Reduce the value of ACL TTLs to reduce the test running time (hypermo…

…deinc#3164)
dna2fork · Jul 19, 2019 · 902c668 · 902c668
1 parent d5cc490
commit 902c668
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 33 deletions.
diff --git a/compose/compose.go b/compose/compose.go
@@ -213,7 +213,7 @@ func getAlpha(idx int) Service {
 	if opts.EnterpriseMode {
 		svc.Command += " --enterprise_features"
 		if opts.AclSecret != "" {
-			svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 10s"
+			svc.Command += " --acl_secret_file=/secret/hmac --acl_access_ttl 3s --acl_cache_ttl 5s"
 			svc.Volumes = append(svc.Volumes, Volume{
 				Type:     "bind",
 				Source:   opts.AclSecret,

diff --git a/dgraph/cmd/alpha/run.go b/dgraph/cmd/alpha/run.go
@@ -137,6 +137,8 @@ they form a Raft group and provide synchronous replication.
 		"Enterprise feature.")
 	flag.Duration("acl_refresh_ttl", 30*24*time.Hour, "The TTL for the refresh jwt. "+
 		"Enterprise feature.")
+	flag.Duration("acl_cache_ttl", 30*time.Second, "The interval to refresh the acl cache. "+
+		"Enterprise feature.")
 	flag.Float64P("lru_mb", "l", -1,
 		"Estimated memory the LRU cache can take. "+
 			"Actual usage by the process would be more than specified here.")
@@ -459,6 +461,7 @@ func run() {
 		opts.HmacSecret = hmacSecret
 		opts.AccessJwtTtl = Alpha.Conf.GetDuration("acl_access_ttl")
 		opts.RefreshJwtTtl = Alpha.Conf.GetDuration("acl_refresh_ttl")
+		opts.AclRefreshInterval = Alpha.Conf.GetDuration("acl_cache_ttl")
 
 		glog.Info("HMAC secret loaded successfully.")
 	}

diff --git a/dgraph/docker-compose.yml b/dgraph/docker-compose.yml
@@ -78,7 +78,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 
   dg2:
     image: dgraph/dgraph:latest
@@ -101,7 +101,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
 
   dg3:
     image: dgraph/dgraph:latest
@@ -124,7 +124,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
   dg4:
     image: dgraph/dgraph:latest
     container_name: bank-dg4
@@ -146,7 +146,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg4:7184 --lru_mb=1024 --zero=zero1:5080 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
   dg5:
     image: dgraph/dgraph:latest
     container_name: bank-dg5
@@ -168,7 +168,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg5:7185 --lru_mb=1024 --zero=zero1:5080 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
   dg6:
     image: dgraph/dgraph:latest
     container_name: bank-dg6
@@ -190,4 +190,4 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
+    command: /gobin/dgraph alpha --my=dg6:7186 --lru_mb=1024 --zero=zero1:5080 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 3s --acl_cache_ttl 5s
diff --git a/edgraph/access_ee.go b/edgraph/access_ee.go
@@ -288,7 +288,7 @@ func RefreshAcls(closer *y.Closer) {
 		return
 	}
 
-	ticker := time.NewTicker(30 * time.Second)
+	ticker := time.NewTicker(Config.AclRefreshInterval)
 	defer ticker.Stop()
 
 	// retrieve the full data set of ACLs from the corresponding alpha server, and update the

diff --git a/edgraph/config.go b/edgraph/config.go
@@ -40,9 +40,10 @@ type Options struct {
 	AuthToken      string
 	AllottedMemory float64
 
-	HmacSecret    []byte
-	AccessJwtTtl  time.Duration
-	RefreshJwtTtl time.Duration
+	HmacSecret         []byte
+	AccessJwtTtl       time.Duration
+	RefreshJwtTtl      time.Duration
+	AclRefreshInterval time.Duration
 }
 
 var Config Options

diff --git a/ee/acl/acl_curl_test.go b/ee/acl/acl_curl_test.go
@@ -75,8 +75,8 @@ func TestCurlAuthorization(t *testing.T) {
 	// sleep long enough (longer than 10s, the access JWT TTL defined in the docker-compose.yml
 	// in this directory) for the accessJwt to expire, in order to test auto login through refresh
 	// JWT
-	glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
-	time.Sleep(12 * time.Second)
+	glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+	time.Sleep(4 * time.Second)
 	verifyCurlCmd(t, queryArgs(), &FailureConfig{
 		shouldFail: true,
 		failMsg:    "Token is expired",
@@ -101,9 +101,9 @@ func TestCurlAuthorization(t *testing.T) {
 	})
 
 	createGroupAndAcls(t, unusedGroup, false)
-	// wait for 35 seconds to ensure the new acl have reached all acl caches
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	// wait for 6 seconds to ensure the new acl have reached all acl caches
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 	verifyCurlCmd(t, queryArgs(), &FailureConfig{
 		shouldFail: true,
 		failMsg:    "Token is expired",
@@ -130,8 +130,8 @@ func TestCurlAuthorization(t *testing.T) {
 	})
 
 	createGroupAndAcls(t, devGroup, true)
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 	// refresh the jwts again
 	accessJwt, refreshJwt, err = z.HttpLogin(&z.LoginParams{
 		Endpoint:   loginEndpoint,

diff --git a/ee/acl/acl_test.go b/ee/acl/acl_test.go
@@ -130,9 +130,9 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
 	mutatePredicateWithUserAccount(t, dg, false)
 	alterPredicateWithUserAccount(t, dg, false)
 	createGroupAndAcls(t, unusedGroup, false)
-	// wait for 35 seconds to ensure the new acl have reached all acl caches
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	// wait for 6 seconds to ensure the new acl have reached all acl caches
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 
 	// now all these operations should fail since there are rules defined on the unusedGroup
 	queryPredicateWithUserAccount(t, dg, true)
@@ -141,19 +141,19 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
 	// create the dev group and add the user to it
 	createGroupAndAcls(t, devGroup, true)
 
-	// wait for 35 seconds to ensure the new acl have reached all acl caches
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	// wait for 6 seconds to ensure the new acl have reached all acl caches
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 
 	// now the operations should succeed again through the devGroup
 	queryPredicateWithUserAccount(t, dg, false)
 	// sleep long enough (10s per the docker-compose.yml)
 	// for the accessJwt to expire in order to test auto login through refresh jwt
-	glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
-	time.Sleep(12 * time.Second)
+	glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+	time.Sleep(4 * time.Second)
 	mutatePredicateWithUserAccount(t, dg, false)
-	glog.Infof("Sleeping for 12 seconds for accessJwt to expire")
-	time.Sleep(12 * time.Second)
+	glog.Infof("Sleeping for 4 seconds for accessJwt to expire")
+	time.Sleep(4 * time.Second)
 	alterPredicateWithUserAccount(t, dg, false)
 }
 
@@ -356,9 +356,9 @@ func TestPredicateRegex(t *testing.T) {
 	alterPredicateWithUserAccount(t, dg, false)
 	createGroupAndAcls(t, unusedGroup, false)
 
-	// wait for 35 seconds to ensure the new acl have reached all acl caches
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	// wait for 6 seconds to ensure the new acl have reached all acl caches
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 	// the operations should all fail when there is a rule defined, but the current user is not
 	// allowed
 	queryPredicateWithUserAccount(t, dg, true)
@@ -406,8 +406,8 @@ func TestPredicateRegex(t *testing.T) {
 			predRegex, devGroup, string(errOutput))
 	}
 
-	glog.Infof("Sleeping for 35 seconds for acl caches to be refreshed")
-	time.Sleep(35 * time.Second)
+	glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
+	time.Sleep(6 * time.Second)
 	queryPredicateWithUserAccount(t, dg, false)
 	mutatePredicateWithUserAccount(t, dg, false)
 	// the alter operation should still fail since the regex pred does not have the Modify