Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reduce the value of ACL TTLs to reduce the test running time #3164

Merged
merged 2 commits into from
Mar 18, 2019
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Reduce the value of ACL TTLs to reduce the test running time
  • Loading branch information
Lucas Wang committed Mar 15, 2019

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit 6196ce31e16c5f5fbaf21735611046e87ec94646
2 changes: 1 addition & 1 deletion compose/compose.go
Original file line number Diff line number Diff line change
@@ -213,7 +213,7 @@ func getAlpha(idx int) Service {
if opts.EnterpriseMode {
svc.Command += " --enterprise_features"
if opts.AclSecret != "" {
svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 10s"
svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 3s --acl_cache_ttl 5s"
svc.Volumes = append(svc.Volumes, Volume{
Type: "bind",
Source: opts.AclSecret,
3 changes: 3 additions & 0 deletions dgraph/cmd/alpha/run.go
Original file line number Diff line number Diff line change
@@ -137,6 +137,8 @@ they form a Raft group and provide synchronous replication.
"Enterprise feature.")
flag.Duration("acl_refresh_ttl", 30*24*time.Hour, "The TTL for the refresh jwt. "+
"Enterprise feature.")
flag.Duration("acl_cache_ttl", 30*time.Second, "The interval to refresh the acl cache. "+
"Enterprise feature.")
flag.Float64P("lru_mb", "l", -1,
"Estimated memory the LRU cache can take. "+
"Actual usage by the process would be more than specified here.")
@@ -459,6 +461,7 @@ func run() {
opts.HmacSecret = hmacSecret
opts.AccessJwtTtl = Alpha.Conf.GetDuration("acl_access_ttl")
opts.RefreshJwtTtl = Alpha.Conf.GetDuration("acl_refresh_ttl")
opts.AclRefreshInterval = Alpha.Conf.GetDuration("acl_cache_ttl")

glog.Info("HMAC secret loaded successfully.")
}
12 changes: 6 additions & 6 deletions dgraph/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -78,7 +78,7 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s

dg2:
image: dgraph/dgraph:latest
@@ -101,7 +101,7 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s

dg3:
image: dgraph/dgraph:latest
@@ -124,7 +124,7 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
dg4:
image: dgraph/dgraph:latest
container_name: bank-dg4
@@ -146,7 +146,7 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
dg5:
image: dgraph/dgraph:latest
container_name: bank-dg5
@@ -168,7 +168,7 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
dg6:
image: dgraph/dgraph:latest
container_name: bank-dg6
@@ -190,4 +190,4 @@ services:
labels:
cluster: test
service: alpha
command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
2 changes: 1 addition & 1 deletion edgraph/access_ee.go
Original file line number Diff line number Diff line change
@@ -288,7 +288,7 @@ func RefreshAcls(closer *y.Closer) {
return
}

ticker := time.NewTicker(30 * time.Second)
ticker := time.NewTicker(Config.AclRefreshInterval)
defer ticker.Stop()

// retrieve the full data set of ACLs from the corresponding alpha server, and update the
7 changes: 4 additions & 3 deletions edgraph/config.go
Original file line number Diff line number Diff line change
@@ -40,9 +40,10 @@ type Options struct {
AuthToken string
AllottedMemory float64

HmacSecret []byte
AccessJwtTtl time.Duration
RefreshJwtTtl time.Duration
HmacSecret []byte
AccessJwtTtl time.Duration
RefreshJwtTtl time.Duration
AclRefreshInterval time.Duration
}

var Config Options
14 changes: 7 additions & 7 deletions ee/acl/acl_curl_test.go
Original file line number Diff line number Diff line change
@@ -75,8 +75,8 @@ func TestCurlAuthorization(t *testing.T) {
// sleep long enough (longer than 10s, the access JWT TTL defined in the docker-compose.yml
// in this directory) for the accessJwt to expire, in order to test auto login through refresh
// JWT
glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
time.Sleep(12 * time.Second)
glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
time.Sleep(4 * time.Second)
verifyCurlCmd(t, queryArgs(), &FailureConfig{
shouldFail: true,
failMsg: "Token is expired",
@@ -101,9 +101,9 @@ func TestCurlAuthorization(t *testing.T) {
})

createGroupAndAcls(t, unusedGroup, false)
// wait for 35 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
// wait for 6 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)
verifyCurlCmd(t, queryArgs(), &FailureConfig{
shouldFail: true,
failMsg: "Token is expired",
@@ -130,8 +130,8 @@ func TestCurlAuthorization(t *testing.T) {
})

createGroupAndAcls(t, devGroup, true)
glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)
// refresh the jwts again
accessJwt, refreshJwt, err = z.HttpLogin(&z.LoginParams{
Endpoint: loginEndpoint,
30 changes: 15 additions & 15 deletions ee/acl/acl_test.go
Original file line number Diff line number Diff line change
@@ -130,9 +130,9 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
mutatePredicateWithUserAccount(t, dg, false)
alterPredicateWithUserAccount(t, dg, false)
createGroupAndAcls(t, unusedGroup, false)
// wait for 35 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
// wait for 6 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)

// now all these operations should fail since there are rules defined on the unusedGroup
queryPredicateWithUserAccount(t, dg, true)
@@ -141,19 +141,19 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
// create the dev group and add the user to it
createGroupAndAcls(t, devGroup, true)

// wait for 35 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
// wait for 6 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)

// now the operations should succeed again through the devGroup
queryPredicateWithUserAccount(t, dg, false)
// sleep long enough (10s per the docker-compose.yml)
// for the accessJwt to expire in order to test auto login through refresh jwt
glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
time.Sleep(12 * time.Second)
glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
time.Sleep(4 * time.Second)
mutatePredicateWithUserAccount(t, dg, false)
glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
time.Sleep(12 * time.Second)
glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
time.Sleep(4 * time.Second)
alterPredicateWithUserAccount(t, dg, false)
}

@@ -348,9 +348,9 @@ func TestPredicateRegex(t *testing.T) {
alterPredicateWithUserAccount(t, dg, false)
createGroupAndAcls(t, unusedGroup, false)

// wait for 35 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
// wait for 6 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)
// the operations should all fail when there is a rule defined, but the current user is not
// allowed
queryPredicateWithUserAccount(t, dg, true)
@@ -398,8 +398,8 @@ func TestPredicateRegex(t *testing.T) {
predRegex, devGroup, string(errOutput))
}

glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
time.Sleep(35 * time.Second)
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)
queryPredicateWithUserAccount(t, dg, false)
mutatePredicateWithUserAccount(t, dg, false)
// the alter operation should still fail since the regex pred does not have the Modify