Merge "Add a cache to check_revocation"

This commit is contained in:
Zuul 2024-01-26 17:37:01 +00:00 committed by Gerrit Code Review
commit 44a5474148
2 changed files with 32 additions and 6 deletions


@ -1310,6 +1310,12 @@ class Manager(manager.Manager):
for user_id in user_ids: for user_id in user_ids:
self._persist_revocation_event_for_user(user_id) self._persist_revocation_event_for_user(user_id)
reason_s = (
'Invalidating the token cache because group %(group_id)s '
'has been deleted.' % {'group_id': group_id}
)
notifications.invalidate_token_cache_notification(reason_s)
# Invalidate user role assignments cache region, as it may be caching # Invalidate user role assignments cache region, as it may be caching
# role assignments expanded from the specified group to its users # role assignments expanded from the specified group to its users
assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate() assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
@ -1362,6 +1368,16 @@ class Manager(manager.Manager):
# Invalidate user role assignments cache region, as it may be caching # Invalidate user role assignments cache region, as it may be caching
# role assignments expanded from this group to this user # role assignments expanded from this group to this user
assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate() assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
reason = (
'Invalidating the token cache because user %(user_id)s was '
'removed from group %(group_id)s. Authorization will be '
'calculated and enforced accordingly the next time they '
'authenticate or validate a token.' % {
'user_id': user_id,
'group_id': group_id,
}
)
notifications.invalidate_token_cache_notification(reason)
notifications.Audit.removed_from(self._GROUP, group_id, self._USER, notifications.Audit.removed_from(self._GROUP, group_id, self._USER,
user_id, initiator) user_id, initiator)
@ -1474,6 +1490,13 @@ class Manager(manager.Manager):
notifications.Audit.updated(self._USER, user_id, initiator) notifications.Audit.updated(self._USER, user_id, initiator)
self._persist_revocation_event_for_user(user_id) self._persist_revocation_event_for_user(user_id)
reason_s = (
'Invalidating the token cache because user %(user_id)s changed '
'the password. Authorization will be calculated and enforced '
'accordingly the next time they authenticate or validate a '
'token.' % {'user_id': user_id}
)
notifications.invalidate_token_cache_notification(reason_s)
@MEMOIZE @MEMOIZE
def _shadow_nonlocal_user(self, user): def _shadow_nonlocal_user(self, user):
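Review bot: The three new blocks in this file (group delete, removal from group, password change) each hand-build a reason string and call `notifications.invalidate_token_cache_notification`, and they name the temporary inconsistently (`reason_s` in the first and third hunk, `reason` in the second). A small private helper on the manager, e.g. `def _notify_token_cache_invalidated(self, reason): notifications.invalidate_token_cache_notification(reason)`, or at least one naming convention, would keep the next revocation path from diverging again. Since each of these hunks sits next to a `_persist_revocation_event_for_user` call, a one-line comment such as `# The revocation event alone is not enough: cached revocation checks must be dropped too.` above the notification would record why both calls are required. The enclosing methods start outside each hunk.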


@ -129,12 +129,13 @@ class Manager(manager.Manager):
if CONF.token.cache_on_issue or CONF.token.caching: if CONF.token.cache_on_issue or CONF.token.caching:
TOKENS_REGION.invalidate() TOKENS_REGION.invalidate()
def check_revocation_v3(self, token): @MEMOIZE_TOKENS
token_values = self.revoke_api.model.build_token_values(token) def check_revocation_v3(self, token_values):
PROVIDERS.revoke_api.check_token(token_values) PROVIDERS.revoke_api.check_token(token_values)
def check_revocation(self, token): def check_revocation(self, token):
return self.check_revocation_v3(token) token_values = self.revoke_api.model.build_token_values(token)
return self.check_revocation_v3(token_values)
def validate_token(self, token_id, window_seconds=0, def validate_token(self, token_id, window_seconds=0,
access_rules_support=None): access_rules_support=None):
@ -298,7 +299,7 @@ class Manager(manager.Manager):
return token return token
def invalidate_individual_token_cache(self, token_id): def invalidate_individual_token_cache(self, token):
# NOTE(morganfainberg): invalidate takes the exact same arguments as # NOTE(morganfainberg): invalidate takes the exact same arguments as
# the normal method, this means we need to pass "self" in (which gets # the normal method, this means we need to pass "self" in (which gets
# stripped off). # stripped off).
@ -308,7 +309,9 @@ class Manager(manager.Manager):
# consulted before accepting a token as valid. For now we will # consulted before accepting a token as valid. For now we will
# do the explicit individual token invalidation. # do the explicit individual token invalidation.
self._validate_token.invalidate(self, token_id) self._validate_token.invalidate(self, token.id)
token_values = self.revoke_api.model.build_token_values(token)
self.check_revocation_v3.invalidate(self, token_values)
def revoke_token(self, token_id, revoke_chain=False): def revoke_token(self, token_id, revoke_chain=False):
token = self.validate_token(token_id) token = self.validate_token(token_id)
@ -328,4 +331,4 @@ class Manager(manager.Manager):
# invalidated? We maintain a cached revocation list, which should be # invalidated? We maintain a cached revocation list, which should be
# consulted before accepting a token as valid. For now we will # consulted before accepting a token as valid. For now we will
# do the explicit individual token invalidation. # do the explicit individual token invalidation.
self.invalidate_individual_token_cache(token_id) self.invalidate_individual_token_cache(token)
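Review bot: `@MEMOIZE_TOKENS` on `check_revocation_v3` caches a negative result (the call simply returns when `check_token` does not raise), so any revocation event persisted without a matching cache invalidation leaves an already-checked token passing `check_revocation` until the entry expires; a comment above the decorator should state this invariant, e.g. `# NOTE: memoizes a negative revocation check; every new revocation event must invalidate TOKENS_REGION or this entry.`. The commit adds per-token invalidation in `invalidate_individual_token_cache` and token-cache notifications in the identity manager, but other callers of `_persist_revocation_event_for_user` are not visible here, so confirm each of them also reaches `TOKENS_REGION.invalidate()` and that `MEMOIZE_TOKENS` is backed by that region. The per-token invalidation only works if `build_token_values(token)` yields an identical cache key on the validate and invalidate paths, and it does not cover other tokens a `revoke_chain=True` revocation affects, which presumably depend on the region-wide invalidation. `invalidate_individual_token_cache` also changes its public parameter from `token_id` to `token`; any caller outside this file still passing an id would now fail on `token.id`. `revoke_token` starts in the previous hunk and its body is only partly shown.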