Clear REST user cache when invalidating user cache by LJW21-02 · Pull Request #17250 · apache/iotdb
This pull request introduces a mechanism to clear cached user authentication data in the REST external service when a user's permissions are invalidated, ensuring that permission changes take effect immediately across all service endpoints. It also improves configuration file resolution by considering an additional environment variable. The most important changes are grouped below:
User Cache Invalidation Integration:
- Added a new static method `clearUserCache(String userName)` to `RestService` to allow clearing a specific user's cache from outside the REST service.
- Implemented `clearUserCache(String userName)` in `UserCache` to remove cached entries for the specified user.
- Modified `AuthorityChecker.invalidateCache` to invoke REST user cache invalidation by dynamically locating and calling the `clearUserCache` method via reflection, if the REST service is running. This ensures that user permission changes are immediately reflected in the REST service.
- Added logging and error handling for the dynamic invocation of the cache clearing method in `AuthorityChecker`.
Configuration Resolution Enhancement:
Pull request overview
This PR wires user/role permission cache invalidation into the external-service subsystem so that running external services (notably REST) can clear per-user authentication caches when permissions change.
Changes:
- Adds a `clearUserCache(String userName)` hook to the external service API (`IExternalService`) and implements it in REST (no-op in MQTT).
- Introduces `ExternalServiceManagementService.clearServiceUserCache(...)` and calls it from `AuthorityChecker.invalidateCache(...)`.
- Adds username-based eviction support to the REST `UserCache`.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/externalservice/ExternalServiceManagementService.java | Adds a method to propagate per-user cache clearing to running external services. |
| iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java | Triggers external-service user cache clearing during auth cache invalidation. |
| iotdb-api/external-service-api/src/main/java/org/apache/iotdb/externalservice/api/IExternalService.java | Extends the external service API with a per-user cache clearing method. |
| external-service-impl/rest/src/main/java/org/apache/iotdb/rest/protocol/filter/UserCache.java | Adds logic to evict cached REST auth entries for a given username. |
| external-service-impl/rest/src/main/java/org/apache/iotdb/rest/RestService.java | Implements the new external-service cache clearing hook for REST. |
| external-service-impl/mqtt/src/main/java/org/apache/iotdb/mqtt/MQTTService.java | Implements the new API method as a no-op for MQTT. |
Comments suppressed due to low confidence (1)
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java:135
- PR description mentions invoking REST cache invalidation via reflection and updating `IoTDBRestServiceDescriptor` to consider `CONFIGNODE_HOME`, but the current changes call `ExternalServiceManagementService` directly and `IoTDBRestServiceDescriptor` does not appear to reference `CONFIGNODE_HOME`. Please update the PR description (or include the missing code changes) so reviewers/operators have an accurate picture of what is being shipped.
public static boolean invalidateCache(String username, String roleName) {
PipeInsertionDataNodeListener.getInstance().invalidateAllCache();
ExternalServiceManagementService.getInstance().clearServiceUserCache(username);
return authorityFetcher.get().getAuthorCache().invalidateCache(username, roleName);
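Review bot: `clearServiceUserCache(username)` is called unguarded ahead of the `return`, so an exception thrown by any running external service would propagate before `getAuthorCache().invalidateCache(username, roleName)` executes and would leave the authoritative cache stale. Consider catching and logging failures around that call, or invalidating the author cache first and clearing the external-service caches afterwards. The call also forwards only `username` although `invalidateCache` takes a `roleName` as well: please document what external services are expected to evict when the invalidation is for a role, and how `clearServiceUserCache` behaves if `username` can be null here.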
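The username-based eviction described in the review overview, shown as an added example that is not code from this PR or from IoTDB: `RestAuthCacheDemo`, `CachedUser` and the keying of entries by the Authorization header value are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for a REST auth cache; not IoTDB's UserCache. */
public class RestAuthCacheDemo {
  /** Constructed cache value: the identity and privilege resolved at login time. */
  static final class CachedUser {
    final String userName;
    final boolean canWrite;
    CachedUser(String userName, boolean canWrite) {
      this.userName = userName;
      this.canWrite = canWrite;
    }
  }

  // Assumption: entries are keyed by the raw Authorization header value,
  // so one user may own more than one entry.
  private final Map<String, CachedUser> byAuthHeader = new ConcurrentHashMap<>();

  void put(String authHeader, CachedUser user) { byAuthHeader.put(authHeader, user); }
  CachedUser get(String authHeader) { return byAuthHeader.get(authHeader); }

  /** Evicts every entry owned by userName and returns the number removed. */
  int clearUserCache(String userName) {
    if (userName == null) return 0; // nothing to match on
    int removed = 0;
    for (Map.Entry<String, CachedUser> e : byAuthHeader.entrySet()) {
      if (userName.equals(e.getValue().userName)
          && byAuthHeader.remove(e.getKey(), e.getValue())) {
        removed++;
      }
    }
    return removed;
  }

  public static void main(String[] args) {
    RestAuthCacheDemo cache = new RestAuthCacheDemo();
    // Constructed header values, not real credentials.
    cache.put("Basic constructed-token-a1", new CachedUser("alice", true));
    cache.put("Basic constructed-token-a2", new CachedUser("alice", true));
    cache.put("Basic constructed-token-b1", new CachedUser("bob", true));
    // Privilege revoked elsewhere: without eviction the stale grant is still served.
    System.out.println("stale canWrite=" + cache.get("Basic constructed-token-a1").canWrite);
    System.out.println("evicted=" + cache.clearUserCache("alice"));
    // A miss forces the filter to authenticate again; other users are untouched.
    System.out.println("alice cached=" + (cache.get("Basic constructed-token-a1") != null));
    System.out.println("bob cached=" + (cache.get("Basic constructed-token-b1") != null));
  }
}
```

Because the key is the credential rather than the user name, eviction has to scan values; the conditional `remove(key, value)` avoids deleting an entry that was replaced concurrently.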