authorSpencer T Brody <spencer@10gen.com>2013-10-10 16:56:10 -0400
committerSpencer T Brody <spencer@10gen.com>2013-10-10 18:55:55 -0400
commit49901a5d8ac97a41d72c4f89fd5ba2fb5a8789b8 (patch)
tree3ba4ef95d81bc8eb7dc40e90875abed1c382972f /src/mongo/db
parent9a37b9f48505fb49604c6d9b99f448a18d524969 (diff)
downloadmongo-49901a5d8ac97a41d72c4f89fd5ba2fb5a8789b8.tar.gz
SERVER-9518 Invalidate user cache periodically on mongos
Diffstat (limited to 'src/mongo/db')
-rw-r--r--src/mongo/db/auth/SConscript3
-rw-r--r--src/mongo/db/auth/user_cache_invalidator_job.cpp74
-rw-r--r--src/mongo/db/auth/user_cache_invalidator_job.h38
3 files changed, 114 insertions, 1 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 693009406cc..dfb5e400c9f 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -49,7 +49,8 @@ env.StaticLibrary('authmongod',
env.StaticLibrary('authmongos',
['authz_manager_external_state_s.cpp',
- 'authz_session_external_state_s.cpp'],
+ 'authz_session_external_state_s.cpp',
+ 'user_cache_invalidator_job.cpp'],
LIBDEPS=['authservercommon'])
env.StaticLibrary('authmocks',
diff --git a/src/mongo/db/auth/user_cache_invalidator_job.cpp b/src/mongo/db/auth/user_cache_invalidator_job.cpp
new file mode 100644
index 00000000000..933358815eb
--- /dev/null
+++ b/src/mongo/db/auth/user_cache_invalidator_job.cpp
@@ -0,0 +1,74 @@
+/* Copyright 2012 10gen Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mongo/pch.h"
+
+#include "mongo/db/auth/user_cache_invalidator_job.h"
+
+#include <string>
+
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/client.h"
+#include "mongo/db/server_parameters.h"
+#include "mongo/util/background.h"
+#include "mongo/util/log.h"
+
+namespace mongo {
+namespace {
+
+ int userCacheInvalidationIntervalSecs;
+
+ class ExportedInvalidationIntervalParameter : public ExportedServerParameter<int> {
+ public:
+ ExportedInvalidationIntervalParameter() :
+ ExportedServerParameter(ServerParameterSet::getGlobal(),
+ "userCacheInvalidationIntervalSecs",
+ &userCacheInvalidationIntervalSecs,
+ true,
+ true) {}
+
+ virtual Status validate( const int& potentialNewValue )
+ {
+ if (potentialNewValue < 30) {
+ return Status(ErrorCodes::BadValue,
+ "userCacheInvalidationIntervalSecs must be at least 30");
+ }
+ return Status::OK();
+ }
+ } exportedIntervalParam;
+
+} // namespace
+
+ void UserCacheInvalidator::run() {
+ if (!_authzManager->isAuthEnabled()) {
+ return; // Nothing to do
+ }
+
+ Client::initThread("UserCacheInvalidatorThread");
+ while (true) {
+ sleepsecs(userCacheInvalidationIntervalSecs);
+ if (inShutdown()) {
+ break;
+ }
+ LOG(1) << "Invalidating user cache" << endl;
+ _authzManager->invalidateUserCache();
+ }
+ }
+
+ std::string UserCacheInvalidator::name() const {
+ return "UserCacheInvalidatorThread";
+ }
+
+} // namespace mongo
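Review bot: `userCacheInvalidationIntervalSecs` is declared without an initializer, so as a namespace-scope int it starts at 0, and the `< 30` check in `validate()` only runs when a value is supplied; unless a default is set somewhere outside this diff, `run()` calls `sleepsecs(0)` and invalidates the user cache in a tight loop. Give it an explicit default that satisfies the validator, e.g. `int userCacheInvalidationIntervalSecs = 30;` (illustrative value; use the intended default). The variable is also read by the job thread while the parameter appears to be settable at runtime (the two `true` arguments, presumably the startup/runtime flags), so the read in `run()` is unsynchronized and a new value only takes effect after the current sleep ends. `validate()` has no upper bound, and since this interval determines how long a mongos can keep serving changed or revoked credentials and roles from its cache, a documented maximum would be worth adding.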
diff --git a/src/mongo/db/auth/user_cache_invalidator_job.h b/src/mongo/db/auth/user_cache_invalidator_job.h
new file mode 100644
index 00000000000..23d2367d3d6
--- /dev/null
+++ b/src/mongo/db/auth/user_cache_invalidator_job.h
@@ -0,0 +1,38 @@
+/* Copyright 2013 10gen Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mongo/util/background.h"
+
+#include <string>
+
+namespace mongo {
+
+ class AuthorizationManager;
+
+ // Background job that periodically causes the AuthorizationManager to throw out its in-memory
+ // cache of User objects (which contains the users' credentials, roles, privileges, etc).
+ class UserCacheInvalidator : public BackgroundJob {
+ public:
+ UserCacheInvalidator(AuthorizationManager* authzManager) : _authzManager(authzManager) {}
+
+ protected:
+ virtual std::string name() const;
+ virtual void run();
+
+ private:
+ AuthorizationManager* _authzManager;
+ };
+
+} // namespace mongo
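Review bot: The new header has no include guard or `#pragma once`, so including it twice in one translation unit would redefine `UserCacheInvalidator`; add `#pragma once` after the license comment. The single-argument constructor should be `explicit UserCacheInvalidator(AuthorizationManager* authzManager)` so a raw pointer cannot convert implicitly into a job object. `_authzManager` is stored as a raw pointer and dereferenced in `run()` without a null check, so a comment on the member such as `// Not owned; must be non-null and outlive this job.` would state the lifetime contract the background thread relies on.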