mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-07 18:25:23 +00:00
36311: BDE-69: filter long tests if minimal.testing property is defined 36314: Merged V4.0 to V4.0-BUG-FIX (RECORD ONLY) 36247: ALF-11027: temporarily remove import of maven.xml, since it makes ant calls fail from enterpriseprojects 36331: ALF-12447: Further changes required to fix lower case meta-inf folder name 36333: Revert ALF-12447. 36334: ALF-14115: Merged V3.4-BUG-FIX to V4.0-BUG-FIX 36318: ALF-12447: Fix case on META-INF folder for SDK 36332: ALF-12447: Further changes required to fix lower case meta-inf folder name 36337: ALF-14115: Merged V3.4-BUG-FIX to V4.0-BUG-FIX 36332: ALF-12447: Yet more meta-inf case changes needed. 36342: ALF-14120: fix only completed tasks returned 36343: ALF-13898: starting workflow from IMAP now using workflowDefs with engine name included, fallback to appending $jbpm when not present, to preserve backwards compatibility. 36345: Fix for ALF-12730 - Email Space Users fails if template is used 36346: Fix for ALF-9466 - We can search contents sorted by categories in Advanced search in Share, but saved search will not be shown in UI. 36364: Switch version to 4.0.3 36375: Merged BRANCHES/DEV/CLOUDSYNCLOCAL2 to BRANCHES/DEV/V4.0-BUG-FIX: 36366: Tweak to implementation to ensure that on-authentication-failed, the status is updated within a r/w transaction. 36374: Provide more specific exceptions from the Remote Connector Service for client and server errors 36376: Fix ALF-14121 - Alfresco fails to start if using "replicating-content-services-context.xml" 36393: Final part of ALF-13723 SOLR does not include the same query unit tests as lucene - CMIS typed query and ordering tests 36432: ALF-14133: Merged V3.4-BUG-FIX (3.4.10) to V4.0-BUG-FIX (4.0.3) << 4.0.x specific change: Changed transformer.complex.OOXML.Image into transformer.complex.Any.Image >> << allowing any transformer to be selected for the conversion to JPEG >> 36427: ALF-14131 Complex transformers fail if a lower level transformer fails even though there is another transformer that could do the transformation - Added a base spring bean for all complex transformers 36362: ALF-14131 Complex transformers fail if a lower level transformer fails even though there is another transformer that could do the transformation 36434: Test fix for ALF-13723 SOLR does not include the same query unit tests as lucene - CMIS test data change broke AFTS ID ordering 36503: Removed thousands of compiler warnings (CMIS query test code) 36518: Fix for ALF-13778 - Links on Share Repository search page show incorrect link name; do not work when root-node is defined. Fix now means that Share search correctly handles overridden Repository root node setting. Original work by Vasily Olhin. 36520: BDE-69: filter all repo tests if minimal.testing property is defined 36534: ALF-14116: Latest Surf libs (r1075) - ensure that i18n extensions can process browser sent short locales 36563: Merged V3.4-BUG-FIX to V4.0-BUG-FIX 36336: ALF-12447: Yet more meta-inf case changes needed. 36347: Fix for ALF-13920 - Error occurred when try to edit/delete category 36352: Fix for ALF-13123 - Invalid JSON format from Get Node Tags Webscript - strings not double-quoted. Also fixed POST webscript with same issue. 36399: ALL LANG: translation updates based on EN r36392 36421: Fix for Mac Lion versioning issue. ALF-12792 (Part 1 of 2) Enable the InfoPassthru and Level2Oplocks server capability flags, InfoPassthru is the flag that fixes the Mac Lion versioning error. Added support for filesystems that do not implement the NTFS streams interface in the CIFS transact rename processing, for the Alfresco repo filesystem. 36422: Fix for Mac Lion versioning issue. ALF-12792 (Part 2 of 2) Enable the InfoPassthru and Level2Oplocks server capability flags, InfoPassthru is the flag that fixes the Mac Lion versioning error. 36423: Add support for file size tracking in the file state. ALF-13616 (Part 1 of 2) 36424: Fix for Mac MS Word file save issue. ALF-13616 (Part 2 of 2) Added live file size tracking to file writing/folder searches so the correct file size is returned before the file is closed. 36444: Merged DEV to V3.4-BUG-FIX 36419: ALF-12666 Search against simple-search-additional-attributes doesn't work properly SearchContext.buildQuery(int) method was changed. 36446: Fix for ALF-13404 - Performance: 'Content I'm Editing' dashlet is slow to render when there is lots of data/sites - Effectively removed all PATH based queries using the pattern /companyhome/sites/*/container//* as they are a non-optimized case - Replaced the "all sites" doclist query using the above pattern with /companyhome/sites//* plus post query resultset processing based on documentLibrary container matching regex - Optimized favorite document query to remove need for a PATH - Optimized Content I'm Editing discussion PATH query to use /*/* instead of /*//* - Fixed issue where Content I'm Editing discussion results would not always show the root topics that a user has edited - Added some addition doclist.get.js query scriptlogger debugging output 36449: ALF-13404 - Fix for issue where favoriates for all sites would be shown in each site document library in the My Favorites filter. 36475: ALF-14131 Complex transformers fail if a lower level transformer fails even though there is another transformer that could do the transformation - Change base spring bean on example config file 36480: 36453: ALF-3881 : ldap sync deletion behaviour not flexible enough - synchronization.allowDeletions parameter introduced - default value is true (existing behaviour) - when false, no missing users or groups are deleted from the repository - instead they are cleared of their zones and missing groups are cleared of all their members - colliding users and groups from different zones are also 'moved' rather than recreated - unit test added 36491: Added CIFS transact2 NT passthru levels for set end of file/set allocation size. ALF-13616. Also updated FileInfoLevel with the latest list of NT passthru information levels. 36497: Fixed ALF-14163: JavaScript Behaviour broken: Node properties cannot be cast to java.io.Serializable - Fallout from ALF-12855 - Made class Serializable (like HashMap would have been) - Fixed line endings, too 36531: ALF-13769: Merged BELARUS/V3.4-BUG-FIX-2012_04_05 to V3.4-BUG-FIX (3.4.10) 35150: ALF-2645 : 3.2+ ldap sync debug information is too scarce - Improved LDAP logging. 36532: ALF-13769: BRANCHES/DEV/BELARUS/V3.4-BUG-FIX-2012_01_26 to V3.4-BUG-FIX (3.4.10) 36461: ALF-237: WCM: File conflicts cause file order not to be consistent - It is reasonable set values for checkboxes using the indexes from the list, which are not changed. So when we submit the window, the getSelectedNodes method is invoked and it takes selected nodes by checkbox values from "paths" list. 36535: Merged DEV to V3.4-BUG-FIX 36479: ALF-8918 : Cannot "edit offline" a web quick start publication A check in TaggableAspect.onUpdatePropertiesOnCommit() was extended to skip the update, if no tags were changed. 36555: Merged V3.4 to V3.4-BUG-FIX 36294: ALF-14039: Merged HEAD to V3.4 31732: ALF-10934: Prevent potential start/stop ping-pong of subsystems across a cluster - When a cluster boots up or receives a reinit message it shouldn't be sending out any start messages 36566: Merged V3.4-BUG-FIX to V4.0-BUG-FIX (RECORD ONLY) 36172: Merged BRANCHES/DEV/V4.0-BUG-FIX to BRANCHES/DEV/V3.4-BUG-FIX: 36169: ALF-8755: After renaming content / space by Contributor via WebDAV new items are created 36572: Merged V4.0 to V4.0-BUG-FIX 36388: ALF-14025: Updated Surf libs (1071). Fixes to checksum-disabled dependency handling 36392: ALF-14129 Failed to do upgrade from 3.4.8 to 4.0.2 << Committed change for Frederik Heremans >> - Moved actual activiti-tables creation to before the upgrade 36409: Fix for ALF-14124 Solr is not working - Errors occur during the startup 36466: Fix for ALF-12770 - Infinite loop popup alert in TinyMCE after XSS injection in Alfresco Explorer online edit. 36501: Merged DEV to V4.0 36496: ALF-14063 : CLONE - Internet Explorer hangs when using the object picker with a larger number of documents YUI 2.9.0 library was modified to use chunked unloading of listeners via a series of setTimeout() functions in event.js for IE 6,7,8. 36502: ALF-14105: Share Advanced search issue with the form values - Fix by David We 36538: ALF-13986: Updated web.xml and index.jsp redirect to ensure that SSO works with proper surf site-configuration customization 36539: Fix for ALF-14167 Filtering by Tags/Categories doen't findes any content in Repository/DocumentLibrary - fix default namespace back to "" -> "" and fix the specific SOLR tests that require otherwise. 36541: ALF-14082: Input stream leaks in thumbnail rendering webscripts 36560: Correctly size content length header after HTML stripping process (ALF-9365) 36574: Merged V4.0 to V4.0-BUG-FIX (RECORD ONLY) 36316: Merged V4.0-BUG-FIX to V4.0 (4.0.2) 36391: Merged V4.0-BUG-FIX to V4.0 36376: Fix ALF-14121 - Alfresco fails to start if using "replicating-content-services-context.xml" git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@36576 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
1927 lines
93 KiB
Java
1927 lines
93 KiB
Java
/*
|
|
* Copyright (C) 2005-2012 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.repo.security.sync;
|
|
|
|
import java.io.IOException;
|
|
import java.io.Serializable;
|
|
import java.io.UnsupportedEncodingException;
|
|
import java.net.URLDecoder;
|
|
import java.text.DateFormat;
|
|
import java.util.Collection;
|
|
import java.util.Collections;
|
|
import java.util.Date;
|
|
import java.util.Deque;
|
|
import java.util.HashMap;
|
|
import java.util.HashSet;
|
|
import java.util.Iterator;
|
|
import java.util.LinkedHashMap;
|
|
import java.util.LinkedList;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
import java.util.TreeMap;
|
|
import java.util.TreeSet;
|
|
import java.util.concurrent.ScheduledExecutorService;
|
|
import java.util.concurrent.ScheduledThreadPoolExecutor;
|
|
import java.util.concurrent.TimeUnit;
|
|
|
|
import javax.management.AttributeNotFoundException;
|
|
import javax.management.InstanceNotFoundException;
|
|
import javax.management.IntrospectionException;
|
|
import javax.management.MBeanAttributeInfo;
|
|
import javax.management.MBeanException;
|
|
import javax.management.MBeanInfo;
|
|
import javax.management.MBeanServerConnection;
|
|
import javax.management.MalformedObjectNameException;
|
|
import javax.management.ObjectName;
|
|
import javax.management.ReflectionException;
|
|
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.batch.BatchProcessor;
|
|
import org.alfresco.repo.batch.BatchProcessor.BatchProcessWorker;
|
|
import org.alfresco.repo.lock.JobLockService;
|
|
import org.alfresco.repo.lock.LockAcquisitionException;
|
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
|
import org.alfresco.repo.management.subsystems.ChildApplicationContextManager;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
|
import org.alfresco.repo.security.authority.UnknownAuthorityException;
|
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport.TxnReadState;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
|
import org.alfresco.service.cmr.attributes.AttributeService;
|
|
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
|
|
import org.alfresco.service.cmr.rule.RuleService;
|
|
import org.alfresco.service.cmr.security.AuthorityService;
|
|
import org.alfresco.service.cmr.security.AuthorityType;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.service.namespace.NamespaceService;
|
|
import org.alfresco.service.namespace.QName;
|
|
import org.alfresco.service.transaction.TransactionService;
|
|
import org.alfresco.util.PropertyMap;
|
|
import org.alfresco.util.TraceableThreadFactory;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
|
import org.springframework.context.ApplicationContext;
|
|
import org.springframework.context.ApplicationEvent;
|
|
import org.springframework.context.ApplicationEventPublisher;
|
|
import org.springframework.context.ApplicationEventPublisherAware;
|
|
import org.springframework.dao.ConcurrencyFailureException;
|
|
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
|
|
|
|
/**
|
|
* A <code>ChainingUserRegistrySynchronizer</code> is responsible for synchronizing Alfresco's local user (person) and
|
|
* group (authority) information with the external subsystems in the authentication chain (most typically LDAP
|
|
* directories). When the {@link #synchronize(boolean)} method is called, it visits each {@link UserRegistry} bean in
|
|
* the 'chain' of application contexts, managed by a {@link ChildApplicationContextManager}, and compares its
|
|
* timestamped user and group information with the local users and groups last retrieved from the same source. Any
|
|
* updates and additions made to those users and groups are applied to the local copies. The ordering of each
|
|
* {@link UserRegistry} in the chain determines its precedence when it comes to user and group name collisions. The
|
|
* {@link JobLockService} is used to ensure that in a cluster, no two nodes actually run a synchronize at the same time.
|
|
* <p>
|
|
* The <code>force</code> argument determines whether a complete or partial set of information is queried from the
|
|
* {@link UserRegistry}. When <code>true</code> then <i>all</i> users and groups are queried. With this complete set of
|
|
* information, the synchronizer is able to identify which users and groups have been deleted, so it will delete users
|
|
* and groups as well as update and create them. Since processing all users and groups may be fairly time consuming, it
|
|
* is recommended this mode is only used by a background scheduled synchronization job. When the argument is
|
|
* <code>false</code> then only those users and groups modified since the most recent modification date of all the
|
|
* objects last queried from the same {@link UserRegistry} are retrieved. In this mode, local users and groups are
|
|
* created and updated, but not deleted (except where a name collision with a lower priority {@link UserRegistry} is
|
|
* detected). This 'differential' mode is much faster, and by default is triggered on subsystem startup and also by
|
|
* {@link #createMissingPerson(String)} when a user is successfully authenticated who doesn't yet have a local person
|
|
* object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as
|
|
* and when required.
|
|
*
|
|
* @author dward
|
|
*/
|
|
public class ChainingUserRegistrySynchronizer extends AbstractLifecycleBean implements UserRegistrySynchronizer,
|
|
ApplicationEventPublisherAware
|
|
{
|
|
/** The logger. */
|
|
private static final Log logger = LogFactory.getLog(ChainingUserRegistrySynchronizer.class);
|
|
|
|
/** The name of the lock used to ensure that a synchronize does not run on more than one node at the same time. */
|
|
private static final QName LOCK_QNAME = QName.createQName(NamespaceService.SYSTEM_MODEL_1_0_URI,
|
|
"ChainingUserRegistrySynchronizer");
|
|
|
|
/** The time this lock will persist for in the database (now only 2 minutes but refreshed at regular intervals). */
|
|
private static final long LOCK_TTL = 1000 * 60 * 2;
|
|
|
|
/** The path in the attribute service below which we persist attributes. */
|
|
public static final String ROOT_ATTRIBUTE_PATH = ".ChainingUserRegistrySynchronizer";
|
|
|
|
/** The label under which the last group modification timestamp is stored for each zone. */
|
|
private static final String GROUP_LAST_MODIFIED_ATTRIBUTE = "GROUP";
|
|
|
|
/** The label under which the last user modification timestamp is stored for each zone. */
|
|
private static final String PERSON_LAST_MODIFIED_ATTRIBUTE = "PERSON";
|
|
|
|
/** The manager for the autentication chain to be traversed. */
|
|
private ChildApplicationContextManager applicationContextManager;
|
|
|
|
/** The name used to look up a {@link UserRegistry} bean in each child application context. */
|
|
private String sourceBeanName;
|
|
|
|
/** The authority service. */
|
|
private AuthorityService authorityService;
|
|
|
|
/** The person service. */
|
|
private PersonService personService;
|
|
|
|
/** The attribute service. */
|
|
private AttributeService attributeService;
|
|
|
|
/** The transaction service. */
|
|
private TransactionService transactionService;
|
|
|
|
/** The rule service. */
|
|
private RuleService ruleService;
|
|
|
|
/** The job lock service. */
|
|
private JobLockService jobLockService;
|
|
|
|
/** The application event publisher. */
|
|
private ApplicationEventPublisher applicationEventPublisher;
|
|
|
|
/** Should we trigger a differential sync when missing people log in?. */
|
|
private boolean syncWhenMissingPeopleLogIn = true;
|
|
|
|
/** Should we trigger a differential sync on startup?. */
|
|
private boolean syncOnStartup = true;
|
|
|
|
/** Should we auto create a missing person on log in?. */
|
|
private boolean autoCreatePeopleOnLogin = true;
|
|
|
|
/** The number of entries to process before reporting progress. */
|
|
private int loggingInterval = 100;
|
|
|
|
/** The number of worker threads. */
|
|
private int workerThreads = 2;
|
|
|
|
private MBeanServerConnection mbeanServer;
|
|
|
|
/** Allow a full sync to perform deletions? */
|
|
private boolean allowDeletions = true;
|
|
|
|
/**
|
|
* Sets the application context manager.
|
|
*
|
|
* @param applicationContextManager
|
|
* the applicationContextManager to set
|
|
*/
|
|
public void setApplicationContextManager(ChildApplicationContextManager applicationContextManager)
|
|
{
|
|
this.applicationContextManager = applicationContextManager;
|
|
}
|
|
|
|
/**
|
|
* Sets the name used to look up a {@link UserRegistry} bean in each child application context.
|
|
*
|
|
* @param sourceBeanName
|
|
* the bean name
|
|
*/
|
|
public void setSourceBeanName(String sourceBeanName)
|
|
{
|
|
this.sourceBeanName = sourceBeanName;
|
|
}
|
|
|
|
/**
|
|
* Sets the authority service.
|
|
*
|
|
* @param authorityService
|
|
* the new authority service
|
|
*/
|
|
public void setAuthorityService(AuthorityService authorityService)
|
|
{
|
|
this.authorityService = authorityService;
|
|
}
|
|
|
|
/**
|
|
* Sets the person service.
|
|
*
|
|
* @param personService
|
|
* the new person service
|
|
*/
|
|
public void setPersonService(PersonService personService)
|
|
{
|
|
this.personService = personService;
|
|
}
|
|
|
|
/**
|
|
* Sets the attribute service.
|
|
*
|
|
* @param attributeService
|
|
* the new attribute service
|
|
*/
|
|
public void setAttributeService(AttributeService attributeService)
|
|
{
|
|
this.attributeService = attributeService;
|
|
}
|
|
|
|
/**
|
|
* Sets the transaction service.
|
|
*
|
|
* @param transactionService
|
|
* the transaction service
|
|
*/
|
|
public void setTransactionService(TransactionService transactionService)
|
|
{
|
|
this.transactionService = transactionService;
|
|
}
|
|
|
|
/**
|
|
* Sets the rule service.
|
|
*
|
|
* @param ruleService
|
|
* the new rule service
|
|
*/
|
|
public void setRuleService(RuleService ruleService)
|
|
{
|
|
this.ruleService = ruleService;
|
|
}
|
|
|
|
/**
|
|
* Sets the job lock service.
|
|
*
|
|
* @param jobLockService
|
|
* the job lock service
|
|
*/
|
|
public void setJobLockService(JobLockService jobLockService)
|
|
{
|
|
this.jobLockService = jobLockService;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see
|
|
* org.springframework.context.ApplicationEventPublisherAware#setApplicationEventPublisher(org.springframework.context
|
|
* .ApplicationEventPublisher)
|
|
*/
|
|
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
|
|
{
|
|
this.applicationEventPublisher = applicationEventPublisher;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we auto create a missing person on log in.
|
|
*
|
|
* @param autoCreatePeopleOnLogin
|
|
* <code>true</code> if we should auto create a missing person on log in
|
|
*/
|
|
public void setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin)
|
|
{
|
|
this.autoCreatePeopleOnLogin = autoCreatePeopleOnLogin;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we trigger a differential sync when missing people log in.
|
|
*
|
|
* @param syncWhenMissingPeopleLogIn
|
|
* <codetrue</code> if we should trigger a sync when missing people log in
|
|
*/
|
|
public void setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn)
|
|
{
|
|
this.syncWhenMissingPeopleLogIn = syncWhenMissingPeopleLogIn;
|
|
}
|
|
|
|
/**
|
|
* Controls whether we trigger a differential sync when the subsystem starts up.
|
|
*
|
|
* @param syncOnStartup
|
|
* <codetrue</code> if we should trigger a sync on startup
|
|
*/
|
|
public void setSyncOnStartup(boolean syncOnStartup)
|
|
{
|
|
this.syncOnStartup = syncOnStartup;
|
|
}
|
|
|
|
/**
|
|
* Sets the number of entries to process before reporting progress.
|
|
*
|
|
* @param loggingInterval
|
|
* the number of entries to process before reporting progress or zero to disable progress reporting.
|
|
*/
|
|
public void setLoggingInterval(int loggingInterval)
|
|
{
|
|
this.loggingInterval = loggingInterval;
|
|
}
|
|
|
|
/**
|
|
* Sets the number of worker threads.
|
|
*
|
|
* @param workerThreads
|
|
* the number of worker threads
|
|
*/
|
|
public void setWorkerThreads(int workerThreads)
|
|
{
|
|
this.workerThreads = workerThreads;
|
|
}
|
|
|
|
/**
|
|
* Fullsync is run with deletions. By default is set to true.
|
|
*
|
|
* @param allowDeletions
|
|
*/
|
|
public void setAllowDeletions(boolean allowDeletions)
|
|
{
|
|
this.allowDeletions = allowDeletions;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#synchronize(boolean, boolean, boolean)
|
|
*/
|
|
public void synchronize(boolean forceUpdate, boolean isFullSync, final boolean splitTxns)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
|
|
if (forceUpdate)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Running a full sync.");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Running a differential sync.");
|
|
}
|
|
if (allowDeletions)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("deletions are allowed");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("deletions are not allowed");
|
|
}
|
|
// Don't proceed with the sync if the repository is read only
|
|
if (this.transactionService.isReadOnly())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Unable to proceed with user registry synchronization. Repository is read only.");
|
|
return;
|
|
}
|
|
}
|
|
|
|
// Don't proceed with the sync if the repository is read only
|
|
if (this.transactionService.isReadOnly())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Unable to proceed with user registry synchronization. Repository is read only.");
|
|
return;
|
|
}
|
|
|
|
// Create a background executor that will refresh our lock. This means we can request a lock with a relatively
|
|
// small persistence time and not worry about it lasting after server restarts. Note we use an independent
|
|
// executor because this is a compound operation that spans accross multiple batch processors.
|
|
String lockToken = null;
|
|
TraceableThreadFactory threadFactory = new TraceableThreadFactory();
|
|
threadFactory.setNamePrefix("ChainingUserRegistrySynchronizer lock refresh");
|
|
threadFactory.setThreadDaemon(true);
|
|
ScheduledExecutorService lockRefresher = new ScheduledThreadPoolExecutor(1, threadFactory);
|
|
|
|
// Let's ensure all exceptions get logged
|
|
try
|
|
{
|
|
// First, try to obtain a lock to ensure we are the only node trying to run this job
|
|
try
|
|
{
|
|
if (splitTxns)
|
|
{
|
|
// If this is an automated sync on startup or scheduled sync, don't even wait around for the lock.
|
|
// Assume the sync will be completed on another node.
|
|
lockToken = this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<String>()
|
|
{
|
|
public String execute() throws Throwable
|
|
{
|
|
return ChainingUserRegistrySynchronizer.this.jobLockService.getLock(
|
|
ChainingUserRegistrySynchronizer.LOCK_QNAME,
|
|
ChainingUserRegistrySynchronizer.LOCK_TTL, 0, 1);
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
else
|
|
{
|
|
// If this is a login-triggered sync, give it a few retries before giving up
|
|
lockToken = this.jobLockService.getLock(ChainingUserRegistrySynchronizer.LOCK_QNAME,
|
|
ChainingUserRegistrySynchronizer.LOCK_TTL, 3000, 10);
|
|
}
|
|
}
|
|
catch (LockAcquisitionException e)
|
|
{
|
|
// Don't proceed with the sync if it is running on another node
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("User registry synchronization already running in another thread. Synchronize aborted");
|
|
return;
|
|
}
|
|
|
|
// Schedule the lock refresh to run at regular intervals
|
|
final String token = lockToken;
|
|
lockRefresher.scheduleAtFixedRate(new Runnable()
|
|
{
|
|
public void run()
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper()
|
|
.doInTransaction(new RetryingTransactionCallback<Object>()
|
|
{
|
|
public Object execute() throws Throwable
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.jobLockService.refreshLock(token,
|
|
ChainingUserRegistrySynchronizer.LOCK_QNAME,
|
|
ChainingUserRegistrySynchronizer.LOCK_TTL);
|
|
return null;
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
}, ChainingUserRegistrySynchronizer.LOCK_TTL / 2, ChainingUserRegistrySynchronizer.LOCK_TTL / 2,
|
|
TimeUnit.MILLISECONDS);
|
|
|
|
Set<String> visitedZoneIds = new TreeSet<String>();
|
|
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
|
|
|
|
// Work out the set of all zone IDs in the authentication chain so that we can decide which users / groups
|
|
// need 're-zoning'
|
|
Set<String> allZoneIds = new TreeSet<String>();
|
|
for (String id : instanceIds)
|
|
{
|
|
allZoneIds.add(AuthorityService.ZONE_AUTH_EXT_PREFIX + id);
|
|
}
|
|
for (String id : instanceIds)
|
|
{
|
|
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
|
|
try
|
|
{
|
|
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
|
|
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
mbeanServer = (MBeanServerConnection) getApplicationContext().getBean("alfrescoMBeanServer");
|
|
try
|
|
{
|
|
StringBuilder nameBuff = new StringBuilder(200).append("Alfresco:Type=Configuration,Category=Authentication,id1=managed,id2=").append(
|
|
URLDecoder.decode(id, "UTF-8"));
|
|
ObjectName name = new ObjectName(nameBuff.toString());
|
|
if (mbeanServer != null && mbeanServer.isRegistered(name))
|
|
{
|
|
MBeanInfo info = mbeanServer.getMBeanInfo(name);
|
|
MBeanAttributeInfo[] attributes = info.getAttributes();
|
|
ChainingUserRegistrySynchronizer.logger.debug(id + " attributes:");
|
|
for (MBeanAttributeInfo attribute : attributes)
|
|
{
|
|
Object value = mbeanServer.getAttribute(name, attribute.getName());
|
|
ChainingUserRegistrySynchronizer.logger.debug(attribute.getName() + " = " + value);
|
|
}
|
|
}
|
|
}
|
|
catch(UnsupportedEncodingException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (MalformedObjectNameException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (InstanceNotFoundException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (IntrospectionException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (AttributeNotFoundException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (ReflectionException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (MBeanException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
catch (IOException e)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Exception during logging", e);
|
|
}
|
|
}
|
|
|
|
}
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.info("Synchronizing users and groups with user registry '" + id + "'");
|
|
}
|
|
if (isFullSync && ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Full synchronization with user registry '"
|
|
+ id + "'");
|
|
if (allowDeletions)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Some users and groups previously created by synchronization with this user registry may be removed.");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Deletions are disabled. Users and groups removed from this registry will be logged only and will remain in the repository. Users previously found in a different registry will be moved in the repository rather than recreated.");
|
|
}
|
|
}
|
|
// Work out whether we should do the work in a separate transaction (it's most performant if we
|
|
// bunch it into small transactions, but if we are doing a sync on login, it has to be the same
|
|
// transaction)
|
|
boolean requiresNew = splitTxns
|
|
|| AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY;
|
|
|
|
syncWithPlugin(id, plugin, forceUpdate, isFullSync, requiresNew, visitedZoneIds, allZoneIds);
|
|
}
|
|
}
|
|
catch (NoSuchBeanDefinitionException e)
|
|
{
|
|
// Ignore and continue
|
|
}
|
|
|
|
}
|
|
}
|
|
catch (RuntimeException e)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.error("Synchronization aborted due to error", e);
|
|
throw e;
|
|
}
|
|
// Release the lock if necessary
|
|
finally
|
|
{
|
|
if (lockToken != null)
|
|
{
|
|
// Cancel the lock refresher
|
|
// Because we may hit a perfect storm when trying to interrupt workers in their unsynchronized getTask()
|
|
// method we can't wait indefinitely and may have to retry the shutdown
|
|
int trys = 0;
|
|
do
|
|
{
|
|
lockRefresher.shutdown();
|
|
try
|
|
{
|
|
lockRefresher
|
|
.awaitTermination(ChainingUserRegistrySynchronizer.LOCK_TTL, TimeUnit.MILLISECONDS);
|
|
}
|
|
catch (InterruptedException e)
|
|
{
|
|
}
|
|
}
|
|
while (!lockRefresher.isTerminated() && trys++ < 3);
|
|
if (!lockRefresher.isTerminated())
|
|
{
|
|
lockRefresher.shutdownNow();
|
|
ChainingUserRegistrySynchronizer.logger.error("Failed to shut down lock refresher");
|
|
}
|
|
|
|
final String token = lockToken;
|
|
this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<Object>()
|
|
{
|
|
public Object execute() throws Throwable
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.jobLockService.releaseLock(token,
|
|
ChainingUserRegistrySynchronizer.LOCK_QNAME);
|
|
return null;
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#getPersonMappedProperties(java.lang.String)
|
|
*/
|
|
public Set<QName> getPersonMappedProperties(String username)
|
|
{
|
|
Set<String> authorityZones = this.authorityService.getAuthorityZones(username);
|
|
if (authorityZones == null)
|
|
{
|
|
return Collections.emptySet();
|
|
}
|
|
Collection<String> instanceIds = this.applicationContextManager.getInstanceIds();
|
|
|
|
// Visit the user registries in priority order and return the person mapping of the first registry that matches
|
|
// one of the person's zones
|
|
for (String id : instanceIds)
|
|
{
|
|
String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + id;
|
|
if (!authorityZones.contains(zoneId))
|
|
{
|
|
continue;
|
|
}
|
|
ApplicationContext context = this.applicationContextManager.getApplicationContext(id);
|
|
try
|
|
{
|
|
UserRegistry plugin = (UserRegistry) context.getBean(this.sourceBeanName);
|
|
if (!(plugin instanceof ActivateableBean) || ((ActivateableBean) plugin).isActive())
|
|
{
|
|
return plugin.getPersonMappedProperties();
|
|
}
|
|
}
|
|
catch (NoSuchBeanDefinitionException e)
|
|
{
|
|
// Ignore and continue
|
|
}
|
|
}
|
|
|
|
return Collections.emptySet();
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @see org.alfresco.repo.security.sync.UserRegistrySynchronizer#createMissingPerson(java.lang.String)
|
|
*/
|
|
public boolean createMissingPerson(String userName)
|
|
{
|
|
// synchronize or auto-create the missing person if we are allowed
|
|
if (userName != null && !userName.equals(AuthenticationUtil.getSystemUserName()))
|
|
{
|
|
if (this.syncWhenMissingPeopleLogIn)
|
|
{
|
|
try
|
|
{
|
|
synchronize(false, false, false);
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
// We don't want to fail the whole login if we can help it
|
|
ChainingUserRegistrySynchronizer.logger.warn(
|
|
"User authenticated but failed to sync with user registry", e);
|
|
}
|
|
if (this.personService.personExists(userName))
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
if (this.autoCreatePeopleOnLogin && this.personService.createMissingPeople())
|
|
{
|
|
AuthorityType authorityType = AuthorityType.getAuthorityType(userName);
|
|
if (authorityType == AuthorityType.USER)
|
|
{
|
|
this.personService.getPerson(userName);
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Synchronizes local groups and users with a {@link UserRegistry} for a particular zone, optionally handling
|
|
* deletions.
|
|
*
|
|
* @param zone
|
|
* the zone id. This identifier is used to tag all created groups and users, so that in the future we can
|
|
* tell those that have been deleted from the registry.
|
|
* @param userRegistry
|
|
* the user registry for the zone.
|
|
* @param forceUpdate
|
|
* Should the complete set of users and groups be updated / created locally or just those known to have
|
|
* changed since the last sync? When <code>true</code> then <i>all</i> users and groups are queried from
|
|
* the user registry and updated locally. When <code>false</code> then each source is only queried for
|
|
* those users and groups modified since the most recent modification date of all the objects last
|
|
* queried from that same source.
|
|
* @param isFullSync
|
|
* Should a complete set of user and group IDs be queried from the user registries in order to determine
|
|
* deletions? This parameter is independent of <code>force</code> as a separate query is run to process
|
|
* updates.
|
|
* @param splitTxns
|
|
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
|
|
* <code>true</code>, users and groups are created/updated in batches for increased performance. If
|
|
* <code>false</code>, all users and groups are processed in the current transaction. This is required if
|
|
* calling synchronously (e.g. in response to an authentication event in the same transaction).
|
|
* @param visitedZoneIds
|
|
* the set of zone ids already processed. These zones have precedence over the current zone when it comes
|
|
* to group name 'collisions'. If a user or group is queried that already exists locally but is tagged
|
|
* with one of the zones in this set, then it will be ignored as this zone has lower priority.
|
|
* @param allZoneIds
|
|
* the set of all zone ids in the authentication chain. Helps us work out whether the zone information
|
|
* recorded against a user or group is invalid for the current authentication chain and whether the user
|
|
* or group needs to be 're-zoned'.
|
|
*/
|
|
private void syncWithPlugin(final String zone, UserRegistry userRegistry, boolean forceUpdate,
|
|
boolean isFullSync, boolean splitTxns, final Set<String> visitedZoneIds, final Set<String> allZoneIds)
|
|
{
|
|
// Create a prefixed zone ID for use with the authority service
|
|
final String zoneId = AuthorityService.ZONE_AUTH_EXT_PREFIX + zone;
|
|
|
|
// The set of zones we associate with new objects (default plus registry specific)
|
|
final Set<String> zoneSet = getZones(zoneId);
|
|
|
|
long lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
|
|
ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
|
|
Date lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
|
|
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
if (lastModified == null)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving all groups from user registry '" + zone + "'");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving groups changed since "
|
|
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
|
|
}
|
|
}
|
|
|
|
// First, analyze the group structure. Create maps of authorities to their parents for associations to create
|
|
// and delete. Also deal with 'overlaps' with other zones in the authentication chain.
|
|
final BatchProcessor<NodeDescription> groupProcessor = new BatchProcessor<NodeDescription>(zone
|
|
+ " Group Analysis", this.transactionService.getRetryingTransactionHelper(), userRegistry
|
|
.getGroups(lastModified), this.workerThreads, 20, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class Analyzer extends BaseBatchProcessWorker<NodeDescription>
|
|
{
|
|
private final Map<String, String> groupsToCreate = new TreeMap<String, String>();
|
|
private final Map<String, Set<String>> personParentAssocsToCreate = newPersonMap();
|
|
private final Map<String, Set<String>> personParentAssocsToDelete = newPersonMap();
|
|
private Map<String, Set<String>> groupParentAssocsToCreate = new TreeMap<String, Set<String>>();
|
|
private final Map<String, Set<String>> groupParentAssocsToDelete = new TreeMap<String, Set<String>>();
|
|
private final Map<String, Set<String>> finalGroupChildAssocs = new TreeMap<String, Set<String>>();
|
|
private List<String> personsProcessed = new LinkedList<String>();
|
|
private Set<String> allZonePersons = Collections.emptySet();
|
|
private Set<String> deletionCandidates;
|
|
|
|
private long latestTime;
|
|
|
|
public Analyzer(final long latestTime)
|
|
{
|
|
this.latestTime = latestTime;
|
|
}
|
|
|
|
public long getLatestTime()
|
|
{
|
|
return this.latestTime;
|
|
}
|
|
|
|
public Set<String> getDeletionCandidates()
|
|
{
|
|
return this.deletionCandidates;
|
|
}
|
|
|
|
public String getIdentifier(NodeDescription entry)
|
|
{
|
|
return entry.getSourceId();
|
|
}
|
|
|
|
public void process(NodeDescription group) throws Throwable
|
|
{
|
|
PropertyMap groupProperties = group.getProperties();
|
|
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
|
|
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
|
|
Set<String> groupZones = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAuthorityZones(groupName);
|
|
|
|
if (groupZones == null)
|
|
{
|
|
// The group did not exist at all
|
|
updateGroup(group, false);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the group is in any of the authentication chain zones
|
|
Set<String> intersection = new TreeSet<String>(groupZones);
|
|
intersection.retainAll(allZoneIds);
|
|
// Check whether the group is in any of the higher priority authentication chain zones
|
|
Set<String> visited = new TreeSet<String>(intersection);
|
|
visited.retainAll(visitedZoneIds);
|
|
|
|
if (groupZones.contains(zoneId))
|
|
{
|
|
// The group already existed in this zone: update the group
|
|
updateGroup(group, true);
|
|
}
|
|
else if (!visited.isEmpty())
|
|
{
|
|
// A group that exists in a different zone with higher precedence
|
|
return;
|
|
}
|
|
else if (!allowDeletions || intersection.isEmpty())
|
|
{
|
|
// Deletions are disallowed or the group exists, but not in a zone that's in the authentication
|
|
// chain. May be due to upgrade or zone changes. Let's re-zone them
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Updating group '" + groupShortName
|
|
+ "'. This group will in future be assumed to originate from user registry '"
|
|
+ zone + "'.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(groupName,
|
|
groupZones);
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(groupName, zoneSet);
|
|
|
|
// The group now exists in this zone: update the group
|
|
updateGroup(group, true);
|
|
}
|
|
else
|
|
{
|
|
// The group existed, but in a zone with lower precedence
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Recreating occluded group '"
|
|
+ groupShortName
|
|
+ "'. This group was previously created through synchronization with a lower priority user registry.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(groupName);
|
|
|
|
// create the group
|
|
updateGroup(group, false);
|
|
}
|
|
}
|
|
|
|
synchronized (this)
|
|
{
|
|
// Maintain the last modified date
|
|
Date groupLastModified = group.getLastModified();
|
|
if (groupLastModified != null)
|
|
{
|
|
this.latestTime = Math.max(this.latestTime, groupLastModified.getTime());
|
|
}
|
|
}
|
|
}
|
|
|
|
// Recursively walks and caches the authorities relating to and from this group so that we can later detect potential cycles
|
|
private Set<String> getContainedAuthorities(String groupName)
|
|
{
|
|
// Return the cached children if it is processed
|
|
Set<String> children = this.finalGroupChildAssocs.get(groupName);
|
|
if (children != null)
|
|
{
|
|
return children;
|
|
}
|
|
|
|
// First, recurse to the parent most authorities
|
|
for (String parent : ChainingUserRegistrySynchronizer.this.authorityService.getContainingAuthorities(
|
|
null, groupName, true))
|
|
{
|
|
getContainedAuthorities(parent);
|
|
}
|
|
|
|
// Now descend on unprocessed parents.
|
|
return cacheContainedAuthorities(groupName);
|
|
}
|
|
|
|
private Set<String> cacheContainedAuthorities(String groupName)
|
|
{
|
|
// Return the cached children if it is processed
|
|
Set<String> children = this.finalGroupChildAssocs.get(groupName);
|
|
if (children != null)
|
|
{
|
|
return children;
|
|
}
|
|
|
|
// Descend on unprocessed parents.
|
|
children = ChainingUserRegistrySynchronizer.this.authorityService.getContainedAuthorities(null,
|
|
groupName, true);
|
|
this.finalGroupChildAssocs.put(groupName, children);
|
|
|
|
for (String child : children)
|
|
{
|
|
if (AuthorityType.getAuthorityType(child) != AuthorityType.USER)
|
|
{
|
|
cacheContainedAuthorities(child);
|
|
}
|
|
}
|
|
return children;
|
|
}
|
|
|
|
private synchronized void updateGroup(NodeDescription group, boolean existed)
|
|
{
|
|
PropertyMap groupProperties = group.getProperties();
|
|
String groupName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_NAME);
|
|
String groupDisplayName = (String) groupProperties.get(ContentModel.PROP_AUTHORITY_DISPLAY_NAME);
|
|
if (groupDisplayName == null)
|
|
{
|
|
groupDisplayName = ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName);
|
|
}
|
|
|
|
// Divide the child associations into person and group associations, dealing with case sensitivity
|
|
Set<String> newChildPersons = newPersonSet();
|
|
Set<String> newChildGroups = new TreeSet<String>();
|
|
|
|
for (String child : group.getChildAssociations())
|
|
{
|
|
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
|
|
{
|
|
newChildPersons.add(child);
|
|
}
|
|
else
|
|
{
|
|
newChildGroups.add(child);
|
|
}
|
|
}
|
|
|
|
// Account for differences if already existing
|
|
if (existed)
|
|
{
|
|
// Update the display name now
|
|
ChainingUserRegistrySynchronizer.this.authorityService.setAuthorityDisplayName(groupName,
|
|
groupDisplayName);
|
|
|
|
// Work out the association differences
|
|
for (String child : new TreeSet<String>(getContainedAuthorities(groupName)))
|
|
{
|
|
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
|
|
{
|
|
if (!newChildPersons.remove(child))
|
|
{
|
|
recordParentAssociationDeletion(child, groupName);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (!newChildGroups.remove(child))
|
|
{
|
|
recordParentAssociationDeletion(child, groupName);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
// Mark as created if new
|
|
else
|
|
{
|
|
// Make sure each group to be created features in the association deletion map (as these are handled in the same phase)
|
|
recordParentAssociationDeletion(groupName, null);
|
|
this.groupsToCreate.put(groupName, groupDisplayName);
|
|
}
|
|
|
|
// Create new associations
|
|
for (String child : newChildPersons)
|
|
{
|
|
// Make sure each person with association changes features as a key in the deletion map
|
|
recordParentAssociationDeletion(child, null);
|
|
recordParentAssociationCreation(child, groupName);
|
|
}
|
|
for (String child : newChildGroups)
|
|
{
|
|
// Make sure each group with association changes features as a key in the deletion map
|
|
recordParentAssociationDeletion(child, null);
|
|
recordParentAssociationCreation(child, groupName);
|
|
}
|
|
}
|
|
|
|
private void recordParentAssociationDeletion(String child, String parent)
|
|
{
|
|
Map<String, Set<String>> parentAssocs;
|
|
if (AuthorityType.getAuthorityType(child) == AuthorityType.USER)
|
|
{
|
|
parentAssocs = this.personParentAssocsToDelete;
|
|
}
|
|
else
|
|
{
|
|
// Reflect the change in the map of final group associations (for cycle detection later)
|
|
parentAssocs = this.groupParentAssocsToDelete;
|
|
if (parent != null)
|
|
{
|
|
Set<String> children = this.finalGroupChildAssocs.get(parent);
|
|
children.remove(child);
|
|
}
|
|
}
|
|
Set<String> parents = parentAssocs.get(child);
|
|
if (parents == null)
|
|
{
|
|
parents = new TreeSet<String>();
|
|
parentAssocs.put(child, parents);
|
|
}
|
|
if (parent != null)
|
|
{
|
|
parents.add(parent);
|
|
}
|
|
}
|
|
|
|
private void recordParentAssociationCreation(String child, String parent)
|
|
{
|
|
Map<String, Set<String>> parentAssocs = AuthorityType.getAuthorityType(child) == AuthorityType.USER ? this.personParentAssocsToCreate : this.groupParentAssocsToCreate;
|
|
Set<String> parents = parentAssocs.get(child);
|
|
if (parents == null)
|
|
{
|
|
parents = new TreeSet<String>();
|
|
parentAssocs.put(child, parents);
|
|
}
|
|
if (parent != null)
|
|
{
|
|
parents.add(parent);
|
|
}
|
|
}
|
|
|
|
private void validateGroupParentAssocsToCreate()
|
|
{
|
|
Iterator<Map.Entry<String, Set<String>>> i = this.groupParentAssocsToCreate.entrySet().iterator();
|
|
while (i.hasNext())
|
|
{
|
|
Map.Entry<String, Set<String>> entry = i.next();
|
|
String group = entry.getKey();
|
|
Set<String> parents = entry.getValue();
|
|
Deque<String> visited = new LinkedList<String>();
|
|
Iterator<String> j = parents.iterator();
|
|
while (j.hasNext())
|
|
{
|
|
String parent = j.next();
|
|
visited.add(parent);
|
|
if (validateAuthorityChildren(visited, group))
|
|
{
|
|
// The association validated - commit it
|
|
Set<String> children = finalGroupChildAssocs.get(parent);
|
|
if (children == null)
|
|
{
|
|
children = new TreeSet<String>();
|
|
finalGroupChildAssocs.put(parent, children);
|
|
}
|
|
children.add(group);
|
|
}
|
|
else
|
|
{
|
|
// The association did not validate - prune it out
|
|
if (logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Not adding group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(group)
|
|
+ "' to group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(parent)
|
|
+ "' as this creates a cyclic relationship");
|
|
}
|
|
j.remove();
|
|
}
|
|
visited.removeLast();
|
|
}
|
|
if (parents.isEmpty())
|
|
{
|
|
i.remove();
|
|
}
|
|
}
|
|
|
|
// Sort the group associations in parent-first order (root groups first) to minimize reindexing overhead
|
|
Map<String, Set<String>> sortedGroupAssociations = new LinkedHashMap<String, Set<String>>(
|
|
this.groupParentAssocsToCreate.size() * 2);
|
|
Deque<String> visited = new LinkedList<String>();
|
|
for (String authority : this.groupParentAssocsToCreate.keySet())
|
|
{
|
|
visitGroupParentAssocs(visited, authority, this.groupParentAssocsToCreate, sortedGroupAssociations);
|
|
}
|
|
|
|
this.groupParentAssocsToCreate = sortedGroupAssociations;
|
|
}
|
|
|
|
private boolean validateAuthorityChildren(Deque<String> visited, String authority)
|
|
{
|
|
if (AuthorityType.getAuthorityType(authority) == AuthorityType.USER)
|
|
{
|
|
return true;
|
|
}
|
|
if (visited.contains(authority))
|
|
{
|
|
return false;
|
|
}
|
|
visited.add(authority);
|
|
try
|
|
{
|
|
Set<String> children = this.finalGroupChildAssocs.get(authority);
|
|
if (children != null)
|
|
{
|
|
for (String child : children)
|
|
{
|
|
if (!validateAuthorityChildren(visited, child))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
finally
|
|
{
|
|
visited.removeLast();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Visits the given authority by recursively visiting its parents in associationsOld and then adding the
|
|
* authority to associationsNew. Used to sort associationsOld into 'parent-first' order to minimize
|
|
* reindexing overhead.
|
|
*
|
|
* @param visited
|
|
* The ancestors that form the path to the authority to visit. Allows detection of cyclic child
|
|
* associations.
|
|
* @param authority
|
|
* the authority to visit
|
|
* @param associationsOld
|
|
* the association map to sort
|
|
* @param associationsNew
|
|
* the association map to add to in parent-first order
|
|
*/
|
|
private boolean visitGroupParentAssocs(Deque<String> visited, String authority,
|
|
Map<String, Set<String>> associationsOld, Map<String, Set<String>> associationsNew)
|
|
{
|
|
if (visited.contains(authority))
|
|
{
|
|
// Prevent cyclic paths (Shouldn't happen as we've already validated)
|
|
return false;
|
|
}
|
|
visited.add(authority);
|
|
try
|
|
{
|
|
if (!associationsNew.containsKey(authority))
|
|
{
|
|
Set<String> oldParents = associationsOld.get(authority);
|
|
if (oldParents != null)
|
|
{
|
|
Set<String> newParents = new TreeSet<String>();
|
|
|
|
for (String parent: oldParents)
|
|
{
|
|
if (visitGroupParentAssocs(visited, parent, associationsOld, associationsNew))
|
|
{
|
|
newParents.add(parent);
|
|
}
|
|
}
|
|
associationsNew.put(authority, newParents);
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
finally
|
|
{
|
|
visited.removeLast();
|
|
}
|
|
}
|
|
|
|
private Set<String> newPersonSet()
|
|
{
|
|
return ChainingUserRegistrySynchronizer.this.personService.getUserNamesAreCaseSensitive() ? new TreeSet<String>()
|
|
: new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
|
|
}
|
|
|
|
private Map<String, Set<String>> newPersonMap()
|
|
{
|
|
return ChainingUserRegistrySynchronizer.this.personService.getUserNamesAreCaseSensitive() ? new TreeMap<String, Set<String>>()
|
|
: new TreeMap<String, Set<String>>(String.CASE_INSENSITIVE_ORDER);
|
|
}
|
|
|
|
private void logRetainParentAssociations(Map<String, Set<String>> parentAssocs, Set<String> toRetain)
|
|
{
|
|
Iterator<Map.Entry<String, Set<String>>> i = parentAssocs.entrySet().iterator();
|
|
StringBuilder groupList = null;
|
|
while (i.hasNext())
|
|
{
|
|
Map.Entry<String, Set<String>> entry = i.next();
|
|
String child = entry.getKey();
|
|
if (!toRetain.contains(child))
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
if (groupList == null)
|
|
{
|
|
groupList = new StringBuilder(1024);
|
|
}
|
|
else
|
|
{
|
|
groupList.setLength(0);
|
|
}
|
|
for (String parent : entry.getValue())
|
|
{
|
|
if (groupList.length() > 0)
|
|
{
|
|
groupList.append(", ");
|
|
}
|
|
groupList.append('\'').append(
|
|
ChainingUserRegistrySynchronizer.this.authorityService.getShortName(parent))
|
|
.append('\'');
|
|
|
|
}
|
|
ChainingUserRegistrySynchronizer.logger.debug("Ignoring non-existent member '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(child)
|
|
+ "' in groups {" + groupList.toString() + "}");
|
|
}
|
|
i.remove();
|
|
}
|
|
}
|
|
}
|
|
|
|
public void processGroups(UserRegistry userRegistry, boolean isFullSync, boolean splitTxns)
|
|
{
|
|
// If we got back some groups, we have to cross reference them with the set of known authorities
|
|
if (isFullSync || !this.groupParentAssocsToDelete.isEmpty()
|
|
|| !this.groupParentAssocsToDelete.isEmpty())
|
|
{
|
|
final Set<String> allZonePersons = newPersonSet();
|
|
final Set<String> allZoneGroups = new TreeSet<String>();
|
|
|
|
// Add in current set of known authorities
|
|
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper()
|
|
.doInTransaction(new RetryingTransactionCallback<Void>()
|
|
{
|
|
public Void execute() throws Throwable
|
|
{
|
|
allZonePersons.addAll(ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAllAuthoritiesInZone(zoneId, AuthorityType.USER));
|
|
allZoneGroups.addAll(ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAllAuthoritiesInZone(zoneId, AuthorityType.GROUP));
|
|
return null;
|
|
}
|
|
}, true, splitTxns);
|
|
|
|
allZoneGroups.addAll(this.groupsToCreate.keySet());
|
|
|
|
// Prune our set of authorities according to deletions
|
|
if (isFullSync)
|
|
{
|
|
final Set<String> personDeletionCandidates = newPersonSet();
|
|
personDeletionCandidates.addAll(allZonePersons);
|
|
|
|
final Set<String> groupDeletionCandidates = new TreeSet<String>();
|
|
groupDeletionCandidates.addAll(allZoneGroups);
|
|
|
|
this.deletionCandidates = new TreeSet<String>();
|
|
|
|
for (String person : userRegistry.getPersonNames())
|
|
{
|
|
personDeletionCandidates.remove(person);
|
|
}
|
|
|
|
for (String group : userRegistry.getGroupNames())
|
|
{
|
|
groupDeletionCandidates.remove(group);
|
|
}
|
|
|
|
this.deletionCandidates = new TreeSet<String>();
|
|
this.deletionCandidates.addAll(personDeletionCandidates);
|
|
this.deletionCandidates.addAll(groupDeletionCandidates);
|
|
if (allowDeletions)
|
|
{
|
|
allZonePersons.removeAll(personDeletionCandidates);
|
|
allZoneGroups.removeAll(groupDeletionCandidates);
|
|
}
|
|
else
|
|
{
|
|
if (!personDeletionCandidates.isEmpty())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("The following missing users are not being deleted as allowDeletions == false");
|
|
for (String person : personDeletionCandidates)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn(" " + person);
|
|
}
|
|
}
|
|
if (!groupDeletionCandidates.isEmpty())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("The following missing groups are not being deleted as allowDeletions == false");
|
|
for (String group : groupDeletionCandidates)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn(" " + group);
|
|
}
|
|
}
|
|
|
|
// Complete association deletion information by scanning deleted groups
|
|
BatchProcessor<String> groupScanner = new BatchProcessor<String>(zone
|
|
+ " Missing Authority Scanning",
|
|
ChainingUserRegistrySynchronizer.this.transactionService
|
|
.getRetryingTransactionHelper(), this.deletionCandidates,
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupScanner.process(new BaseBatchProcessWorker<String>()
|
|
{
|
|
|
|
@Override
|
|
public String getIdentifier(String entry)
|
|
{
|
|
return entry;
|
|
}
|
|
|
|
@Override
|
|
public void process(String authority) throws Throwable
|
|
{
|
|
// Disassociate it from this zone, allowing it to be reclaimed by something further down the chain
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(authority,
|
|
Collections.singleton(zoneId));
|
|
|
|
// For groups, remove all members
|
|
if (AuthorityType.getAuthorityType(authority) != AuthorityType.USER)
|
|
{
|
|
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(authority);
|
|
String groupDisplayName = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAuthorityDisplayName(authority);
|
|
NodeDescription dummy = new NodeDescription(groupShortName + " (Deleted)");
|
|
PropertyMap dummyProperties = dummy.getProperties();
|
|
dummyProperties.put(ContentModel.PROP_AUTHORITY_NAME, authority);
|
|
if (groupDisplayName != null)
|
|
{
|
|
dummyProperties.put(ContentModel.PROP_AUTHORITY_DISPLAY_NAME, groupDisplayName);
|
|
}
|
|
updateGroup(dummy, true);
|
|
}
|
|
}
|
|
}, splitTxns);
|
|
|
|
}
|
|
}
|
|
|
|
// Prune the group associations now that we have complete information
|
|
this.groupParentAssocsToCreate.keySet().retainAll(allZoneGroups);
|
|
logRetainParentAssociations(this.groupParentAssocsToCreate, allZoneGroups);
|
|
this.finalGroupChildAssocs.keySet().retainAll(allZoneGroups);
|
|
|
|
// Pruning person associations will have to wait until we have passed over all persons and built up
|
|
// this set
|
|
this.allZonePersons = allZonePersons;
|
|
|
|
if (!this.groupParentAssocsToDelete.isEmpty())
|
|
{
|
|
// Create/update the groups and delete parent associations to be deleted
|
|
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
|
|
zone + " Group Creation and Association Deletion",
|
|
ChainingUserRegistrySynchronizer.this.transactionService.getRetryingTransactionHelper(),
|
|
this.groupParentAssocsToDelete.entrySet(),
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
|
|
{
|
|
public String getIdentifier(Map.Entry<String, Set<String>> entry)
|
|
{
|
|
return entry.getKey() + " " + entry.getValue();
|
|
}
|
|
|
|
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
|
|
{
|
|
String child = entry.getKey();
|
|
|
|
String groupDisplayName = Analyzer.this.groupsToCreate.get(child);
|
|
if (groupDisplayName != null)
|
|
{
|
|
String groupShortName = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(child);
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Creating group '"
|
|
+ groupShortName + "'");
|
|
}
|
|
// create the group
|
|
ChainingUserRegistrySynchronizer.this.authorityService.createAuthority(
|
|
AuthorityType.getAuthorityType(child), groupShortName, groupDisplayName,
|
|
zoneSet);
|
|
}
|
|
else
|
|
{
|
|
// Maintain association deletions now. The creations will have to be done later once
|
|
// we have performed all the deletions in order to avoid creating cycles
|
|
maintainAssociationDeletions(child);
|
|
}
|
|
}
|
|
}, splitTxns);
|
|
}
|
|
}
|
|
}
|
|
|
|
public void finalizeAssociations(UserRegistry userRegistry, boolean splitTxns)
|
|
{
|
|
// First validate the group associations to be created for potential cycles. Remove any offending association
|
|
validateGroupParentAssocsToCreate();
|
|
|
|
// Now go ahead and create the group associations
|
|
if (!this.groupParentAssocsToCreate.isEmpty())
|
|
{
|
|
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
|
|
zone + " Group Association Creation", ChainingUserRegistrySynchronizer.this.transactionService
|
|
.getRetryingTransactionHelper(), this.groupParentAssocsToCreate.entrySet(),
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
|
|
{
|
|
public String getIdentifier(Map.Entry<String, Set<String>> entry)
|
|
{
|
|
return entry.getKey() + " " + entry.getValue();
|
|
}
|
|
|
|
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
|
|
{
|
|
maintainAssociationCreations(entry.getKey());
|
|
}
|
|
}, splitTxns);
|
|
}
|
|
|
|
// Remove all the associations we have already dealt with
|
|
this.personParentAssocsToDelete.keySet().removeAll(this.personsProcessed);
|
|
|
|
// Filter out associations to authorities that simply can't exist (and log if debugging is enabled)
|
|
logRetainParentAssociations(this.personParentAssocsToCreate, this.allZonePersons);
|
|
|
|
// Update associations to persons not updated themselves
|
|
if (!this.personParentAssocsToDelete.isEmpty())
|
|
{
|
|
BatchProcessor<Map.Entry<String, Set<String>>> groupCreator = new BatchProcessor<Map.Entry<String, Set<String>>>(
|
|
zone + " Person Association", ChainingUserRegistrySynchronizer.this.transactionService
|
|
.getRetryingTransactionHelper(), this.personParentAssocsToDelete.entrySet(),
|
|
ChainingUserRegistrySynchronizer.this.workerThreads, 20,
|
|
ChainingUserRegistrySynchronizer.this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger,
|
|
ChainingUserRegistrySynchronizer.this.loggingInterval);
|
|
groupCreator.process(new BaseBatchProcessWorker<Map.Entry<String, Set<String>>>()
|
|
{
|
|
public String getIdentifier(Map.Entry<String, Set<String>> entry)
|
|
{
|
|
return entry.getKey() + " " + entry.getValue();
|
|
}
|
|
|
|
public void process(Map.Entry<String, Set<String>> entry) throws Throwable
|
|
{
|
|
maintainAssociationDeletions(entry.getKey());
|
|
maintainAssociationCreations(entry.getKey());
|
|
}
|
|
}, splitTxns);
|
|
}
|
|
}
|
|
|
|
private void maintainAssociationDeletions(String authorityName)
|
|
{
|
|
boolean isPerson = AuthorityType.getAuthorityType(authorityName) == AuthorityType.USER;
|
|
Set<String> parentsToDelete = isPerson ? this.personParentAssocsToDelete.get(authorityName)
|
|
: this.groupParentAssocsToDelete.get(authorityName);
|
|
if (parentsToDelete != null && !parentsToDelete.isEmpty())
|
|
{
|
|
for (String parent : parentsToDelete)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.debug("Removing '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(authorityName)
|
|
+ "' from group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(parent) + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthority(parent, authorityName);
|
|
}
|
|
}
|
|
|
|
|
|
}
|
|
|
|
private void maintainAssociationCreations(String authorityName)
|
|
{
|
|
boolean isPerson = AuthorityType.getAuthorityType(authorityName) == AuthorityType.USER;
|
|
Set<String> parents = isPerson ? this.personParentAssocsToCreate.get(authorityName)
|
|
: this.groupParentAssocsToCreate.get(authorityName);
|
|
if (parents != null && !parents.isEmpty())
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
for (String groupName : parents)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Adding '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getShortName(authorityName) + "' to group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(groupName)
|
|
+ "'");
|
|
}
|
|
}
|
|
try
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthority(parents, authorityName);
|
|
}
|
|
catch (UnknownAuthorityException e)
|
|
{
|
|
// Let's force a transaction retry if a parent doesn't exist. It may be because we are
|
|
// waiting for another worker thread to create it
|
|
throw new ConcurrencyFailureException("Forcing batch retry for unknown authority", e);
|
|
}
|
|
catch (InvalidNodeRefException e)
|
|
{
|
|
// Another thread may have written the node, but it is not visible to this transaction
|
|
// See: ALF-5471: 'authorityMigration' patch can report 'Node does not exist'
|
|
throw new ConcurrencyFailureException("Forcing batch retry for invalid node", e);
|
|
}
|
|
}
|
|
// Remember that this person's associations have been maintained
|
|
if (isPerson)
|
|
{
|
|
synchronized (this)
|
|
{
|
|
this.personsProcessed.add(authorityName);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
final Analyzer groupAnalyzer = new Analyzer(lastModifiedMillis);
|
|
int groupProcessedCount = groupProcessor.process(groupAnalyzer, splitTxns);
|
|
|
|
groupAnalyzer.processGroups(userRegistry, isFullSync, splitTxns);
|
|
|
|
// Process persons and their parent associations
|
|
|
|
lastModifiedMillis = forceUpdate ? -1 : getMostRecentUpdateTime(
|
|
ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId, splitTxns);
|
|
lastModified = lastModifiedMillis == -1 ? null : new Date(lastModifiedMillis);
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
if (lastModified == null)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving all users from user registry '" + zone + "'");
|
|
}
|
|
else
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Retrieving users changed since "
|
|
+ DateFormat.getDateTimeInstance().format(lastModified) + " from user registry '" + zone + "'");
|
|
}
|
|
}
|
|
final BatchProcessor<NodeDescription> personProcessor = new BatchProcessor<NodeDescription>(zone
|
|
+ " User Creation and Association", this.transactionService.getRetryingTransactionHelper(),
|
|
userRegistry.getPersons(lastModified), this.workerThreads, 10, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class PersonWorker extends BaseBatchProcessWorker<NodeDescription>
|
|
{
|
|
private long latestTime;
|
|
|
|
public PersonWorker(final long latestTime)
|
|
{
|
|
this.latestTime = latestTime;
|
|
}
|
|
|
|
public long getLatestTime()
|
|
{
|
|
return this.latestTime;
|
|
}
|
|
|
|
public String getIdentifier(NodeDescription entry)
|
|
{
|
|
return entry.getSourceId();
|
|
}
|
|
|
|
public void process(NodeDescription person) throws Throwable
|
|
{
|
|
// Make a mutable copy of the person properties, since they get written back to by person service
|
|
HashMap<QName, Serializable> personProperties = new HashMap<QName, Serializable>(person.getProperties());
|
|
String personName = (String) personProperties.get(ContentModel.PROP_USERNAME);
|
|
Set<String> zones = ChainingUserRegistrySynchronizer.this.authorityService
|
|
.getAuthorityZones(personName);
|
|
if (zones == null)
|
|
{
|
|
// The person did not exist at all
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Creating user '" + personName + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
|
|
}
|
|
else if (zones.contains(zoneId))
|
|
{
|
|
// The person already existed in this zone: update the person
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Updating user '" + personName + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
|
|
personProperties, false);
|
|
}
|
|
else
|
|
{
|
|
// Check whether the user is in any of the authentication chain zones
|
|
Set<String> intersection = new TreeSet<String>(zones);
|
|
intersection.retainAll(allZoneIds);
|
|
// Check whether the user is in any of the higher priority authentication chain zones
|
|
Set<String> visited = new TreeSet<String>(intersection);
|
|
visited.retainAll(visitedZoneIds);
|
|
if (visited.size() > 0)
|
|
{
|
|
// A person that exists in a different zone with higher precedence - ignore
|
|
return;
|
|
}
|
|
|
|
else if (!allowDeletions || intersection.isEmpty())
|
|
{
|
|
// The person exists, but in a different zone. Either deletions are disallowed or the zone is
|
|
// not in the authentication chain. May be due to upgrade or zone changes. Let's re-zone them
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Updating user '" + personName
|
|
+ "'. This user will in future be assumed to originate from user registry '" + zone
|
|
+ "'.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.removeAuthorityFromZones(personName,
|
|
zones);
|
|
ChainingUserRegistrySynchronizer.this.authorityService.addAuthorityToZones(personName, zoneSet);
|
|
ChainingUserRegistrySynchronizer.this.personService.setPersonProperties(personName,
|
|
personProperties, false);
|
|
}
|
|
else
|
|
{
|
|
// The person existed, but in a zone with lower precedence
|
|
if (ChainingUserRegistrySynchronizer.logger.isWarnEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger
|
|
.warn("Recreating occluded user '"
|
|
+ personName
|
|
+ "'. This user was previously created through synchronization with a lower priority user registry.");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.deletePerson(personName);
|
|
ChainingUserRegistrySynchronizer.this.personService.createPerson(personProperties, zoneSet);
|
|
}
|
|
}
|
|
|
|
// Maintain association deletions and creations in one shot (safe to do this with persons as we can't
|
|
// create cycles)
|
|
groupAnalyzer.maintainAssociationDeletions(personName);
|
|
groupAnalyzer.maintainAssociationCreations(personName);
|
|
|
|
synchronized (this)
|
|
{
|
|
// Maintain the last modified date
|
|
Date personLastModified = person.getLastModified();
|
|
if (personLastModified != null)
|
|
{
|
|
this.latestTime = Math.max(this.latestTime, personLastModified.getTime());
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
PersonWorker persons = new PersonWorker(lastModifiedMillis);
|
|
int personProcessedCount = personProcessor.process(persons, splitTxns);
|
|
|
|
// Process those associations to persons who themselves have not been updated
|
|
groupAnalyzer.finalizeAssociations(userRegistry, splitTxns);
|
|
|
|
// Only now that the whole tree has been processed is it safe to persist the last modified dates
|
|
long latestTime = groupAnalyzer.getLatestTime();
|
|
if (latestTime != -1)
|
|
{
|
|
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.GROUP_LAST_MODIFIED_ATTRIBUTE, zoneId, latestTime,
|
|
splitTxns);
|
|
}
|
|
latestTime = persons.getLatestTime();
|
|
if (latestTime != -1)
|
|
{
|
|
setMostRecentUpdateTime(ChainingUserRegistrySynchronizer.PERSON_LAST_MODIFIED_ATTRIBUTE, zoneId,
|
|
latestTime, splitTxns);
|
|
}
|
|
|
|
// Delete authorities if we have complete information for the zone
|
|
Set<String> deletionCandidates = groupAnalyzer.getDeletionCandidates();
|
|
if (isFullSync && allowDeletions && !deletionCandidates.isEmpty())
|
|
{
|
|
BatchProcessor<String> authorityDeletionProcessor = new BatchProcessor<String>(
|
|
zone + " Authority Deletion", this.transactionService.getRetryingTransactionHelper(),
|
|
deletionCandidates, this.workerThreads, 10, this.applicationEventPublisher,
|
|
ChainingUserRegistrySynchronizer.logger, this.loggingInterval);
|
|
class AuthorityDeleter extends BaseBatchProcessWorker<String>
|
|
{
|
|
private int personProcessedCount;
|
|
private int groupProcessedCount;
|
|
|
|
public int getPersonProcessedCount()
|
|
{
|
|
return this.personProcessedCount;
|
|
}
|
|
|
|
public int getGroupProcessedCount()
|
|
{
|
|
return this.groupProcessedCount;
|
|
}
|
|
|
|
public String getIdentifier(String entry)
|
|
{
|
|
return entry;
|
|
}
|
|
|
|
public void process(String authority) throws Throwable
|
|
{
|
|
if (AuthorityType.getAuthorityType(authority) == AuthorityType.USER)
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Deleting user '" + authority + "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.personService.deletePerson(authority);
|
|
synchronized (this)
|
|
{
|
|
this.personProcessedCount++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (ChainingUserRegistrySynchronizer.logger.isDebugEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.debug("Deleting group '"
|
|
+ ChainingUserRegistrySynchronizer.this.authorityService.getShortName(authority)
|
|
+ "'");
|
|
}
|
|
ChainingUserRegistrySynchronizer.this.authorityService.deleteAuthority(authority);
|
|
synchronized (this)
|
|
{
|
|
this.groupProcessedCount++;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
AuthorityDeleter authorityDeleter = new AuthorityDeleter();
|
|
authorityDeletionProcessor.process(authorityDeleter, splitTxns);
|
|
groupProcessedCount += authorityDeleter.getGroupProcessedCount();
|
|
personProcessedCount += authorityDeleter.getPersonProcessedCount();
|
|
}
|
|
|
|
// Remember we have visited this zone
|
|
visitedZoneIds.add(zoneId);
|
|
|
|
if (ChainingUserRegistrySynchronizer.logger.isInfoEnabled())
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.info("Finished synchronizing users and groups with user registry '"
|
|
+ zone + "'");
|
|
ChainingUserRegistrySynchronizer.logger.info(personProcessedCount + " user(s) and " + groupProcessedCount
|
|
+ " group(s) processed");
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Gets the persisted most recent update time for a label and zone.
|
|
*
|
|
* @param label
|
|
* the label
|
|
* @param zoneId
|
|
* the zone id
|
|
* @return the most recent update time in milliseconds
|
|
*/
|
|
private long getMostRecentUpdateTime(final String label, final String zoneId, boolean splitTxns)
|
|
{
|
|
return this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionCallback<Long>()
|
|
{
|
|
public Long execute() throws Throwable
|
|
{
|
|
Long updateTime = (Long) ChainingUserRegistrySynchronizer.this.attributeService.getAttribute(
|
|
ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH, label, zoneId);
|
|
return updateTime == null ? -1 : updateTime;
|
|
}
|
|
}, true, splitTxns);
|
|
}
|
|
|
|
/**
|
|
* Persists the most recent update time for a label and zone.
|
|
*
|
|
* @param label
|
|
* the label
|
|
* @param zoneId
|
|
* the zone id
|
|
* @param lastModifiedMillis
|
|
* the update time in milliseconds
|
|
* @param splitTxns
|
|
* Can the modifications to Alfresco be split across multiple transactions for maximum performance? If
|
|
* <code>true</code>, the attribute is persisted in a new transaction for increased performance and
|
|
* reliability.
|
|
*/
|
|
private void setMostRecentUpdateTime(final String label, final String zoneId, final long lastModifiedMillis,
|
|
boolean splitTxns)
|
|
{
|
|
this.transactionService.getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionHelper.RetryingTransactionCallback<Object>()
|
|
{
|
|
public Object execute() throws Throwable
|
|
{
|
|
ChainingUserRegistrySynchronizer.this.attributeService.setAttribute(Long
|
|
.valueOf(lastModifiedMillis), ChainingUserRegistrySynchronizer.ROOT_ATTRIBUTE_PATH,
|
|
label, zoneId);
|
|
return null;
|
|
}
|
|
}, false, splitTxns);
|
|
}
|
|
|
|
/**
|
|
* Gets the default set of zones to set on a person or group belonging to the user registry with the given zone ID.
|
|
* We add the default zone as well as the zone corresponding to the user registry so that the users and groups are
|
|
* visible in the UI.
|
|
*
|
|
* @param zoneId
|
|
* the zone id
|
|
* @return the zone set
|
|
*/
|
|
private Set<String> getZones(String zoneId)
|
|
{
|
|
Set<String> zones = new HashSet<String>(5);
|
|
zones.add(AuthorityService.ZONE_APP_DEFAULT);
|
|
zones.add(zoneId);
|
|
return zones;
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onBootstrap(org.springframework.context.
|
|
* ApplicationEvent)
|
|
*/
|
|
@Override
|
|
protected void onBootstrap(ApplicationEvent event)
|
|
{
|
|
// Do an initial differential sync on startup, using transaction splitting. This ensures that on the very
|
|
// first startup, we don't have to wait for a very long login operation to trigger the first sync!
|
|
if (this.syncOnStartup)
|
|
{
|
|
AuthenticationUtil.runAs(new RunAsWork<Object>()
|
|
{
|
|
public Object doWork() throws Exception
|
|
{
|
|
try
|
|
{
|
|
synchronize(false, false, true);
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
ChainingUserRegistrySynchronizer.logger.warn("Failed initial synchronize with user registries",
|
|
e);
|
|
}
|
|
return null;
|
|
}
|
|
}, AuthenticationUtil.getSystemUserName());
|
|
}
|
|
}
|
|
|
|
/*
|
|
* (non-Javadoc)
|
|
* @seeorg.springframework.extensions.surf.util.AbstractLifecycleBean#onShutdown(org.springframework.context.
|
|
* ApplicationEvent)
|
|
*/
|
|
@Override
|
|
protected void onShutdown(ApplicationEvent event)
|
|
{
|
|
}
|
|
|
|
protected abstract class BaseBatchProcessWorker <T> implements BatchProcessWorker<T>
|
|
{
|
|
public final void beforeProcess() throws Throwable
|
|
{
|
|
// Disable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.disableRules();
|
|
// Authentication
|
|
AuthenticationUtil.setRunAsUser(AuthenticationUtil.getSystemUserName());
|
|
}
|
|
|
|
public final void afterProcess() throws Throwable
|
|
{
|
|
// Enable rules
|
|
ChainingUserRegistrySynchronizer.this.ruleService.enableRules();
|
|
// Clear authentication
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
}
|
|
}
|