Create a cache of group membership to speed up membership tests

This way we can more efficiently examine the groups that an account
is a member of by storing it in a hash within the JVM.  Group queries
should be fairly infrequent, so we use a secondary database connection
if we need to perform the lookup.  Very busy sites may need a larger
cache, but 4096 users should be sufficient for most servers and yet
not require too much memory within the JVM.

Signed-off-by: Shawn O. Pearce <sop@google.com>

appjar/src/main/java/com/google/gerrit/server/GerritServer.java

@@ -79,6 +79,7 @@ public class GerritServer {
   private final SignedToken xsrf;
   private final SignedToken account;
   private final RepositoryCache repositories;
+  private final GroupCache groupCache;
 
   private GerritServer() throws OrmException, XsrfException {
     db = createDatabase();
@@ -95,6 +96,8 @@ public class GerritServer {
     } else {
       repositories = null;
     }
+
+    groupCache = new GroupCache(db, sConfig);
   }
 
   private Database<ReviewDb> createDatabase() throws OrmException {
@@ -305,8 +308,8 @@ public class GerritServer {
     return repositories;
   }
 
-  /** Get the group whose members have full access to manage the site. */
-  public AccountGroup.Id getAdminGroupId() {
-    return sConfig.adminGroupId;
+  /** Get the group membership cache. */
+  public GroupCache getGroupCache() {
+    return groupCache;
   }
 }

appjar/src/main/java/com/google/gerrit/server/GroupAdminServiceImpl.java

@@ -40,18 +40,18 @@ import java.util.Set;
 
 public class GroupAdminServiceImpl extends BaseServiceImplementation implements
     GroupAdminService {
-  private final AccountGroup.Id adminId;
+  private final GroupCache groupCache;
 
   public GroupAdminServiceImpl(final GerritServer server) {
     super(server.getDatabase());
-    adminId = server.getAdminGroupId();
+    groupCache = server.getGroupCache();
   }
 
   public void ownedGroups(final AsyncCallback<List<AccountGroup>> callback) {
     run(callback, new Action<List<AccountGroup>>() {
       public List<AccountGroup> run(ReviewDb db) throws OrmException {
         final List<AccountGroup> result;
-        if (amAdmin(db)) {
+        if (groupCache.isAdministrator(RpcUtil.getAccountId())) {
           result = db.accountGroups().all().toList();
         } else {
           result = myOwnedGroups(db);
@@ -90,6 +90,8 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
         db.accountGroups().insert(Collections.singleton(group), txn);
         db.accountGroupMembers().insert(Collections.singleton(m), txn);
         txn.commit();
+        groupCache.notifyGroupAdd(m);
+
         return group.getId();
       }
     });
@@ -188,6 +190,8 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
 
         final AccountGroupMember m = new AccountGroupMember(key);
         db.accountGroupMembers().insert(Collections.singleton(m));
+        groupCache.notifyGroupAdd(m);
+
         final AccountGroupDetail d = new AccountGroupDetail();
         d.loadOneMember(db, a, m);
         return d;
@@ -204,7 +208,7 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
         for (final AccountGroupMember.Key k : keys) {
           if (!owned.contains(k.getAccountGroupId())) {
             if (amAdmin == null) {
-              amAdmin = amAdmin(db);
+              amAdmin = groupCache.isAdministrator(RpcUtil.getAccountId());
             }
             if (!amAdmin) {
               throw new Failure(new NoSuchEntityException());
@@ -215,6 +219,7 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
           final AccountGroupMember m = db.accountGroupMembers().get(k);
           if (m != null) {
             db.accountGroupMembers().delete(Collections.singleton(m));
+            groupCache.notifyGroupDelete(m);
           }
         }
         return VoidResult.INSTANCE;
@@ -222,23 +227,15 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
     });
   }
 
-  private static boolean amInGroup(final ReviewDb db,
-      final AccountGroup.Id groupId) throws OrmException {
-    return db.accountGroupMembers().get(
-        new AccountGroupMember.Key(RpcUtil.getAccountId(), groupId)) != null;
-  }
-
-  private boolean amAdmin(final ReviewDb db) throws OrmException {
-    return adminId != null && amInGroup(db, adminId);
-  }
-
   private void assertAmGroupOwner(final ReviewDb db,
       final AccountGroup.Id groupId) throws OrmException, Failure {
     final AccountGroup group = db.accountGroups().get(groupId);
     if (group == null) {
       throw new Failure(new NoSuchEntityException());
     }
-    if (!amInGroup(db, group.getOwnerGroupId()) && !amAdmin(db)) {
+    final Account.Id me = RpcUtil.getAccountId();
+    if (!groupCache.isInGroup(me, group.getOwnerGroupId())
+        && !groupCache.isAdministrator(me)) {
       throw new Failure(new NoSuchEntityException());
     }
   }
@@ -252,13 +249,12 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
     return r;
   }
 
-  private static List<AccountGroup> myOwnedGroups(final ReviewDb db)
+  private List<AccountGroup> myOwnedGroups(final ReviewDb db)
       throws OrmException {
+    final Account.Id me = RpcUtil.getAccountId();
     final List<AccountGroup> own = new ArrayList<AccountGroup>();
-    for (final AccountGroupMember m : db.accountGroupMembers().byAccount(
-        RpcUtil.getAccountId()).toList()) {
-      for (final AccountGroup g : db.accountGroups().ownedByGroup(
-          m.getAccountGroupId())) {
+    for (final AccountGroup.Id groupId : groupCache.getGroups(me)) {
+      for (final AccountGroup g : db.accountGroups().ownedByGroup(groupId)) {
         own.add(g);
       }
     }

appjar/src/main/java/com/google/gerrit/server/GroupCache.java

@@ -0,0 +1,152 @@
+// Copyright 2008 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server;
+
+import com.google.gerrit.client.reviewdb.Account;
+import com.google.gerrit.client.reviewdb.AccountGroup;
+import com.google.gerrit.client.reviewdb.AccountGroupMember;
+import com.google.gerrit.client.reviewdb.ReviewDb;
+import com.google.gerrit.client.reviewdb.SystemConfig;
+import com.google.gwtorm.client.OrmException;
+import com.google.gwtorm.client.SchemaFactory;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Set;
+
+/** Cache of group information, including account memberships. */
+public class GroupCache {
+  private final SchemaFactory<ReviewDb> schema;
+  private AccountGroup.Id adminGroupId;
+
+  private final LinkedHashMap<Account.Id, Set<AccountGroup.Id>> byAccount =
+      new LinkedHashMap<Account.Id, Set<AccountGroup.Id>>(16, 0.75f, true) {
+        @Override
+        protected boolean removeEldestEntry(
+            final Map.Entry<Account.Id, Set<AccountGroup.Id>> eldest) {
+          return 4096 <= size();
+        }
+      };
+
+  protected GroupCache(final SchemaFactory<ReviewDb> rdf, final SystemConfig cfg) {
+    schema = rdf;
+    adminGroupId = cfg.adminGroupId;
+  }
+
+  /**
+   * Determine if the user is a member of the blessed administrator group.
+   * 
+   * @param accountId the account to test for membership.
+   * @return true if the account is in the special blessed administration group;
+   *         false otherwise.
+   */
+  public boolean isAdministrator(final Account.Id accountId) {
+    return isInGroup(accountId, adminGroupId);
+  }
+
+  /**
+   * Determine if the user is a member of a specific group.
+   * 
+   * @param accountId the account to test for membership.
+   * @param groupId the group to test for membership within.
+   * @return true if the account is in the group; false otherwise.
+   */
+  public boolean isInGroup(final Account.Id accountId,
+      final AccountGroup.Id groupId) {
+    final Set<AccountGroup.Id> m = getGroups(accountId);
+    return m.contains(groupId);
+  }
+
+  /**
+   * Invalidate all cached information about a single user account.
+   * 
+   * @param accountId the account to invalidate from the cache.
+   */
+  public void invalidate(final Account.Id accountId) {
+    synchronized (byAccount) {
+      byAccount.remove(accountId);
+    }
+  }
+
+  /**
+   * Notify the cache that an account has become a member of a group.
+   * 
+   * @param m the account-group pairing that was just inserted.
+   */
+  public void notifyGroupAdd(final AccountGroupMember m) {
+    synchronized (byAccount) {
+      final Set<AccountGroup.Id> e = byAccount.get(m.getAccountId());
+      if (e != null) {
+        final Set<AccountGroup.Id> n = new HashSet<AccountGroup.Id>(e);
+        n.add(m.getAccountGroupId());
+        byAccount.put(m.getAccountId(), Collections.unmodifiableSet(n));
+      }
+    }
+  }
+
+  /**
+   * Notify the cache that an account has been removed from a group.
+   * 
+   * @param m the account-group pairing that was just deleted.
+   */
+  public void notifyGroupDelete(final AccountGroupMember m) {
+    synchronized (byAccount) {
+      final Set<AccountGroup.Id> e = byAccount.get(m.getAccountId());
+      if (e != null) {
+        final Set<AccountGroup.Id> n = new HashSet<AccountGroup.Id>(e);
+        n.remove(m.getAccountGroupId());
+        byAccount.put(m.getAccountId(), Collections.unmodifiableSet(n));
+      }
+    }
+  }
+
+  /**
+   * Get the groups a specific account is a member of.
+   * 
+   * @param accountId the account to obtain the group list for.
+   * @return unmodifiable set listing the groups the account is a member of.
+   */
+  public Set<AccountGroup.Id> getGroups(final Account.Id accountId) {
+    Set<AccountGroup.Id> m;
+    synchronized (byAccount) {
+      m = byAccount.get(accountId);
+    }
+    if (m != null) {
+      return m;
+    }
+
+    m = new HashSet<AccountGroup.Id>();
+    try {
+      final ReviewDb db = schema.open();
+      try {
+        for (final AccountGroupMember g : db.accountGroupMembers().byAccount(
+            accountId)) {
+          m.add(g.getAccountGroupId());
+        }
+        m = Collections.unmodifiableSet(m);
+      } finally {
+        db.close();
+      }
+    } catch (OrmException e) {
+      m = Collections.emptySet();
+    }
+    synchronized (byAccount) {
+      byAccount.put(accountId, m);
+    }
+    return m;
+  }
+}

appjar/src/main/java/com/google/gerrit/server/ProjectAdminServiceImpl.java

@@ -16,8 +16,8 @@ package com.google.gerrit.server;
 
 import com.google.gerrit.client.admin.ProjectAdminService;
 import com.google.gerrit.client.admin.ProjectDetail;
+import com.google.gerrit.client.reviewdb.Account;
 import com.google.gerrit.client.reviewdb.AccountGroup;
-import com.google.gerrit.client.reviewdb.AccountGroupMember;
 import com.google.gerrit.client.reviewdb.Project;
 import com.google.gerrit.client.reviewdb.ReviewDb;
 import com.google.gerrit.client.rpc.BaseServiceImplementation;
@@ -34,18 +34,18 @@ import java.util.List;
 
 public class ProjectAdminServiceImpl extends BaseServiceImplementation
     implements ProjectAdminService {
-  private final AccountGroup.Id adminId;
+  private final GroupCache groupCache;
 
   public ProjectAdminServiceImpl(final GerritServer server) {
     super(server.getDatabase());
-    adminId = server.getAdminGroupId();
+    groupCache = server.getGroupCache();
   }
 
   public void ownedProjects(final AsyncCallback<List<Project>> callback) {
     run(callback, new Action<List<Project>>() {
       public List<Project> run(ReviewDb db) throws OrmException {
         final List<Project> result;
-        if (amAdmin(db)) {
+        if (groupCache.isAdministrator(RpcUtil.getAccountId())) {
           result = db.projects().all().toList();
         } else {
           result = myOwnedProjects(db);
@@ -116,33 +116,24 @@ public class ProjectAdminServiceImpl extends BaseServiceImplementation
     });
   }
 
-  private static boolean amInGroup(final ReviewDb db,
-      final AccountGroup.Id groupId) throws OrmException {
-    return db.accountGroupMembers().get(
-        new AccountGroupMember.Key(RpcUtil.getAccountId(), groupId)) != null;
-  }
-
-  private boolean amAdmin(final ReviewDb db) throws OrmException {
-    return adminId != null && amInGroup(db, adminId);
-  }
-
   private void assertAmProjectOwner(final ReviewDb db,
       final Project.Id projectId) throws OrmException, Failure {
     final Project project = db.projects().get(projectId);
     if (project == null) {
       throw new Failure(new NoSuchEntityException());
     }
-    if (!amInGroup(db, project.getOwnerGroupId()) && !amAdmin(db)) {
+    final Account.Id me = RpcUtil.getAccountId();
+    if (!groupCache.isInGroup(me, project.getOwnerGroupId())
+        && !groupCache.isAdministrator(me)) {
       throw new Failure(new NoSuchEntityException());
     }
   }
 
-  private static List<Project> myOwnedProjects(final ReviewDb db)
-      throws OrmException {
+  private List<Project> myOwnedProjects(final ReviewDb db) throws OrmException {
+    final Account.Id me = RpcUtil.getAccountId();
     final List<Project> own = new ArrayList<Project>();
-    for (final AccountGroupMember m : db.accountGroupMembers().byAccount(
-        RpcUtil.getAccountId()).toList()) {
-      for (final Project g : db.projects().ownedByGroup(m.getAccountGroupId())) {
+    for (final AccountGroup.Id groupId : groupCache.getGroups(me)) {
+      for (final Project g : db.projects().ownedByGroup(groupId)) {
         own.add(g);
       }
     }