inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-08 14:51:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.2.N (5.2.1) to HEAD (5.2)

Browse Source 
125767 rmunteanu: Merged 5.1.N (5.1.2) to 5.2.N (5.2.1)
      125473 amorarasu: Merged 5.0.N (5.0.4) to 5.1.N (5.1.2)
         125055 cturlica: Merged V4.2-BUG-FIX (4.2.7) to 5.0.N (5.0.4) (PARTIAL MERGE)
            124999 adragoi: Merged DEV to V4.2-BUG-FIX (4.2.7)
               124402 adragoi: MNT-15368 : Time Consumed for Updating Folder Permission
                  - implemented an approach that uses a separate, asynchronous processes that sets fixed ACL's


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@127794 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2016-06-03 16:11:08 +00:00
parent b6688d5103
commit c952c8d8b9
14 changed files with 1015 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/alfresco/dao/dao-context.xml
View File

@@ -264,6 +264,7 @@
<property name="aclDAO" ref="aclDAO"/>
<property name="behaviourFilter" ref="policyBehaviourFilter" />
<property name="preserveAuditableData" value="${system.auditableData.ACLs}"></property>
<property name="fixedAclMaxTransactionTime" value="${system.fixedACLs.maxTransactionTime}"/>
</bean>
<bean id="aclCrudDAO" class="org.alfresco.repo.domain.permissions.ibatis.AclCrudDAOImpl">

20
config/alfresco/model/systemModel.xml
View File

@@ -396,6 +396,26 @@
</property>
</properties>
</aspect>
<aspect name="sys:pendingFixAcl">
<title>Pending fix ACL</title>
<properties>
<property name="sys:sharedAclToReplace">
<title>Shared Acl To Replace</title>
<type>d:long</type>
<mandatory enforced="true">true</mandatory>
<multiple>false</multiple>
<index enabled="false"></index>
</property>
<property name="sys:inheritFromAcl">
<title>Inherit From</title>
<type>d:long</type>
<mandatory enforced="true">true</mandatory>
<multiple>false</multiple>
<index enabled="false"></index>
</property>
</properties>
</aspect>
</aspects>
</model>

11
config/alfresco/public-services-security-context.xml
View File

@@ -102,8 +102,19 @@
<ref bean="lockOwnerDynamicAuthority" />
</list>
</property>
<property name="fixedAclUpdater">
<ref bean="fixedAclUpdater"/>
</property>
</bean>
<bean id="fixedAclUpdater" class="org.alfresco.repo.domain.permissions.FixedAclUpdater">
<property name="jobLockService" ref="jobLockService"/>
<property name="transactionService" ref="transactionService"/>
<property name="accessControlListDAO" ref="admNodeACLDAO"/>
<property name="nodeDAO" ref="nodeDAO"/>
<property name="maxItemBatchSize" value="${system.fixedACLsUpdater.maxItemBatchSize}"/>
<property name="lockTimeToLive" value="${system.fixedACLsUpdater.lockTTL}"/>
</bean>
<!-- =================== -->
<!-- Dynamic Authorities -->

14
config/alfresco/repository.properties
View File

@@ -1106,6 +1106,20 @@ models.enforceTenantInNamespace=false
# Allowed protocols for links
links.protocosl.white.list=http,https,ftp,mailto
# Fixed ACLs
# Required for fixing MNT-15368 - Time Consumed for Updating Folder Permission
# ADMAccessControlListDAO.setFixedAcls called on a large folder hierarchy will take a long time for its execution.
# For this reason now method can also be called asynchronously if transaction reaches system.fixedACLs.maxTransactionTime.
# In this case setFixedAcls method recursion will be stopped and unfinished nodes will be marked with ASPECT_PENDING_FIX_ACL.
# Pending nodes will be processed by FixedAclUpdater, programmatically called but also configured as a scheduled job.
system.fixedACLs.maxTransactionTime=10000
# fixedACLsUpdater - lock time to live
system.fixedACLsUpdater.lockTTL=10000
# fixedACLsUpdater - maximum number of nodes to process per execution
system.fixedACLsUpdater.maxItemBatchSize=100
# fixedACLsUpdater cron expression - fire at midnight every day
system.fixedACLsUpdater.cronExpression=0 0 0 * * ?
cmis.disable.hidden.leading.period.files=false
#Smart Folders Config Properties

22
config/alfresco/scheduled-jobs-context.xml
View File

@@ -327,4 +327,26 @@
<value>${system.cronJob.startDelayMinutes}</value>
</property>
</bean>
<!-- Fixed ACL Updater -->
<bean id="fixedAclUpdaterJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="jobClass">
<value>org.alfresco.repo.domain.permissions.FixedAclUpdaterJob</value>
</property>
<property name="jobDataAsMap">
<map>
<entry key="fixedAclUpdater">
<ref bean="fixedAclUpdater" />
</entry>
</map>
</property>
</bean>
<bean id="fixedAclUpdaterTrigger" class="org.alfresco.util.CronTriggerBean">
<property name="jobDetail" ref="fixedAclUpdaterJobDetail" />
<property name="scheduler" ref="schedulerFactory" />
<property name="cronExpression" value="${system.fixedACLsUpdater.cronExpression}" />
</bean>
</beans>

141
source/java/org/alfresco/repo/domain/permissions/ADMAccessControlListDAO.java
View File

@@ -18,10 +18,13 @@
*/
package org.alfresco.repo.domain.permissions;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.domain.node.NodeDAO;
@@ -32,11 +35,15 @@ import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.SimpleAccessControlListProperties;
import org.alfresco.repo.security.permissions.impl.AclChange;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.dao.ConcurrencyFailureException;
/**
@@ -47,6 +54,7 @@ import org.springframework.dao.ConcurrencyFailureException;
*/
public class ADMAccessControlListDAO implements AccessControlListDAO
{
private static final Log log = LogFactory.getLog(ADMAccessControlListDAO.class);
/**
* The DAO for Nodes.
*/
@@ -57,6 +65,9 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
private BehaviourFilter behaviourFilter;
private boolean preserveAuditableData = true;
/**maxim transaction time allowed for {@link #setFixedAcls(Long, Long, Long, Long, List, boolean, AsyncCallParameters, boolean)} */
private long fixedAclMaxTransactionTime = 10 * 1000;
public void setNodeDAO(NodeDAO nodeDAO)
{
this.nodeDAO = nodeDAO;
@@ -67,6 +78,11 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
this.aclDaoComponent = aclDaoComponent;
}
public void setFixedAclMaxTransactionTime(long fixedAclMaxTransactionTime)
{
this.fixedAclMaxTransactionTime = fixedAclMaxTransactionTime;
}
public void setBehaviourFilter(BehaviourFilter behaviourFilter)
{
this.behaviourFilter = behaviourFilter;
@@ -302,9 +318,16 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
}
public List<AclChange> setInheritanceForChildren(NodeRef parent, Long inheritFrom, Long sharedAclToReplace)
{
//check transaction resource to determine if async call may be required
boolean asyncCall = AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY) == null ? false : true;
return setInheritanceForChildren(parent, inheritFrom, sharedAclToReplace, asyncCall);
}
public List<AclChange> setInheritanceForChildren(NodeRef parent, Long inheritFrom, Long sharedAclToReplace, boolean asyncCall)
{
List<AclChange> changes = new ArrayList<AclChange>();
setFixedAcls(getNodeIdNotNull(parent), inheritFrom, null, sharedAclToReplace, changes, false);
setFixedAcls(getNodeIdNotNull(parent), inheritFrom, null, sharedAclToReplace, changes, false, asyncCall, true);
return changes;
}
@@ -329,30 +352,52 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
*/
public void setFixedAcls(Long nodeId, Long inheritFrom, Long mergeFrom, Long sharedAclToReplace, List<AclChange> changes, boolean set)
{
setFixedAcls(nodeId, inheritFrom, mergeFrom, sharedAclToReplace, changes, set, false, true);
}
/**
* Support to set a shared ACL on a node and all of its children
*
* @param nodeId
* the parent node
* @param inheritFrom
* the parent node's ACL
* @param mergeFrom
* the shared ACL, if already known. If <code>null</code>, will be retrieved / created lazily
* @param changes
* the list in which to record changes
* @param set
* set the shared ACL on the parent ?
* @param asyncCall
* function may require asynchronous call depending the execution time; if time exceeds configured <code>fixedAclMaxTransactionTime</code> value,
* recursion is stopped using propagateOnChildren parameter(set on false) and those nodes for which the method execution was not finished
* in the classical way, will have ASPECT_PENDING_FIX_ACL, which will be used in {@link FixedAclUpdater} for later processing
*/
public void setFixedAcls(Long nodeId, Long inheritFrom, Long mergeFrom, Long sharedAclToReplace, List<AclChange> changes, boolean set, boolean asyncCall, boolean propagateOnChildren)
{
if (log.isDebugEnabled())
{
log.debug(" Set fixed acl for nodeId=" + nodeId + " inheritFrom=" + inheritFrom + " sharedAclToReplace=" + sharedAclToReplace
+ " mergefrom= " + mergeFrom);
}
if (nodeId == null)
{
return;
}
else
{
if (set)
{
// Lazily retrieve/create the shared ACL
if (mergeFrom == null)
{
mergeFrom = aclDaoComponent.getInheritedAccessControlList(inheritFrom);
}
if (set)
{
nodeDAO.setNodeAclId(nodeId, mergeFrom);
}
// update all shared in one shot - recurse later
if (mergeFrom == null)
{
mergeFrom = aclDaoComponent.getInheritedAccessControlList(inheritFrom);
}
List<NodeIdAndAclId> children = nodeDAO.getPrimaryChildrenAcls(nodeId);
if(children.size() > 0)
@@ -360,19 +405,17 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
nodeDAO.setPrimaryChildrenSharedAclId(nodeId, sharedAclToReplace, mergeFrom);
}
if (!propagateOnChildren)
{
return;
}
for (NodeIdAndAclId child : children)
{
// Lazily retrieve/create the shared ACL
if (mergeFrom == null)
{
mergeFrom = aclDaoComponent.getInheritedAccessControlList(inheritFrom);
}
Long acl = child.getAclId();
if (acl == null)
{
setFixedAcls(child.getId(), inheritFrom, mergeFrom, sharedAclToReplace, changes, false);
propagateOnChildren = setFixAclPending(child.getId(), inheritFrom, mergeFrom, sharedAclToReplace, changes, false, asyncCall, propagateOnChildren);
}
else
{
@@ -383,7 +426,7 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
// Already replaced
if(acl.equals(sharedAclToReplace))
{
setFixedAcls(child.getId(), inheritFrom, mergeFrom, sharedAclToReplace, changes, false);
propagateOnChildren = setFixAclPending(child.getId(), inheritFrom, mergeFrom, sharedAclToReplace, changes, false, asyncCall, propagateOnChildren);
}
else
{
@@ -410,6 +453,66 @@ public class ADMAccessControlListDAO implements AccessControlListDAO
}
}
/**
* If async call required adds ASPECT_PENDING_FIX_ACL aspect to nodes when transactionTime reaches max admitted time
*/
private boolean setFixAclPending(Long nodeId, Long inheritFrom, Long mergeFrom, Long sharedAclToReplace, List<AclChange> changes,
boolean set, boolean asyncCall, boolean propagateOnChildren)
{
// check if async call is required
if (!asyncCall)
{
// make regular method call
setFixedAcls(nodeId, inheritFrom, mergeFrom, sharedAclToReplace, changes, set, asyncCall, propagateOnChildren);
return true;
}
else
{
// check transaction time
long transactionStartTime = AlfrescoTransactionSupport.getTransactionStartTime();
long transactionTime = System.currentTimeMillis() - transactionStartTime;
if (transactionTime < fixedAclMaxTransactionTime)
{
// make regular method call if time is under max transaction configured time
setFixedAcls(nodeId, inheritFrom, mergeFrom, sharedAclToReplace, changes, set, asyncCall, propagateOnChildren);
return true;
}
else
{
// time exceeded;
if (nodeDAO.getPrimaryChildrenAcls(nodeId).size() == 0)
{
// if node is leaf in tree hierarchy call setFixedAcls now as processing with FixedAclUpdater would be more time consuming
setFixedAcls(nodeId, inheritFrom, mergeFrom, sharedAclToReplace, changes, set, asyncCall, false);
}
else
{
// set ASPECT_PENDING_FIX_ACL aspect on node to be later on processed with FixedAclUpdater
addFixedAclPendingAspect(nodeId, sharedAclToReplace, inheritFrom);
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY, true);
}
// stop propagating on children nodes
return false;
}
}
}
private void addFixedAclPendingAspect(Long nodeId, Long sharedAclToReplace, Long inheritFrom)
{
Set<QName> aspect = new HashSet<>();
aspect.add(ContentModel.ASPECT_PENDING_FIX_ACL);
nodeDAO.addNodeAspects(nodeId, aspect);
Map<QName, Serializable> pendingAclProperties = new HashMap<>();
pendingAclProperties.put(ContentModel.PROP_SHARED_ACL_TO_REPLACE, sharedAclToReplace);
pendingAclProperties.put(ContentModel.PROP_INHERIT_FROM_ACL, inheritFrom);
nodeDAO.addNodeProperties(nodeId, pendingAclProperties);
if (log.isDebugEnabled())
{
log.debug("Set Fixed Acl Pending : " + nodeId + " " + nodeDAO.getNodePair(nodeId).getSecond());
}
}
/**
* {@inheritDoc}
*/

6
source/java/org/alfresco/repo/domain/permissions/AccessControlListDAO.java
View File

@@ -77,6 +77,12 @@ public interface AccessControlListDAO
*/
public List<AclChange> setInheritanceForChildren(NodeRef parent, Long inheritFrom, Long sharedAclToReplace);
/**
* Set the inheritance on a given node and it's children. If the operation takes
* too long and asyncCall parameter set accordingly, fixed ACLs method will be synchronously called.
*/
public List<AclChange> setInheritanceForChildren(NodeRef parent, Long inheritFrom, Long sharedAclToReplace, boolean asyncCall);
public Long getIndirectAcl(NodeRef nodeRef);
public Long getInheritedAcl(NodeRef nodeRef);

303
source/java/org/alfresco/repo/domain/permissions/FixedAclUpdater.java Normal file
View File

@@ -0,0 +1,303 @@
/*
* Copyright (C) 2005-2016 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.domain.permissions;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.domain.node.NodeDAO;
import org.alfresco.repo.domain.node.NodeDAO.NodeRefQueryCallback;
import org.alfresco.repo.lock.JobLockService;
import org.alfresco.repo.lock.LockAcquisitionException;
import org.alfresco.repo.lock.JobLockService.JobLockRefreshCallback;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.repo.transaction.TransactionListenerAdapter;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.Pair;
import org.alfresco.util.VmShutdownListener.VmShutdownException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Finds nodes with ASPECT_PENDING_FIX_ACL aspect and sets fixed ACLs for them
*
* @author Andreea Dragoi
* @since 4.2.7
*/
public class FixedAclUpdater extends TransactionListenerAdapter
{
private static final Log log = LogFactory.getLog(FixedAclUpdater.class);
private static final Set<QName> PENDING_FIX_ACL_ASPECT_PROPS = pendingFixAclAspectProps();
public static final String FIXED_ACL_ASYNC_REQUIRED_KEY = "FIXED_ACL_ASYNC_REQUIRED";
public static final String FIXED_ACL_ASYNC_CALL_KEY = "FIXED_ACL_ASYNC_CALL";
private JobLockService jobLockService;
private TransactionService transactionService;
private AccessControlListDAO accessControlListDAO;
private NodeDAO nodeDAO;
private QName lockQName = QName.createQName(NamespaceService.SYSTEM_MODEL_1_0_URI, "FixedAclUpdater");
private long lockTimeToLive = 10000;
private long lockRefreshTime = lockTimeToLive / 2;
private int maxItemBatchSize = 100;
public void setJobLockService(JobLockService jobLockService)
{
this.jobLockService = jobLockService;
}
public void setNodeDAO(NodeDAO nodeDAO)
{
this.nodeDAO = nodeDAO;
}
public void setTransactionService(TransactionService transactionService)
{
this.transactionService = transactionService;
}
public void setAccessControlListDAO(AccessControlListDAO accessControlListDAO)
{
this.accessControlListDAO = accessControlListDAO;
}
public void setMaxItemBatchSize(int maxItemBatchSize)
{
this.maxItemBatchSize = maxItemBatchSize;
}
public void setLockTimeToLive(long lockTimeToLive)
{
this.lockTimeToLive = lockTimeToLive;
this.lockRefreshTime = lockTimeToLive / 2;
}
private static Set<QName> pendingFixAclAspectProps()
{
Set<QName> props = new HashSet<>();
props.add(ContentModel.PROP_SHARED_ACL_TO_REPLACE);
props.add(ContentModel.PROP_INHERIT_FROM_ACL);
return props;
}
private int findAndUpdateAcl(FixedAclUpdaterJobLockRefreshCallback jobCallback)
{
final Set<QName> aspects = new HashSet<>(1);
aspects.add(ContentModel.ASPECT_PENDING_FIX_ACL);
List<NodeRef> nodesToUpdate = getNodesWithAspects(aspects);
int processedNodes = 0;
// loop over results
for (final NodeRef nodeRef : nodesToUpdate)
{
// Check if we have been terminated
if (!jobCallback.isActive.get())
{
if (log.isDebugEnabled())
{
log.debug(String.format("Processing node failed %s. Job not active", nodeRef));
}
// terminate
break;
}
if (log.isDebugEnabled())
{
log.debug(String.format("Processing node %s", nodeRef));
}
final Long nodeId = nodeDAO.getNodePair(nodeRef).getFirst();
try
{
transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Void>()
{
public Void execute() throws Throwable
{
// retrieve acl properties from node
Long inheritFrom = (Long) nodeDAO.getNodeProperty(nodeId, ContentModel.PROP_INHERIT_FROM_ACL);
Long sharedAclToReplace = (Long) nodeDAO.getNodeProperty(nodeId, ContentModel.PROP_SHARED_ACL_TO_REPLACE);
// set inheritance using retrieved prop
accessControlListDAO.setInheritanceForChildren(nodeRef, inheritFrom, sharedAclToReplace, true);
nodeDAO.removeNodeAspects(nodeId, aspects);
nodeDAO.removeNodeProperties(nodeId, PENDING_FIX_ACL_ASPECT_PROPS);
if (log.isDebugEnabled())
{
log.debug(String.format("Node processed ", nodeRef));
}
return null;
}
}, false, true);
}
catch (Exception e)
{
if (log.isDebugEnabled())
{
log.debug(String.format("Could not process node ", nodeRef), e);
}
}
processedNodes++;
}
if (log.isDebugEnabled())
{
log.debug(String.format("Nodes found %s; nodes processed %s", nodesToUpdate.size(), processedNodes));
}
return processedNodes;
}
public void execute()
{
String lockToken = null;
FixedAclUpdaterJobLockRefreshCallback callback = new FixedAclUpdaterJobLockRefreshCallback();
try
{
RunAsWork<Integer> findAndUpdateAclRunAsWork = findAndUpdateAclRunAsWork(callback);
lockToken = jobLockService.getLock(lockQName, lockTimeToLive, 0, 1);
while (true)
{
jobLockService.refreshLock(lockToken, lockQName, lockRefreshTime, callback);
Integer processed = AuthenticationUtil.runAs(findAndUpdateAclRunAsWork, AuthenticationUtil.getSystemUserName());
if (processed.intValue() == 0)
{
// There is no more to process
break;
}
// There is still more to process, so continue
}
}
catch (LockAcquisitionException e)
{
// already running
}
catch (VmShutdownException e)
{
if (log.isDebugEnabled())
{
log.debug("FixedAclUpdater aborted");
}
}
finally
{
callback.isActive.set(false);
jobLockService.releaseLock(lockToken, lockQName);
}
}
private RunAsWork<Integer> findAndUpdateAclRunAsWork(final FixedAclUpdaterJobLockRefreshCallback callback)
{
final RetryingTransactionCallback<Integer> findAndUpdateAclWork = new RetryingTransactionCallback<Integer>()
{
public Integer execute() throws Exception
{
return findAndUpdateAcl(callback);
}
};
// execute as system user to ensure fast, accurate results
RunAsWork<Integer> findAndUpdateAclRunAsWork = new RunAsWork<Integer>()
{
@Override
public Integer doWork() throws Exception
{
return transactionService.getRetryingTransactionHelper().doInTransaction(findAndUpdateAclWork, false, true);
}
};
return findAndUpdateAclRunAsWork;
}
private List<NodeRef> getNodesWithAspects(final Set<QName> aspects)
{
return transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<List<NodeRef>>()
{
@Override
public List<NodeRef> execute() throws Throwable
{
GetNodesWithAspectCallback callback = new GetNodesWithAspectCallback();
nodeDAO.getNodesWithAspects(aspects, 1L, null, callback);
return callback.getNodes();
}
}, false, true);
}
private class GetNodesWithAspectCallback implements NodeRefQueryCallback
{
private List<NodeRef> nodes = new ArrayList<>();
@Override
public boolean handle(Pair<Long, NodeRef> nodePair)
{
if (nodes.size() < maxItemBatchSize)
{
nodes.add(nodePair.getSecond());
return true;
}
return false;
}
public List<NodeRef> getNodes()
{
return nodes;
}
}
private static class FixedAclUpdaterJobLockRefreshCallback implements JobLockRefreshCallback
{
public AtomicBoolean isActive = new AtomicBoolean(true);
@Override
public boolean isActive()
{
return isActive.get();
}
@Override
public void lockReleased()
{
isActive.set(false);
}
}
@Override
public void afterCommit()
{
Thread t = new Thread(new Runnable()
{
@Override
public void run()
{
execute();
}
});
t.start();
}
}

52
source/java/org/alfresco/repo/domain/permissions/FixedAclUpdaterJob.java Normal file
View File

@@ -0,0 +1,52 @@
/*
* Copyright (C) 2005-2016 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.domain.permissions;
import org.alfresco.error.AlfrescoRuntimeException;
import org.quartz.Job;
import org.quartz.JobDataMap;
import org.quartz.JobExecutionContext;
import org.quartz.JobExecutionException;
/**
* Triggers setFixedAcl for those nodes with ASPECT_PENDING_FIX_ACL
*
* @author Andreea Dragoi
* @since 4.2.7
*
*/
public class FixedAclUpdaterJob implements Job
{
/**
* Calls {@link FixedAclUpdater} to do it's work
*/
@Override
public void execute(JobExecutionContext context) throws JobExecutionException
{
JobDataMap jobDataMap = context.getJobDetail().getJobDataMap();
Object fixedAclUpdaterObject = jobDataMap.get("fixedAclUpdater");
if (fixedAclUpdaterObject == null || !(fixedAclUpdaterObject instanceof FixedAclUpdater))
{
throw new AlfrescoRuntimeException("FixedAclUpdaterJob must contain a valid 'fixedAclUpdater'");
}
FixedAclUpdater fixedAclUpdater = (FixedAclUpdater)fixedAclUpdaterObject;
fixedAclUpdater.execute();
}
}

12
source/java/org/alfresco/repo/jscript/ScriptNode.java
View File

@@ -1628,6 +1628,18 @@ public class ScriptNode implements Scopeable, NamespacePrefixResolverProvider
this.services.getPermissionService().setInheritParentPermissions(this.nodeRef, inherit);
}
/**
* Set whether this node should inherit permissions from the parent node. If the operation takes
* too long and asyncCall parameter set accordingly, fixed ACLs method will be asynchronously called.
*
* @param inherit True to inherit parent permissions, false otherwise.
* @param asyncCall True if fixed ACLs should be asynchronously set when operation execution takes too long, false otherwise.
*/
public void setInheritsPermissions(boolean inherit, boolean asyncCall)
{
this.services.getPermissionService().setInheritParentPermissions(this.nodeRef, inherit, asyncCall);
}
/**
* Apply a permission for ALL users to the node.
*

33
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java
View File

@@ -34,6 +34,7 @@ import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.permissions.AclDAO;
import org.alfresco.repo.node.db.traitextender.NodeServiceTrait;
import org.alfresco.repo.domain.permissions.FixedAclUpdater;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
@@ -149,6 +150,8 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected PermissionReference allPermissionReference;
protected FixedAclUpdater fixedAclUpdater;
protected boolean anyDenyDenies = false;
private final ExtendedTrait<PermissionServiceTrait> permissionServiceTrait;
@@ -272,6 +275,11 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
this.aclDaoComponent = aclDaoComponent;
}
public void setFixedAclUpdater(FixedAclUpdater fixedAclUpdater)
{
this.fixedAclUpdater = fixedAclUpdater;
}
/**
* Set the permissions access cache.
*
@@ -1035,6 +1043,31 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
accessCache.clear();
}
public void setInheritParentPermissions(NodeRef nodeRef, final boolean inheritParentPermissions, boolean asyncCall)
{
final NodeRef actualRef = tenantService.getName(nodeRef);
if (asyncCall)
{
//use transaction resource to determine later on in ADMAccessControlListDAO.setFixedAcl if asynchronous call may be required
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
//check if asynchronous call was required
Boolean asyncCallRequired = (Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY);
if (asyncCallRequired != null && asyncCallRequired)
{
//after transaction is committed FixedAclUpdater will be started in a new thread to process pending nodes
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
}
else
{
//regular method call
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
}
accessCache.clear();
}
/**
* @see org.alfresco.service.cmr.security.PermissionService#getInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef)
*/

6
source/java/org/alfresco/repo/security/permissions/noop/PermissionServiceNOOPImpl.java
View File

@@ -114,6 +114,12 @@ public class PermissionServiceNOOPImpl implements PermissionServiceSPI
// Do Nothing.
}
@Override
public void setInheritParentPermissions(NodeRef nodeRef, boolean inheritParentPermissions, boolean asyncCall)
{
// Do Nothing.
}
@Override
public boolean getInheritParentPermissions(NodeRef nodeRef)
{

403
source/test-java/org/alfresco/repo/domain/permissions/FixedAclUpdaterTest.java Normal file
View File

@@ -0,0 +1,403 @@
/*
* Copyright (C) 2005-2016 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.domain.permissions;
import java.util.HashSet;
import java.util.Set;
import junit.framework.TestCase;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.domain.node.NodeDAO;
import org.alfresco.repo.domain.node.NodeDAO.NodeRefQueryCallback;
import org.alfresco.repo.model.Repository;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.permissions.impl.PermissionsDaoComponent;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.TransactionListenerAdapter;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.model.FileFolderService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.ApplicationContextHelper;
import org.alfresco.util.ArgumentHelper;
import org.alfresco.util.Pair;
import org.junit.Test;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ConfigurableApplicationContext;
/**
* Test class for {@link FixedAclUpdater}
*
* @author Andreea Dragoi
* @since 4.2.7
*
*/
public class FixedAclUpdaterTest extends TestCase
{
private ApplicationContext ctx;
private RetryingTransactionHelper txnHelper;
private FileFolderService fileFolderService;
private Repository repository;
private FixedAclUpdater fixedAclUpdater;
private NodeRef folderNodeRef;
private PermissionsDaoComponent permissionsDaoComponent;
private NodeDAO nodeDAO;
@Override
public void setUp() throws Exception
{
ctx = ApplicationContextHelper.getApplicationContext();
ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean(ServiceRegistry.SERVICE_REGISTRY);
txnHelper = serviceRegistry.getTransactionService().getRetryingTransactionHelper();
fileFolderService = serviceRegistry.getFileFolderService();
repository = (Repository) ctx.getBean("repositoryHelper");
fixedAclUpdater = (FixedAclUpdater) ctx.getBean("fixedAclUpdater");
permissionsDaoComponent = (PermissionsDaoComponent) ctx.getBean("admPermissionsDaoComponent");
nodeDAO = (NodeDAO) ctx.getBean("nodeDAO");
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName());
NodeRef home = repository.getCompanyHome();
// create a folder hierarchy for which will change permission inheritance
int[] filesPerLevel = { 5, 5, 10 };
RetryingTransactionCallback<NodeRef> cb = createFolderHierchyCallback(home, fileFolderService, "ROOT", filesPerLevel);
folderNodeRef = txnHelper.doInTransaction(cb);
// change setFixedAclMaxTransactionTime to lower value so setInheritParentPermissions on created folder hierarchy require async call
setFixedAclMaxTransactionTime(permissionsDaoComponent, home, 50);
}
private static void setFixedAclMaxTransactionTime(PermissionsDaoComponent permissionsDaoComponent, NodeRef folderNodeRef,
long fixedAclMaxTransactionTime)
{
if (permissionsDaoComponent instanceof ADMPermissionsDaoComponentImpl)
{
AccessControlListDAO acldao = ((ADMPermissionsDaoComponentImpl) permissionsDaoComponent).getACLDAO(folderNodeRef);
if (acldao instanceof ADMAccessControlListDAO)
{
ADMAccessControlListDAO admAcLDao = (ADMAccessControlListDAO) acldao;
admAcLDao.setFixedAclMaxTransactionTime(fixedAclMaxTransactionTime);
}
}
}
private static RetryingTransactionCallback<NodeRef> createFolderHierchyCallback(final NodeRef root,
final FileFolderService fileFolderService, final String rootName, final int[] filesPerLevel)
{
RetryingTransactionCallback<NodeRef> cb = new RetryingTransactionCallback<NodeRef>()
{
@Override
public NodeRef execute() throws Throwable
{
NodeRef parent = createFile(fileFolderService, root, rootName, ContentModel.TYPE_FOLDER);
createFolderHierchy(fileFolderService, parent, 0, filesPerLevel);
return parent;
}
};
return cb;
}
@Override
public void tearDown() throws Exception
{
// delete created folder hierarchy
try
{
txnHelper.doInTransaction(new RetryingTransactionCallback<Void>()
{
@Override
public Void execute() throws Throwable
{
Set<QName> aspect = new HashSet<>();
aspect.add(ContentModel.ASPECT_TEMPORARY);
nodeDAO.addNodeAspects(nodeDAO.getNodePair(folderNodeRef).getFirst(), aspect);
fileFolderService.delete(folderNodeRef);
return null;
}
});
}
catch (Exception e)
{
}
AuthenticationUtil.clearCurrentSecurityContext();
}
private static NodeRef createFile(FileFolderService fileFolderService, NodeRef parent, String name, QName type)
{
return fileFolderService.create(parent, name + "_" + System.currentTimeMillis(), type).getNodeRef();
}
/**
* Get number of nodes with ASPECT_PENDING_FIX_ACL
*/
private int getNodesCountWithPendingFixedAclAspect()
{
final Set<QName> aspects = new HashSet<>(1);
aspects.add(ContentModel.ASPECT_PENDING_FIX_ACL);
GetNodesCountWithAspectCallback callback = new GetNodesCountWithAspectCallback();
nodeDAO.getNodesWithAspects(aspects, 1L, null, callback);
return callback.getNodesNumber();
}
@Test
public void testMNT15368()
{
txnHelper.doInTransaction(new RetryingTransactionCallback<Void>()
{
@Override
public Void execute() throws Throwable
{
// call setInheritParentPermissions on a node that will required async
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
permissionsDaoComponent.setInheritParentPermissions(folderNodeRef, false);
Boolean asyncCallRequired = (Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY);
if (asyncCallRequired != null && asyncCallRequired)
{
// check if there are nodes with ASPECT_PENDING_FIX_ACL
assertTrue(" No nodes with pending aspect", getNodesCountWithPendingFixedAclAspect() > 0);
AlfrescoTransactionSupport.bindListener(new TransactionListenerAdapter()
{
@Override
public void afterCommit()
{
// start fixedAclUpdater
Thread t = new Thread(new Runnable()
{
@Override
public void run()
{
fixedAclUpdater.execute();
}
});
t.start();
try
{
// wait to finish work
t.join();
}
catch (InterruptedException e)
{
}
}
});
}
return null;
}
});
// check if nodes with ASPECT_PENDING_FIX_ACL are processed
assertTrue("Not all nodes were processed", getNodesCountWithPendingFixedAclAspect() == 0);
}
private static class GetNodesCountWithAspectCallback implements NodeRefQueryCallback
{
int nodesNumber = 0;
@Override
public boolean handle(Pair<Long, NodeRef> nodePair)
{
nodesNumber++;
return true;
}
public int getNodesNumber()
{
return nodesNumber;
}
}
/**
* Creates a level in folder/file hierarchy. Intermediate levels will
* contain folders and last ones files
*
* @param fileFolderService
* @param parent
* - parent node of the of hierarchy level
* @param level
* - zero based
* @param filesPerLevel
* - array containing number of folders/files per level
*/
private static void createFolderHierchy(FileFolderService fileFolderService, NodeRef parent, int level, int[] filesPerLevel)
{
int levels = filesPerLevel.length;
// intermediate level
if (level < levels - 1)
{
int numFiles = filesPerLevel[level];
for (int i = 0; i < numFiles; i++)
{
NodeRef node = createFile(fileFolderService, parent, "LVL" + level + i, ContentModel.TYPE_FOLDER);
createFolderHierchy(fileFolderService, node, level + 1, filesPerLevel);
}
}
// last level
else if (level == levels - 1)
{
int numFiles = filesPerLevel[level];
for (int i = 0; i < numFiles; i++)
{
createFile(fileFolderService, parent, "File" + i, ContentModel.TYPE_CONTENT);
}
}
}
/**
* Create a folder hierarchy and start FixedAclUpdater. See {@link #getUsage()} for usage parameters
*/
public static void main(String... args)
{
ConfigurableApplicationContext ctx = (ConfigurableApplicationContext) ApplicationContextHelper.getApplicationContext();
try
{
run(ctx, args);
}
catch (Exception e)
{
System.out.println("Failed to run FixedAclUpdaterTest test");
e.printStackTrace();
}
finally
{
ctx.close();
}
}
public static void run(final ApplicationContext ctx, String... args) throws InterruptedException
{
ArgumentHelper argHelper = new ArgumentHelper(getUsage(), args);
int threadCount = argHelper.getIntegerValue("threads", true, 1, 100);
String levels[] = argHelper.getStringValue("filesPerLevel", true, true).split(",");
int fixedAclMaxTransactionTime = argHelper.getIntegerValue("fixedAclMaxTransactionTime", true, 1, 10000);
final int[] filesPerLevel = new int[levels.length];
for (int i = 0; i < levels.length; i++)
{
filesPerLevel[i] = Integer.parseInt(levels[i]);
}
ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean(ServiceRegistry.SERVICE_REGISTRY);
final RetryingTransactionHelper txnHelper = serviceRegistry.getTransactionService().getRetryingTransactionHelper();
final FileFolderService fileFolderService = serviceRegistry.getFileFolderService();
Repository repository = (Repository) ctx.getBean("repositoryHelper");
final FixedAclUpdater fixedAclUpdater = (FixedAclUpdater) ctx.getBean("fixedAclUpdater");
final PermissionsDaoComponent permissionsDaoComponent = (PermissionsDaoComponent) ctx.getBean("admPermissionsDaoComponent");
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName());
NodeRef home = repository.getCompanyHome();
final NodeRef root = createFile(fileFolderService, home, "ROOT", ContentModel.TYPE_FOLDER);
// create a folder hierarchy for which will change permission inheritance
Thread[] threads = new Thread[threadCount];
for (int i = 0; i < threadCount; i++)
{
final int index = i;
Thread t = new Thread(new Runnable()
{
@Override
public void run()
{
AuthenticationUtil.runAs(new RunAsWork<Void>()
{
@Override
public Void doWork() throws Exception
{
RetryingTransactionCallback<NodeRef> cb = createFolderHierchyCallback(root, fileFolderService, "FOLDER" + index, filesPerLevel);
txnHelper.doInTransaction(cb);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
});
t.start();
threads[i] = t;
}
for (int i = 0; i < threads.length; i++)
{
threads[i].join();
}
setFixedAclMaxTransactionTime(permissionsDaoComponent, home, fixedAclMaxTransactionTime);
txnHelper.doInTransaction(new RetryingTransactionCallback<Void>()
{
@Override
public Void execute() throws Throwable
{
// call setInheritParentPermissions on a node that will required async
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
final long startTime = System.currentTimeMillis();
permissionsDaoComponent.setInheritParentPermissions(root, false);
Boolean asyncCallRequired = (Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY);
if (asyncCallRequired != null && asyncCallRequired)
{
// check if there are nodes with ASPECT_PENDING_FIX_ACL
AlfrescoTransactionSupport.bindListener(new TransactionListenerAdapter()
{
@Override
public void afterCommit()
{
long userEndTime = System.currentTimeMillis();
// start fixedAclUpdater
Thread t = new Thread(new Runnable()
{
@Override
public void run()
{
fixedAclUpdater.execute();
}
});
t.start();
try
{
// wait to finish work
t.join();
System.out.println("Backend time " + (System.currentTimeMillis() - startTime));
System.out.println("User time " + (userEndTime - startTime));
}
catch (InterruptedException e)
{
}
}
});
}
return null;
}
}, false, true);
}
private static String getUsage()
{
StringBuilder sb = new StringBuilder();
sb.append("FixedAclUpdaterTest usage: ").append("\n");
sb.append(" FixedAclUpdaterTest --threads=<threadcount> --fixedAclMaxTransactionTime=<maxtime> --filesPerLevel=<levelfiles>").append("\n");
sb.append(" maxtime: max transaction time for fixed acl ").append("\n");
sb.append(" threadcount: number of threads to create the folder hierarchy ").append("\n");
sb.append(" levelfiles: number of folders/files per level separated by comma").append("\n");
return sb.toString();
}
}

3
source/test-java/org/alfresco/repo/security/SecurityTestSuite.java
View File

@@ -22,6 +22,7 @@ import junit.framework.JUnit4TestAdapter;
import junit.framework.Test;
import junit.framework.TestSuite;
import org.alfresco.repo.domain.permissions.FixedAclUpdaterTest;
import org.alfresco.repo.ownable.impl.OwnableServiceTest;
import org.alfresco.repo.security.authentication.AlfrescoSSLSocketFactoryTest;
import org.alfresco.repo.security.authentication.AuthenticationBootstrapTest;
@@ -85,6 +86,8 @@ public class SecurityTestSuite extends TestSuite
suite.addTest(new JUnit4TestAdapter(HomeFolderProviderSynchronizerTest.class));
suite.addTest(new JUnit4TestAdapter(AlfrescoSSLSocketFactoryTest.class));
suite.addTestSuite(FixedAclUpdaterTest.class);
return suite;
}
}