summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-06-06 15:05:16 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-07-08 15:12:24 -0400
commit1360b4f4d6e948023daeda8787f575e7f8117444 (patch)
tree98186bb69450a40d123dea13ee57922b9bb8fd06 /src/providers
parent32a5516cc2822cf6ad9950278e3c9701a9389bb4 (diff)
downloadsssd-1360b4f4d6e948023daeda8787f575e7f8117444.tar.gz
sssd-1360b4f4d6e948023daeda8787f575e7f8117444.tar.xz
sssd-1360b4f4d6e948023daeda8787f575e7f8117444.zip
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules on the IPA server.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_access.c16
-rw-r--r--src/providers/ipa/ipa_access.h2
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h1
4 files changed, 21 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 18cf31043..2a6588ebf 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req)
ipa_access_ctx = talloc_get_type(
be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct ipa_access_ctx);
+ hbac_ctx->access_ctx = ipa_access_ctx;
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
@@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx)
struct tevent_req *subreq;
int ret;
bool offline;
+ time_t now, refresh_interval;
+ struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx;
offline = be_is_offline(hbac_ctx->be_req->be_ctx);
DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online"));
+ refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options,
+ IPA_HBAC_REFRESH);
+
+ now = time(NULL);
+ if (now < access_ctx->last_update + refresh_interval) {
+ /* Simulate offline mode and just go to the cache */
+ DEBUG(6, ("Performing cached HBAC evaluation\n"));
+ offline = true;
+ }
+
if (!offline) {
if (hbac_ctx->sdap_op == NULL) {
hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx,
@@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req)
*/
hbac_clear_rule_data(hbac_ctx);
+
+ access_ctx->last_update = time(NULL);
+
/* Now evaluate the request against the rules */
ipa_hbac_evaluate_rules(hbac_ctx);
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index da43fea2b..2a6bdad50 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -43,10 +43,12 @@ struct ipa_access_ctx {
struct sdap_id_ctx *sdap_ctx;
struct dp_option *ipa_options;
struct time_rules_ctx *tr_ctx;
+ time_t last_update;
};
struct hbac_ctx {
struct sdap_id_ctx *sdap_ctx;
+ struct ipa_access_ctx *access_ctx;
struct sdap_id_op *sdap_op;
struct dp_option *ipa_options;
struct time_rules_ctx *tr_ctx;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 9972c3411..0995e0f1a 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
- { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
};
struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 8f0f35a82..1c1f72215 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -50,6 +50,7 @@ enum ipa_basic_opt {
IPA_DYNDNS_IFACE,
IPA_HBAC_SEARCH_BASE,
IPA_KRB5_REALM,
+ IPA_HBAC_REFRESH,
IPA_OPTS_BASIC /* opts counter */
};