diff --git a/compose/compose.go b/compose/compose.go
index 873a46c0318..5db7d0e6d94 100644
--- a/compose/compose.go
+++ b/compose/compose.go
@@ -213,7 +213,7 @@ func getAlpha(idx int) Service {
 if opts.EnterpriseMode {
 svc.Command += " --enterprise_features"
 if opts.AclSecret != "" {
- svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 10s"
+ svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 3s --acl_cache_ttl 5s"
 svc.Volumes = append(svc.Volumes, Volume{
 Type: "bind",
 Source: opts.AclSecret,
diff --git a/dgraph/cmd/alpha/run.go b/dgraph/cmd/alpha/run.go
index f8316c3c2e5..30c5b9589d6 100644
--- a/dgraph/cmd/alpha/run.go
+++ b/dgraph/cmd/alpha/run.go
@@ -137,6 +137,8 @@ they form a Raft group and provide synchronous replication.
 "Enterprise feature.")
 flag.Duration("acl_refresh_ttl", 30*24*time.Hour, "The TTL for the refresh jwt. "+
 "Enterprise feature.")
+ flag.Duration("acl_cache_ttl", 30*time.Second, "The interval to refresh the acl cache. "+
+ "Enterprise feature.")
 flag.Float64P("lru_mb", "l", -1, "Estimated memory the LRU cache can take. "+
 "Actual usage by the process would be more than specified here.")
@@ -459,6 +461,7 @@ func run() {
 opts.HmacSecret = hmacSecret
 opts.AccessJwtTtl = Alpha.Conf.GetDuration("acl_access_ttl")
 opts.RefreshJwtTtl = Alpha.Conf.GetDuration("acl_refresh_ttl")
+ opts.AclRefreshInterval = Alpha.Conf.GetDuration("acl_cache_ttl")
 glog.Info("HMAC secret loaded successfully.")
 }
diff --git a/dgraph/docker-compose.yml b/dgraph/docker-compose.yml
index 9fd0fa7538b..53e048135f4 100644
--- a/dgraph/docker-compose.yml
+++ b/dgraph/docker-compose.yml
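Review bot: `opts.AclRefreshInterval = Alpha.Conf.GetDuration("acl_cache_ttl")` in the `run()` hunk accepts any duration, and `RefreshAcls` in `edgraph/access_ee.go` hands that field straight to `time.NewTicker`, which panics on a zero or negative interval, so `--acl_cache_ttl 0` would crash the refresh goroutine instead of being rejected at startup. A check next to the assignment, `if opts.AclRefreshInterval <= 0 { glog.Fatalf("acl_cache_ttl must be a positive duration, got %v", opts.AclRefreshInterval) }`, keeps the failure at config-parse time; whether `RefreshAcls` can also run before this block has populated the field I cannot tell from the hunk, and that path would hit the same panic. The help string in the first `run.go` hunk should say what the interval means for revocation, e.g. `"The interval to refresh the acl cache; a permission change can take up to this long to take effect on each alpha. "+`, since raising it lengthens the window in which removed access still works. `run()` continues outside the hunk and the function registering the flags is not visible here.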
@@ -78,7 +78,7 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 dg2:
 image: dgraph/dgraph:latest
@@ -101,7 +101,7 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 dg3:
 image: dgraph/dgraph:latest
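Review bot: The `--acl_access_ttl 3s --acl_cache_ttl 5s` values added to the `dg1` command line only make sense in relation to the 4 s and 6 s sleeps in `ee/acl/acl_test.go` and `ee/acl/acl_curl_test.go`, and nothing in this file records that coupling; the same edit is repeated for `dg2` in this line and for `dg3` through `dg6` in the following hunks. A comment above the first service's command, `# acl_access_ttl/acl_cache_ttl are deliberately short: the ee/acl tests sleep 4s/6s to observe JWT expiry and ACL cache refresh, so change both together`, would stop a later reader from "fixing" the short TTLs and silently breaking those tests. Whether this compose file is the one those tests actually start is not visible from the diff, so the comment should name the cluster it applies to.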
@@ -124,7 +124,7 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 dg4:
 image: dgraph/dgraph:latest
 container_name: bank-dg4
@@ -146,7 +146,7 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 dg5:
 image: dgraph/dgraph:latest
 container_name: bank-dg5
@@ -168,7 +168,7 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 dg6:
 image: dgraph/dgraph:latest
 container_name: bank-dg6
@@ -190,4 +190,4 @@ services:
 labels:
 cluster: test
 service: alpha
- command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+ command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
diff --git a/edgraph/access_ee.go b/edgraph/access_ee.go
index 89f4656fd80..4d79f0811db 100644
--- a/edgraph/access_ee.go
+++ b/edgraph/access_ee.go
@@ -288,7 +288,7 @@ func RefreshAcls(closer *y.Closer) {
 return
 }
- ticker := time.NewTicker(30 * time.Second)
+ ticker := time.NewTicker(Config.AclRefreshInterval)
 defer ticker.Stop()
 // retrieve the full data set of ACLs from the corresponding alpha server, and update the
diff --git a/edgraph/config.go b/edgraph/config.go
index 35d8b235491..2c4c9a3f8f5 100644
--- a/edgraph/config.go
+++ b/edgraph/config.go
@@ -40,9 +40,10 @@ type Options struct {
 AuthToken string
 AllottedMemory float64
- HmacSecret []byte
- AccessJwtTtl time.Duration
- RefreshJwtTtl time.Duration
+ HmacSecret []byte
+ AccessJwtTtl time.Duration
+ RefreshJwtTtl time.Duration
+ AclRefreshInterval time.Duration
 }
 var Config Options
diff --git a/ee/acl/acl_curl_test.go b/ee/acl/acl_curl_test.go
index 954fa5c0393..06ca926f308 100644
--- a/ee/acl/acl_curl_test.go
+++ b/ee/acl/acl_curl_test.go
@@ -75,8 +75,8 @@ func TestCurlAuthorization(t *testing.T) {
 // sleep long enough (longer than 10s, the access JWT TTL defined in the docker-compose.yml
 // in this directory) for the accessJwt to expire, in order to test auto login through refresh
 // JWT
- glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
- time.Sleep(12 * time.Second)
+ glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+ time.Sleep(4 * time.Second)
 verifyCurlCmd(t, queryArgs(), &FailureConfig{
 shouldFail: true,
 failMsg: "Token is expired",
@@ -101,9 +101,9 @@ func TestCurlAuthorization(t *testing.T) {
 })
 createGroupAndAcls(t, unusedGroup, false)
- // wait for 35 seconds to ensure the new acl have reached all acl caches
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ // wait for 6 seconds to ensure the new acl have reached all acl caches
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 verifyCurlCmd(t, queryArgs(), &FailureConfig{
 shouldFail: true,
 failMsg: "Token is expired",
@@ -130,8 +130,8 @@ func TestCurlAuthorization(t *testing.T) {
 })
 createGroupAndAcls(t, devGroup, true)
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 // refresh the jwts again
 accessJwt, refreshJwt, err = z.HttpLogin(&z.LoginParams{
 Endpoint: loginEndpoint,
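Review bot: The context comment directly above the changed sleep in the `TestCurlAuthorization` hunk at line 75 still says `longer than 10s, the access JWT TTL defined in the docker-compose.yml in this directory`, while the new code sleeps 4 s against a 3 s TTL, so the comment now contradicts the line it explains; `ee/acl/acl_test.go` keeps the same stale `(10s per the docker-compose.yml)` wording in its hunk at line 141. I would reword it to `// sleep long enough (longer than 3s, the access JWT TTL configured for the test cluster) for the accessJwt to expire, in order to test auto login through refresh JWT`, and, since the comment points at a compose file in `ee/acl` that this diff does not touch, confirm that the cluster these tests actually start received the new `--acl_access_ttl 3s` as well. A 1 s margin between the 3 s TTL and the 4 s sleep is thin for a test that shells out to curl; if it flakes, the sleep rather than the TTL is the value to raise. The new `AclRefreshInterval` field in the `edgraph/config.go` hunk also deserves a doc comment, e.g. `// AclRefreshInterval is how often each alpha reloads its ACL cache (see RefreshAcls); a revoked permission can stay effective for roughly this long.`, since that is the security-relevant consequence of the setting.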
diff --git a/ee/acl/acl_test.go b/ee/acl/acl_test.go
index d0913c604b4..b9ee1ed408a 100644
--- a/ee/acl/acl_test.go
+++ b/ee/acl/acl_test.go
@@ -130,9 +130,9 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
 mutatePredicateWithUserAccount(t, dg, false)
 alterPredicateWithUserAccount(t, dg, false)
 createGroupAndAcls(t, unusedGroup, false)
- // wait for 35 seconds to ensure the new acl have reached all acl caches
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ // wait for 6 seconds to ensure the new acl have reached all acl caches
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 // now all these operations should fail since there are rules defined on the unusedGroup
 queryPredicateWithUserAccount(t, dg, true)
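Review bot: The `testAuthorization` hunk hard-codes `6 * time.Second` together with a hand-written `"Sleeping for 6 seconds ..."` message, and the identical pair recurs in this file's hunks at lines 141, 356 and 406 and in `ee/acl/acl_curl_test.go`; every copy must stay one tick above the cluster's `--acl_cache_ttl 5s`, which is exactly the kind of dependency that drifts when one copy is edited. A single package-level `const aclCacheRefreshWait = 6 * time.Second` used as `time.Sleep(aclCacheRefreshWait)` with `glog.Infof("Sleeping for %v for acl caches to be refreshed", aclCacheRefreshWait)` would keep the number and the log line in one place, and a comment on the constant can state that it must exceed the alpha's acl_cache_ttl. The same treatment fits the 4 s JWT-expiry sleep. `testAuthorization` starts before this hunk.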
@@ -141,19 +141,19 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
 // create the dev group and add the user to it
 createGroupAndAcls(t, devGroup, true)
- // wait for 35 seconds to ensure the new acl have reached all acl caches
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ // wait for 6 seconds to ensure the new acl have reached all acl caches
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 // now the operations should succeed again through the devGroup
 queryPredicateWithUserAccount(t, dg, false)
 // sleep long enough (10s per the docker-compose.yml)
 // for the accessJwt to expire in order to test auto login through refresh jwt
- glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
- time.Sleep(12 * time.Second)
+ glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+ time.Sleep(4 * time.Second)
 mutatePredicateWithUserAccount(t, dg, false)
- glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
- time.Sleep(12 * time.Second)
+ glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+ time.Sleep(4 * time.Second)
 alterPredicateWithUserAccount(t, dg, false)
 }
@@ -356,9 +356,9 @@ func TestPredicateRegex(t *testing.T) {
 alterPredicateWithUserAccount(t, dg, false)
 createGroupAndAcls(t, unusedGroup, false)
- // wait for 35 seconds to ensure the new acl have reached all acl caches
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ // wait for 6 seconds to ensure the new acl have reached all acl caches
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 // the operations should all fail when there is a rule defined, but the current user is not
 // allowed
 queryPredicateWithUserAccount(t, dg, true)
@@ -406,8 +406,8 @@ func TestPredicateRegex(t *testing.T) {
 predRegex, devGroup, string(errOutput))
 }
- glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
- time.Sleep(35 * time.Second)
+ glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+ time.Sleep(6 * time.Second)
 queryPredicateWithUserAccount(t, dg, false)
 mutatePredicateWithUserAccount(t, dg, false)
 // the alter operation should still fail since the regex pred does not have the Modify