisations(Authentication auth, NodeRef nodeRef, PermissionReference required)
|
||||
{
|
||||
|
||||
HashSet<String> auths = new HashSet<String>();
|
||||
// No authenticated user then no permissions
|
||||
if (auth == null)
|
||||
Set<String> auths = getCoreAuthorisations(auth);
|
||||
if (auth != null)
|
||||
{
|
||||
return auths;
|
||||
auths.addAll(getDynamicAuthorities(auth, nodeRef, required));
|
||||
}
|
||||
// TODO: Refactor and use the authentication service for this.
|
||||
User user = (User) auth.getPrincipal();
|
||||
|
||||
String username = user.getUsername();
|
||||
auths.add(username);
|
||||
|
||||
if (tenantService.getBaseNameUser(username).equalsIgnoreCase(AuthenticationUtil.getGuestUserName()))
|
||||
{
|
||||
auths.add(PermissionService.GUEST_AUTHORITY);
|
||||
}
|
||||
|
||||
for (GrantedAuthority authority : auth.getAuthorities())
|
||||
{
|
||||
auths.add(authority.getAuthority());
|
||||
}
|
||||
auths.addAll(getDynamicAuthorities(auth, nodeRef, required));
|
||||
auths.addAll(authorityService.getAuthoritiesForUser(username));
|
||||
return auths;
|
||||
}
|
||||
|
||||
|
||||
private Set<String> getDynamicAuthorities(Authentication auth, NodeRef nodeRef, PermissionReference required)
|
||||
{
|
||||
HashSet<String> auths = new HashSet<String>(64);
|
||||
|
||||
if (auth == null)
|
||||
{
|
||||
return auths;
|
||||
}
|
||||
Set<String> dynAuths = new HashSet<String>(64);
|
||||
User user = (User) auth.getPrincipal();
|
||||
String username = user.getUsername();
|
||||
|
||||
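Review bot: getAuthorisations(auth, nodeRef, required) now calls auths.addAll(getDynamicAuthorities(auth, nodeRef, required)) on the set returned by getCoreAuthorisations, which is the set handed back by authorityService.getAuthoritiesForUser(username). Unless that call returns a fresh instance every time, node-specific dynamic authorities are written into a set that can be reused for other nodes or bound to the transaction. Copy into a local set before adding, or state in the Javadoc of getCoreAuthorisations that the returned set is private to the caller.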
@@ -775,49 +809,44 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
{
|
||||
if (da.hasAuthority(nodeRef, username))
|
||||
{
|
||||
auths.add(da.getAuthority());
|
||||
dynAuths.add(da.getAuthority());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
auths.addAll(authorityService.getAuthoritiesForUser(user.getUsername()));
|
||||
return auths;
|
||||
return dynAuths;
|
||||
}
|
||||
|
||||
private Set<String> getAuthorisations(Authentication auth, PermissionContext context)
|
||||
{
|
||||
HashSet<String> auths = new HashSet<String>();
|
||||
// No authenticated user then no permissions
|
||||
if (auth == null)
|
||||
Set<String> auths = getCoreAuthorisations(auth);
|
||||
if (auth != null)
|
||||
{
|
||||
return auths;
|
||||
}
|
||||
// TODO: Refactor and use the authentication service for this.
|
||||
User user = (User) auth.getPrincipal();
|
||||
auths.add(user.getUsername());
|
||||
for (GrantedAuthority authority : auth.getAuthorities())
|
||||
{
|
||||
auths.add(authority.getAuthority());
|
||||
}
|
||||
auths.addAll(authorityService.getAuthoritiesForUser(user.getUsername()));
|
||||
|
||||
if (context != null)
|
||||
{
|
||||
Map<String, Set<String>> dynamicAuthorityAssignments = context.getDynamicAuthorityAssignment();
|
||||
HashSet<String> dynAuths = new HashSet<String>();
|
||||
for (String current : auths)
|
||||
if (context != null)
|
||||
{
|
||||
Set<String> dynos = dynamicAuthorityAssignments.get(current);
|
||||
auths.addAll(getDynamicAuthorities(auth, context, auths));
|
||||
}
|
||||
}
|
||||
return auths;
|
||||
}
|
||||
|
||||
private Set<String> getDynamicAuthorities(Authentication auth, PermissionContext context, Set<String> auths)
|
||||
{
|
||||
Set<String> dynAuths = new HashSet<String>();
|
||||
Map<String, Set<String>> dynamicAuthorityAssignments = context.getDynamicAuthorityAssignment();
|
||||
for (String dynKey : dynamicAuthorityAssignments.keySet())
|
||||
{
|
||||
if (auths.contains(dynKey))
|
||||
{
|
||||
Set<String> dynos = dynamicAuthorityAssignments.get(dynKey);
|
||||
if (dynos != null)
|
||||
{
|
||||
dynAuths.addAll(dynos);
|
||||
}
|
||||
}
|
||||
auths.addAll(dynAuths);
|
||||
}
|
||||
|
||||
return auths;
|
||||
return dynAuths;
|
||||
}
|
||||
|
||||
public NodePermissionEntry explainPermission(NodeRef nodeRef, PermissionReference perm)
|
||||
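Review bot: the new getDynamicAuthorities(Authentication auth, PermissionContext context, Set<String> auths) never reads its auth parameter; drop it or document why it is kept. The loop can iterate dynamicAuthorityAssignments.entrySet() instead of keySet() followed by get(dynKey), and the method has no Javadoc saying that only assignment keys already present in auths contribute to the result.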
@@ -1161,25 +1190,11 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
// test acl readers
|
||||
Set<String> aclReaders = getReaders(aclId);
|
||||
|
||||
// both lists are ordered so we can skip scan to find any overlap
|
||||
if(authorities.size() < aclReaders.size())
|
||||
for(String auth : aclReaders)
|
||||
{
|
||||
for(String auth : authorities)
|
||||
if(authorities.contains(auth))
|
||||
{
|
||||
if(aclReaders.contains(auth))
|
||||
{
|
||||
return AccessStatus.ALLOWED;
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
for(String auth : aclReaders)
|
||||
{
|
||||
if(authorities.contains(auth))
|
||||
{
|
||||
return AccessStatus.ALLOWED;
|
||||
}
|
||||
return AccessStatus.ALLOWED;
|
||||
}
|
||||
}
|
||||
|
||||
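Review bot: the reader check now always iterates aclReaders and calls authorities.contains(auth), but nothing in the code says why the size comparison was dropped. A one-line comment explaining the choice of loop direction would stop someone from reintroducing the old branch, and the "both lists are ordered so we can skip scan" comment, if it is still present after this change, no longer describes the loop.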
@@ -1641,29 +1656,6 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
|
||||
// any deny denies
|
||||
|
||||
// if (false)
|
||||
// {
|
||||
// if (denied != null)
|
||||
// {
|
||||
// for (String auth : authorisations)
|
||||
// {
|
||||
// Pair<String, PermissionReference> specific = new Pair<String, PermissionReference>(auth, required);
|
||||
// if (denied.contains(specific))
|
||||
// {
|
||||
// return false;
|
||||
// }
|
||||
// for (PermissionReference perm : granters)
|
||||
// {
|
||||
// specific = new Pair<String, PermissionReference>(auth, perm);
|
||||
// if (denied.contains(specific))
|
||||
// {
|
||||
// return false;
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
|
||||
// If the permission has a match in both the authorities and
|
||||
// granters list it is allowed
|
||||
// It applies to the current user and it is granted
|
||||
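Review bot: removing the commented-out if (false) block leaves the "// any deny denies" comment with no code under it, directly above the "If the permission has a match in both the authorities and granters list it is allowed" comment. Delete the orphaned comment as well, or replace it with a sentence saying where deny entries are evaluated; the same applies to the identical removal in the next hunk.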
@@ -1918,29 +1910,6 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
|
||||
// any deny denies
|
||||
|
||||
// if (false)
|
||||
// {
|
||||
// if (denied != null)
|
||||
// {
|
||||
// for (String auth : authorisations)
|
||||
// {
|
||||
// Pair<String, PermissionReference> specific = new Pair<String, PermissionReference>(auth, required);
|
||||
// if (denied.contains(specific))
|
||||
// {
|
||||
// return false;
|
||||
// }
|
||||
// for (PermissionReference perm : granters)
|
||||
// {
|
||||
// specific = new Pair<String, PermissionReference>(auth, perm);
|
||||
// if (denied.contains(specific))
|
||||
// {
|
||||
// return false;
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
|
||||
// If the permission has a match in both the authorities and
|
||||
// granters list it is allowed
|
||||
// It applies to the current user and it is granted
|
||||
@@ -2336,34 +2305,19 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
|
||||
public Set<String> getAuthorisations()
|
||||
{
|
||||
// Use TX cache
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
Set<String> auths = (Set<String>) AlfrescoTransactionSupport.getResource("MyAuthCache");
|
||||
Authentication auth = AuthenticationUtil.getRunAsAuthentication();
|
||||
User user = (User) auth.getPrincipal();
|
||||
if(auths != null)
|
||||
if (auths != null)
|
||||
{
|
||||
if(!auths.contains(user.getUsername()))
|
||||
if (auth == null || !auths.contains(((User)auth.getPrincipal()).getUsername()))
|
||||
{
|
||||
auths = null;
|
||||
}
|
||||
}
|
||||
if (auths == null)
|
||||
{
|
||||
auths = new HashSet<String>();
|
||||
|
||||
// No authenticated user then no permissions
|
||||
if (auth != null)
|
||||
{
|
||||
|
||||
auths.add(user.getUsername());
|
||||
for (GrantedAuthority authority : auth.getAuthorities())
|
||||
{
|
||||
auths.add(authority.getAuthority());
|
||||
}
|
||||
auths.addAll(authorityService.getAuthoritiesForUser(user.getUsername()));
|
||||
}
|
||||
|
||||
auths = getCoreAuthorisations(auth);
|
||||
AlfrescoTransactionSupport.bindResource("MyAuthCache", auths);
|
||||
}
|
||||
return Collections.unmodifiableSet(auths);
|
||||
|
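Review bot: the transaction-cached set is accepted for the current user whenever auths.contains(((User)auth.getPrincipal()).getUsername()) is true, which is a membership test rather than an identity check on whose set it is. Binding the username next to the set, or comparing against UserAuthoritySet.getUsername(), makes the check exact. The resource key "MyAuthCache" appears twice as a literal and would be safer as a constant.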