
Merge pull request #9626 from id/fix-enable-authz-cache-by-default

fix: enable authorization cache by default
Zaiming (Stone) Shi 3 лет назад
Родитель
Сommit
b40ce0fc2d

+ 5 - 1
apps/emqx/src/emqx_hocon.erl

@@ -21,7 +21,8 @@
     format_path/1,
     check/2,
     format_error/1,
-    format_error/2
+    format_error/2,
+    make_schema/1
 ]).
 
 %% @doc Format hocon config field path to dot-separated string in iolist format.
@@ -79,6 +80,9 @@ format_error({_Schema, [#{kind := K} = First | Rest] = All}, Opts) when
 format_error(_Other, _) ->
     false.
 
+make_schema(Fields) ->
+    #{roots => Fields, fields => #{}}.
+
 %% Ensure iolist()
 iol(B) when is_binary(B) -> B;
 iol(A) when is_atom(A) -> atom_to_binary(A, utf8);
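Review bot: `make_schema/1` is added to the export list and called from `emqx_authz_api_settings` and `emqx_authz_api_sources` in this commit, but it has neither a `-spec` nor a doc comment. I would add `%% @doc Wrap a list of root fields into a schema map with no extra struct definitions.` and `-spec make_schema(list()) -> #{roots := list(), fields := #{}}.` above it. Any `ref/2` in `Fields` must then resolve through its own module, since `fields` is always empty here; that is worth stating in the comment.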

+ 29 - 25
apps/emqx/src/emqx_schema.erl

@@ -114,6 +114,7 @@
 -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
 -export([conf_get/2, conf_get/3, keys/2, filter/1]).
 -export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
+-export([authz_fields/0]).
 -export([sc/2, map/2]).
 
 -elvis([{elvis_style, god_modules, disable}]).
@@ -326,31 +327,7 @@ fields("stats") ->
             )}
     ];
 fields("authorization") ->
-    [
-        {"no_match",
-            sc(
-                hoconsc:enum([allow, deny]),
-                #{
-                    default => allow,
-                    required => true,
-                    desc => ?DESC(fields_authorization_no_match)
-                }
-            )},
-        {"deny_action",
-            sc(
-                hoconsc:enum([ignore, disconnect]),
-                #{
-                    default => ignore,
-                    required => true,
-                    desc => ?DESC(fields_authorization_deny_action)
-                }
-            )},
-        {"cache",
-            sc(
-                ref(?MODULE, "cache"),
-                #{}
-            )}
-    ];
+    authz_fields();
 fields("cache") ->
     [
         {"enable",
@@ -2091,6 +2068,33 @@ do_default_ciphers(_) ->
     %% otherwise resolve default ciphers list at runtime
     [].
 
+authz_fields() ->
+    [
+        {"no_match",
+            sc(
+                hoconsc:enum([allow, deny]),
+                #{
+                    default => allow,
+                    required => true,
+                    desc => ?DESC(fields_authorization_no_match)
+                }
+            )},
+        {"deny_action",
+            sc(
+                hoconsc:enum([ignore, disconnect]),
+                #{
+                    default => ignore,
+                    required => true,
+                    desc => ?DESC(fields_authorization_deny_action)
+                }
+            )},
+        {"cache",
+            sc(
+                ref(?MODULE, "cache"),
+                #{}
+            )}
+    ].
+
 %% @private return a list of keys in a parent field
 -spec keys(string(), hocon:config()) -> [string()].
 keys(Parent, Conf) ->
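Review bot: `authz_fields/0` here returns `no_match`, `deny_action` and `cache`, while the function of the same name added to `emqx_authz_schema` later in this commit returns only `sources`, so the two are easy to confuse at a call site. `emqx_authz_api_settings` depends on picking this one to keep `sources` out of the settings schema, and source entries may carry backend connection settings (inferred, not visible here). I would either rename one of them or document both, e.g. `%% @doc Core authorization fields (no_match, deny_action, cache); the sources field is emqx_authz_schema:authz_fields/0.` A `-spec` on each would also help. The hunk only moves the field list, so the `default => allow` for `no_match` is unchanged, but the new doc comment is a good place to state that unmatched requests are allowed by default.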

+ 1 - 0
apps/emqx_authz/etc/emqx_authz.conf

@@ -1,6 +1,7 @@
 authorization {
   deny_action = ignore
   no_match = allow
+  cache = { enable = true }
   sources =  [
     {
       type = file
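Review bot: The added `cache = { enable = true }` line gives an operator no hint that a cached authorization result can keep being used after the rule behind it has changed. According to the changelog the cache was already on by default, so this line only makes that explicit, which is a good moment to document it. I would put a comment above it, e.g. `# Cached results are reused until they expire; clear the cache after tightening rules`. The cache's expiry settings are not visible on this page, so check the wording against the `cache` fields in `emqx_schema`. The `authorization` block continues outside the hunk.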

+ 4 - 2
apps/emqx_authz/src/emqx_authz_api_settings.erl

@@ -64,7 +64,7 @@ schema("/authorization/settings") ->
     }.
 
 ref_authz_schema() ->
-    proplists:delete(sources, emqx_conf_schema:fields("authorization")).
+    emqx_schema:authz_fields().
 
 settings(get, _Params) ->
     {200, authorization_settings()};
@@ -83,4 +83,6 @@ settings(put, #{
     {200, authorization_settings()}.
 
 authorization_settings() ->
-    maps:remove(<<"sources">>, emqx:get_raw_config([authorization], #{})).
+    C = maps:remove(<<"sources">>, emqx:get_raw_config([authorization], #{})),
+    Schema = emqx_hocon:make_schema(emqx_schema:authz_fields()),
+    hocon_tconf:make_serializable(Schema, C, #{}).
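Review bot: `authorization_settings/0` now passes the raw config through `hocon_tconf:make_serializable/3` without saying why, and the reason (filling in schema defaults such as `cache.enable`) is only stated in the changelog. I would add `%% Fill in schema defaults so the API reports effective values, not only keys present in the raw config.` above the `Schema =` line. The `maps:remove(<<"sources">>, ...)` step is now also what keeps the input within the schema from `emqx_schema:authz_fields()`, which is worth a short comment too. No test for the `GET /authorization/settings` response is visible on this page; if none exists, one asserting that the cache default appears in the response would pin the fix.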

+ 1 - 1
apps/emqx_authz/src/emqx_authz_api_sources.erl

@@ -449,7 +449,7 @@ is_ok(ResL) ->
 
 get_raw_sources() ->
     RawSources = emqx:get_raw_config([authorization, sources], []),
-    Schema = #{roots => emqx_authz_schema:fields("authorization"), fields => #{}},
+    Schema = emqx_hocon:make_schema(emqx_authz_schema:authz_fields()),
     Conf = #{<<"sources">> => RawSources},
     #{<<"sources">> := Sources} = hocon_tconf:make_serializable(Schema, Conf, #{}),
     merge_default_headers(Sources).

+ 22 - 18
apps/emqx_authz/src/emqx_authz_schema.erl

@@ -36,7 +36,8 @@
     tags/0,
     fields/1,
     validations/0,
-    desc/1
+    desc/1,
+    authz_fields/0
 ]).
 
 -export([
@@ -74,23 +75,7 @@ tags() ->
 roots() -> [].
 
 fields("authorization") ->
-    Types = [?R_REF(Type) || Type <- type_names()],
-    UnionMemberSelector =
-        fun
-            (all_union_members) -> Types;
-            %% must return list
-            ({value, Value}) -> [select_union_member(Value)]
-        end,
-    [
-        {sources,
-            ?HOCON(
-                ?ARRAY(?UNION(UnionMemberSelector)),
-                #{
-                    default => [],
-                    desc => ?DESC(sources)
-                }
-            )}
-    ];
+    authz_fields();
 fields(file) ->
     authz_common_fields(file) ++
         [{path, ?HOCON(string(), #{required => true, desc => ?DESC(path)})}];
@@ -492,3 +477,22 @@ select_union_member_loop(TypeValue, [Type | Types]) ->
         false ->
             select_union_member_loop(TypeValue, Types)
     end.
+
+authz_fields() ->
+    Types = [?R_REF(Type) || Type <- type_names()],
+    UnionMemberSelector =
+        fun
+            (all_union_members) -> Types;
+            %% must return list
+            ({value, Value}) -> [select_union_member(Value)]
+        end,
+    [
+        {sources,
+            ?HOCON(
+                ?ARRAY(?UNION(UnionMemberSelector)),
+                #{
+                    default => [],
+                    desc => ?DESC(sources)
+                }
+            )}
+    ].

+ 2 - 2
apps/emqx_conf/src/emqx_conf_schema.erl

@@ -947,8 +947,8 @@ fields("log_burst_limit") ->
             )}
     ];
 fields("authorization") ->
-    emqx_schema:fields("authorization") ++
-        emqx_authz_schema:fields("authorization").
+    emqx_schema:authz_fields() ++
+        emqx_authz_schema:authz_fields().
 
 desc("cluster") ->
     ?DESC("desc_cluster");

+ 2 - 0
changes/v5.0.15/fix-9626.en.md

@@ -0,0 +1,2 @@
+Return authorization settings with default values.
+The authorization cache is enabled by default, but due to the missing default value in `GET` response of `/authorization/settings`, it seemed to be disabled from the dashboard.

+ 3 - 0
changes/v5.0.15/fix-9626.zh.md

@@ -0,0 +1,3 @@
+为授权设置 API 返回默认值。
+授权缓存默认为开启,但是在此修复前,因为默认值在 `/authorization/settings` 这个 API 的返回值中缺失,
+使得在仪表盘配置页面中看起来是关闭了。