[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is the graph cache thread-safe ?

On 07/12/2013 05:41 AM, Emmanuel LÃcharny wrote:

Hi Shawn,

yesterday, while stepping the code, I saw that we are using a cache to
handle the hierarchical relationship between roles. I'm afraid that the
'graph' object used to cache those elements is not thread-safe : we
protect it against concurrent modificatins, but that's not enough, as we
should also protect the graph against concurrent access. You may have
corner cases where one thread could fetch some data from this cache
while at the same time another thread is modifying the cache.

I'm just saying that from the code I have read yesterday in the train,
so I'm not 100% sure that this part of the code is at risk. I will
probably do some more investigation, but I'd like to know what are your
thoughts about it.

Thanks !
Emmanuel, share your concern. Ehcache is used to store the graphing object(s) which perhaps mitigates our risk to the corner case? If you want to see where all caching is being applied within fortress, check out the ehcache.xml: 

<?xml version="1.0" encoding="UTF-8"?>

<!--
Fortress CacheManager Configuration
==========================
This ehcache.xml corresponds to a single CacheManager.
-->
<ehcache name="fortress" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
         xsi:noNamespaceSchemaLocation="ehcache.xsd"
         updateCheck="true" monitoring="autodetect"
         dynamicConfig="true"
        >

    <cacheManagerEventListenerFactory class="" properties=""/>

    <!--
    Default Cache configuration. These settings will be applied to caches
    created programmatically using CacheManager.add(String cacheName).
This element is optional, and using CacheManager.add(String cacheName) when 
    its not present will throw CacheException
The defaultCache has an implicit name "default" which is a reserved cache name. 
    -->
    <defaultCache
           eternal="false"
           overflowToDisk="false"
           timeToIdleSeconds="120"
           timeToLiveSeconds="120"
           diskSpoolBufferSizeMB="30"
           maxElementsOnDisk="10"
           diskPersistent="false"
           diskExpiryThreadIntervalSeconds="120"
           memoryStoreEvictionPolicy="LRU"
           />

    <!--
Thic cache contains password policy entries. It is used to save a read on User password policy edits. There should be one element for every tenant. 
    -->
    <cache name="fortress.policies"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Contains the value OrgUnits for User and Permissions. There should be two elements for every tenant. 
    -->
    <cache name="fortress.ous"
           maxElementsInMemory="2"
           maxElementsOnDisk="2"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Contains the JGraphT hierarchies for RBAC roles. There should be one element for every tenant. 
    -->
    <cache name="fortress.roles"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Contains the JGraphT hierarchies for ARBAC roles. There should be one element for every tenant. 
    -->
    <cache name="fortress.admin.roles"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Contains the JGraphT hierarchies for Perm OUs. There should be one element for every tenant. 
    -->
    <cache name="fortress.pso"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Contains the JGraphT hierarchies for User OUs. There should be one element for every tenant. 
    -->
    <cache name="fortress.uso"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
Searchable cache contains Role<->DSD mapping. This configuration sets a fairly long TTL of 1 hour. 
    -->
    <cache name="fortress.dsd"
           maxElementsInMemory="1000"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="20"
           timeToIdleSeconds="3600"
           timeToLiveSeconds="3600"
           memoryStoreEvictionPolicy="LFU">
           <searchable>
<searchAttribute name="member" expression="value.getMember()"/> 
               <searchAttribute name="name" expression="value.getName()"/>
<searchAttribute name="contextId" expression="value.getContextId()"/> 
           </searchable>
        </cache>

    <!--
        Cache contains Role<->SSD mapping.
    -->
    <cache name="fortress.ssd"
           maxElementsInMemory="1000"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="20"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

</ehcache>


Shawn