Add ProjectScopedCache and update ReloadablePlugin

jfreden · jfreden · commit 827ec0e65d7b · 2025-02-27T13:34:04.000+01:00
diff --git a/server/src/main/java/org/elasticsearch/node/NodeConstruction.java b/server/src/main/java/org/elasticsearch/node/NodeConstruction.java
@@ -52,6 +52,7 @@
 import org.elasticsearch.cluster.metadata.MetadataDataStreamsService;
 import org.elasticsearch.cluster.metadata.MetadataIndexTemplateService;
 import org.elasticsearch.cluster.metadata.MetadataUpdateSettingsService;
+import org.elasticsearch.cluster.metadata.ProjectId;
 import org.elasticsearch.cluster.metadata.ProjectMetadata;
 import org.elasticsearch.cluster.metadata.SystemIndexMetadataUpgradeService;
 import org.elasticsearch.cluster.metadata.TemplateUpgradeService;
@@ -1517,12 +1518,26 @@ private CircuitBreakerService createCircuitBreakerService(
      * @return A single ReloadablePlugin that, upon reload, reloads the plugins it wraps
      */
     private static ReloadablePlugin wrapPlugins(List<ReloadablePlugin> reloadablePlugins) {
-        return settings -> {
-            for (ReloadablePlugin plugin : reloadablePlugins) {
-                try {
-                    plugin.reload(settings);
-                } catch (IOException e) {
-                    throw new UncheckedIOException(e);
+        return new ReloadablePlugin() {
+            @Override
+            public void reload(Settings settings) throws Exception {
+                for (ReloadablePlugin plugin : reloadablePlugins) {
+                    try {
+                        plugin.reload(settings);
+                    } catch (IOException e) {
+                        throw new UncheckedIOException(e);
+                    }
+                }
+            }
+
+            @Override
+            public void reload(ProjectId projectId, Settings settings) throws Exception {
+                for (ReloadablePlugin plugin : reloadablePlugins) {
+                    try {
+                        plugin.reload(projectId, settings);
+                    } catch (IOException e) {
+                        throw new UncheckedIOException(e);
+                    }
                 }
             }
         };
diff --git a/server/src/main/java/org/elasticsearch/plugins/ReloadablePlugin.java b/server/src/main/java/org/elasticsearch/plugins/ReloadablePlugin.java
@@ -9,6 +9,7 @@
 
 package org.elasticsearch.plugins;
 
+import org.elasticsearch.cluster.metadata.ProjectId;
 import org.elasticsearch.common.settings.Settings;
 
 /**
@@ -41,4 +42,6 @@ public interface ReloadablePlugin {
      *             if the offending call didn't happen.
      */
     void reload(Settings settings) throws Exception;
+
+    default void reload(ProjectId projectId, Settings settings) throws Exception {}
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java
@@ -61,6 +61,7 @@
 import org.elasticsearch.core.CharArrays;
 import org.elasticsearch.core.CheckedFunction;
 import org.elasticsearch.core.CheckedRunnable;
+import org.elasticsearch.core.FixForMultiProject;
 import org.elasticsearch.core.IOUtils;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.PathUtils;
@@ -418,7 +419,7 @@ public void initClient() throws IOException {
                 .collect(Collectors.toSet());
             assert semanticNodeVersions.isEmpty() == false || serverless;
 
-            testFeatureService = createTestFeatureService(getClusterStateFeatures(adminClient), semanticNodeVersions);
+            testFeatureService = createTestFeatureService(getClusterStateFeatures(adminClient, multiProjectTest()), semanticNodeVersions);
         }
 
         assert testFeatureServiceInitialized();
@@ -1818,6 +1819,11 @@ public final void ensureGreen(RestClient client, String index) throws IOExceptio
         });
     }
 
+    @FixForMultiProject // Remove when cluster state API can be called in multi project mode without the query param
+    protected boolean multiProjectTest() {
+        return false;
+    }
+
     protected static void ensureHealth(Consumer<Request> requestConsumer) throws IOException {
         ensureHealth("", requestConsumer);
     }
@@ -2374,7 +2380,11 @@ public void ensurePeerRecoveryRetentionLeasesRenewedAndSynced(String index) thro
     }
 
     protected static Map<String, Set<String>> getClusterStateFeatures(RestClient adminClient) throws IOException {
-        final Request request = new Request("GET", "_cluster/state");
+        return getClusterStateFeatures(adminClient, false);
+    }
+
+    protected static Map<String, Set<String>> getClusterStateFeatures(RestClient adminClient, boolean multiProject) throws IOException {
+        final Request request = new Request("GET", "_cluster/state" + (multiProject ? "?multi_project=true" : ""));
         request.addParameter("filter_path", "nodes_features");
 
         final Response response = adminClient.performRequest(request);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealm.java
@@ -9,6 +9,7 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.cache.Cache;
 import org.elasticsearch.common.cache.CacheBuilder;
+import org.elasticsearch.common.cache.CacheLoader;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.util.concurrent.ListenableFuture;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -32,25 +33,62 @@
 
 public abstract class CachingUsernamePasswordRealm extends UsernamePasswordRealm implements CachingRealm {
 
-    private final Cache<String, ListenableFuture<CachedResult>> cache;
+    private final UserAuthenticationCache cache;
     private final ThreadPool threadPool;
     private final boolean authenticationEnabled;
-    final Hasher cacheHasher;
+    protected final Hasher credentialHasher;
 
     protected CachingUsernamePasswordRealm(RealmConfig config, ThreadPool threadPool) {
+        this(config, threadPool, buildDefaultCache(config));
+    }
+
+    protected CachingUsernamePasswordRealm(RealmConfig config, ThreadPool threadPool, UserAuthenticationCache cache) {
         super(config);
-        cacheHasher = Hasher.resolve(this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_HASH_ALGO_SETTING));
+        credentialHasher = Hasher.resolve(this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_HASH_ALGO_SETTING));
         this.threadPool = threadPool;
-        final TimeValue ttl = this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING);
+        this.authenticationEnabled = config.getSetting(CachingUsernamePasswordRealmSettings.AUTHC_ENABLED_SETTING);
+        this.cache = cache;
+    }
+
+    private static UserAuthenticationCache buildDefaultCache(RealmConfig config) {
+        final TimeValue ttl = config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_TTL_SETTING);
         if (ttl.getNanos() > 0) {
-            cache = CacheBuilder.<String, ListenableFuture<CachedResult>>builder()
+            final Cache<String, ListenableFuture<CachedResult>> cache = CacheBuilder.<String, ListenableFuture<CachedResult>>builder()
                 .setExpireAfterWrite(ttl)
-                .setMaximumWeight(this.config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_MAX_USERS_SETTING))
+                .setMaximumWeight(config.getSetting(CachingUsernamePasswordRealmSettings.CACHE_MAX_USERS_SETTING))
                 .build();
-        } else {
-            cache = null;
+            return new UserAuthenticationCache() {
+                @Override
+                public void invalidate(String key) {
+                    cache.invalidate(key);
+                }
+
+                @Override
+                public void invalidate(String key, ListenableFuture<CachedResult> value) {
+                    cache.invalidate(key, value);
+                }
+
+                @Override
+                public void invalidateAll() {
+                    cache.invalidateAll();
+                }
+
+                @Override
+                public int count() {
+                    return cache.count();
+                }
+
+                @Override
+                public ListenableFuture<CachedResult> computeIfAbsent(
+                    String key,
+                    CacheLoader<String, ListenableFuture<CachedResult>> loader
+                ) throws ExecutionException {
+                    return cache.computeIfAbsent(key, loader);
+                }
+            };
         }
-        this.authenticationEnabled = config.getSetting(CachingUsernamePasswordRealmSettings.AUTHC_ENABLED_SETTING);
+
+        return null;
     }
 
     @Override
@@ -122,6 +160,7 @@ public final void authenticate(AuthenticationToken authToken, ActionListener<Aut
      * @param listener to be called at completion
      */
     private void authenticateWithCache(UsernamePasswordToken token, ActionListener<AuthenticationResult<User>> listener) {
+        logger.info("AUTH WITH CACHE");
         assert cache != null;
         try {
             final AtomicBoolean authenticationInCache = new AtomicBoolean(true);
@@ -130,6 +169,7 @@ private void authenticateWithCache(UsernamePasswordToken token, ActionListener<A
                 return new ListenableFuture<>();
             });
             if (authenticationInCache.get()) {
+                logger.info("IN CACHE");
                 // there is a cached or an inflight authenticate request
                 listenableCacheEntry.addListener(ActionListener.wrap(cachedResult -> {
                     final boolean credsMatch = cachedResult.verify(token.credentials());
@@ -196,8 +236,10 @@ private void authenticateWithCache(UsernamePasswordToken token, ActionListener<A
                     name(),
                     token.principal()
                 );
+                logger.info("ATTEMPTING AUTH");
                 // attempt authentication against the authentication source
                 doAuthenticate(token, ActionListener.wrap(authResult -> {
+                    logger.info("GOT AUTH RESULT: " + authResult);
                     if (authResult.isAuthenticated() == false) {
                         logger.trace("realm [{}] did not authenticate user [{}] ([{}])", name(), token.principal(), authResult);
                         // a new request should trigger a new authentication
@@ -217,7 +259,9 @@ private void authenticateWithCache(UsernamePasswordToken token, ActionListener<A
                     // notify any forestalled request listeners; they will not reach to the
                     // authentication request and instead will use this result if they contain
                     // the same credentials
-                    listenableCacheEntry.onResponse(new CachedResult(authResult, cacheHasher, authResult.getValue(), token.credentials()));
+                    listenableCacheEntry.onResponse(
+                        new CachedResult(authResult, credentialHasher, authResult.getValue(), token.credentials())
+                    );
                     listener.onResponse(authResult);
                 }, e -> {
                     cache.invalidate(token.principal(), listenableCacheEntry);
@@ -282,7 +326,7 @@ private void lookupWithCache(String username, ActionListener<User> listener) {
             if (false == lookupInCache.get()) {
                 // attempt lookup against the user directory
                 doLookupUser(username, ActionListener.wrap(user -> {
-                    final CachedResult result = new CachedResult(AuthenticationResult.notHandled(), cacheHasher, user, null);
+                    final CachedResult result = new CachedResult(AuthenticationResult.notHandled(), credentialHasher, user, null);
                     if (user == null) {
                         // user not found, invalidate cache so that subsequent requests are forwarded to
                         // the user directory
@@ -311,7 +355,20 @@ private void lookupWithCache(String username, ActionListener<User> listener) {
 
     protected abstract void doLookupUser(String username, ActionListener<User> listener);
 
-    private static class CachedResult {
+    protected interface UserAuthenticationCache {
+        void invalidate(String key);
+
+        void invalidate(String key, ListenableFuture<CachedResult> value);
+
+        void invalidateAll();
+
+        int count();
+
+        ListenableFuture<CachedResult> computeIfAbsent(String key, CacheLoader<String, ListenableFuture<CachedResult>> loader)
+            throws ExecutionException;
+    }
+
+    protected static class CachedResult {
         private final AuthenticationResult<User> authenticationResult;
         private final User user;
         private final char[] hash;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ProjectScopedCache.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ProjectScopedCache.java
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java
