Rhino-Security and second-level cache

[vandalo]

I am pretty sure that this question has been asked many times but I
haven't been able to find an answer yet.
DetachUserFromGroup and/or AssociateUserWith members of
AuthorizationRepository don't seem to invalidate the second-level
cache.
I've tried to investigate more but my knowledge of Nhibernate is too
poor at the moment to find a proper solution.
I've downloaded Rhino-Security from here: https://github.com/ayende/rhino-security
and extended AuthorizationServiceWithSecondLevelCacheFixture.

The DatabaseFixture basically creates a user, 3 groups and associate
the user with all the groups:

user = new User { Name = "Ayende" };

session.Save(user);

authorizationService =
ServiceLocator.Current.GetInstance<IAuthorizationService>();
permissionService =
ServiceLocator.Current.GetInstance<IPermissionsService>();
permissionsBuilderService =
ServiceLocator.Current.GetInstance<IPermissionsBuilderService>();
authorizationRepository =
ServiceLocator.Current.GetInstance<IAuthorizationRepository>();

authorizationRepository.CreateUsersGroup("Administrators");
authorizationRepository.CreateUsersGroup("Users");
authorizationRepository.CreateUsersGroup("Guests");

authorizationRepository.AssociateUserWith(user, "Administrators");
authorizationRepository.AssociateUserWith(user, "Users");
authorizationRepository.AssociateUserWith(user, "Guests");

I've added this fixture

[Fact]
public void Test_Associated_Users_Group_For()
{

session.Flush();
session.Transaction.Commit();
session.Dispose();

using (var s2 = factory.OpenSession())
{
using (var tx = s2.BeginTransaction())
{
SillyContainer.SessionProvider = () => s2;

var User = s2.CreateCriteria<User>()
.Add(Restrictions.Eq("Name", "Ayende"))
.UniqueResult<User>();

var anotherAuthorizationRepository =
ServiceLocator.Current.GetInstance<IAuthorizationRepository>();

var Groups =
anotherAuthorizationRepository.GetAssociatedUsersGroupFor(User);

anotherAuthorizationRepository.DetachUserFromGroup(User,
"Guests");

s2.Flush();
tx.Commit();
}
}
using (var s3 = factory.OpenSession())
{
using (var tx = s3.BeginTransaction())
{
SillyContainer.SessionProvider = () => s3;

var User = s3.CreateCriteria<User>()
.Add(Restrictions.Eq("Name", "Ayende"))
.UniqueResult<User>();

var anotherAuthorizationRepository =
ServiceLocator.Current.GetInstance<IAuthorizationRepository>();
var Groups =
anotherAuthorizationRepository.GetAssociatedUsersGroupFor(User);

tx.Commit();
}
}
}


The 2nd session detaches the user from the group Guests but the 3rd
session still fetches 3 groups associated with the user.
It seems that the second-level cache can't be invalidated.
Is there anyone who can help me?

[David Archer]

It's a known issue -- Google it and you'll see others are having the
same problem. I'm not experienced enough with NH to know what the root
cause is here. :(

I have however just submitted a pull request on Github to Ayende with
a failing unit test illustrating the problem.

https://github.com/ayende/rhino-security/pull/8


-- David Archer

[vandalo]

Thanks David,

Alberto

[RickB]

Does anyone know if this issue has been fixed?

Thank you,

Rick

> > > Is there anyone who can help me?- Hide quoted text -
>
> - Show quoted text -

[Nathan Stott]

It has yet to be fixed. If you'd like to submit a patch and a pull
request I will happily merge it.

> --
> You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group.
> To post to this group, send email to rhino-t...@googlegroups.com.
> To unsubscribe from this group, send email to rhino-tools-d...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en.
>
>

[RickB]

It looks like group.Users.Remove(user) (Services
\AuthorizationRepository.cs line 525) is not actually removing the
user from the group. I don't know enough about how the system works
under the hood to come up with a fix.

Do you think you could please dig into it a bit? I bet it's an easy
fix for someone who is familiar with how it works.

Thank you!

Rick

> > For more options, visit this group athttp://groups.google.com/group/rhino-tools-dev?hl=en.- Hide quoted text -

[RickB]

Hello? Is anyone home?

> > > For more options, visit this group athttp://groups.google.com/group/rhino-tools-dev?hl=en.-Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -

[Nathan Stott]

I'm home. My use of rhino security is in projects that are in the
maintenance phase, not the new development phase. I will be happy to
apply any patches you create; however, if you're waiting on me to dig
into an issue that doesn't directly involve maintaining one of my
existing sites using rhino security, you're going to be waiting for
quite a while.

Good luck and if you dig into the issue and resolve it, I'll be happy
to apply your commit.

[vandalo]

I've spent these last two days trying to dig into this issue. My
knowledge of nhibernate is not that huge so it took me
a while to figure out things.
It seems to me that the problem is the fact that UserGroups contains
this collection of Users (the collection is cachable)
but it is not responsible for it. There's no inverse attribute set.
After some debugging (and reading some papers found on the Internet)
I've found out that the only way to fix this is to
evict all the queries in the cache just after the user has been
removed from the group.

I would change this code here:

public void DetachUserFromGroup(IUser user, string usersGroupName)
{
UsersGroup group = GetUsersGroupByName(usersGroupName);
Guard.Against(group == null, "There is no users group named: " +
usersGroupName);

group.Users.Remove(user);

session.SessionFactory.EvictQueries();
}

and, probably, the same associating the user to a group.
I've tried different kind of eviction (on collections and entities)
but nothing really changes.
The only way is to evict all the query in the cache.

> >> > > For more options, visit this group athttp://groups.google.com/group/rhino-tools-dev?hl=en.-Hidequoted text -

[RickB]

Thank you for looking at this. Your two changes work great for
removing a user from a group. However, adding users has the same issue
as you suggested.

Calling GetAssociatedUsersGroupFor after adding a user to the group
does not return the newly associated group.

The analogous change probably needs to be made to the association
code. I am a bit reluctant to try it myself not fully understanding
the ramifications of the change. My first attempt did not work.

Perhaps you can finish off the change? I’d be happy to test it for
you.

Thank you again!

On Apr 12, 8:17 am, vandalo <alberto.bas...@gmail.com> wrote:
> I've spent these last two days trying to dig into this issue. My
> knowledge of nhibernate is not that huge so it took me
> a while to figure out things.
> It seems to me that the problem is the fact that UserGroups contains
> this collection of Users (the collection is cachable)
> but it is not responsible for it. There's no inverse attribute set.
> After some debugging (and reading some papers found on the Internet)
> I've found out that the only way to fix this is to

> evict all the queries in thecachejust after the user has been

> > >> > >> > > It seems that thesecond-levelcachecan't be invalidated.

> > >> > >> > > Is there anyone who can help me?- Hide quoted text -
>
> > >> > >> - Show quoted text -
>
> > >> > > --
> > >> > > You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group.
> > >> > > To post to this group, send email to rhino-t...@googlegroups.com.
> > >> > > To unsubscribe from this group, send email to rhino-tools-d...@googlegroups.com.

> > >> > > For more options, visit this group athttp://groups.google.com/group/rhino-tools-dev?hl=en.-Hidequotedtext -

>
> > >> > - Show quoted text -- Hide quoted text -
>
> > >> - Show quoted text -
>
> > > --
> > > You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group.
> > > To post to this group, send email to rhino-t...@googlegroups.com.
> > > To unsubscribe from this group, send email to rhino-tools-d...@googlegroups.com.

> > > For more options, visit this group athttp://groups.google.com/group/rhino-tools-dev?hl=en.- Hide quoted text -

[Remco Ros]

Hi Rick,

I have never used rhino-security, so I can't be 100% sure about the rammification. But as far as I can see the only place where data access code lives is in that repository.

There are two options:
- evict the whole query cache after each change (this has some performance implications when you're doing a lot of updates/reads at the same time, because after each update the whole query cache is evicted)
- split the queries in different cache regions (using SetCacheRegion) and evict that regions query cache whenever an update occurs which should invalidate that region.

If you can write the failing tests, I can implement selective query eviction like I did for the first test you wrote. (https://github.com/remcoros/rhino-security)

Also maybe Nathan can have a look at this?

Remco

[Nathan Stott]

Can you send a pull request? The only recent pull request I've
received is this one:
https://github.com/vandalo/rhino-security/commit/0795e30ee8b7dd8651adc443190a98aee6befc1e#comments

[vandalo]

I don't understand who's managing this project. I've pulled a request
and submitted some changes (with test-case as required) but it's just
on my account.
Nobody replied or bothered to apply these changes.
Now I was looking at RemCoros repository and found out that he made
some changes but they do exist only in it's project.

Alberto

On Apr 22, 11:33 am, Nathan Stott <nrst...@gmail.com> wrote:
> Can you send a pull request?  The only recent pull request I've

> received is this one:https://github.com/vandalo/rhino-security/commit/0795e30ee8b7dd8651ad...

[Remco Ros]

Nathan manages this project as far as I know.

The changes I made where just to demonstrate how to fix (part of) the issue with 2nd level cache. It is not complete, that is why I didn't send a pull request for it.

Take it as an example to fix your issues. implement it on your fork, send a pull request and wait for Nathan to accept it.

Remco

[Nathan Stott]

I made a comment about your pull request and you replied to it, but
never changed what we talked about in the comments.

[Bhoomi]

Is this issue resolved?

I am facing the same issue.

[Nathan Stott]

No, it is not

[Oren Eini (Ayende Rahien)]

What issue? This thread is from 2 years ago

On Friday, April 12, 2013, adina wrote:

Any news for this issues? I am running also into this problem.

To unsubscribe from this group and stop receiving emails from it, send an email to rhino-tools-d...@googlegroups.com.

To post to this group, send email to rhino-t...@googlegroups.com.

Visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[adina]

The issue is described here: https://groups.google.com/d/msg/rhino-tools-dev/x8jkSMglOaE/fu-dXtqfnNAJ

To unsubscribe from this group and stop receiving emails from it, send an email to rhino-tools-dev+unsubscribe@googlegroups.com.
To post to this group, send email to rhino-tools-dev@googlegroups.com.