From fba08ceb9fb8a71f0a86dfcf8902b09a84a70211 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 6 Jun 2011 15:05:16 -0400
Subject: Add ipa_hbac_refresh option

This option describes the time between refreshes of the HBAC rules on the IPA server.
---
 src/config/SSSDConfig.py | 1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
 src/man/sssd-ipa.5.xml | 15 +++++++++++++++
 src/providers/ipa/ipa_access.c | 16 ++++++++++++++++
 src/providers/ipa/ipa_access.h | 2 ++
 src/providers/ipa/ipa_common.c | 3 ++-
 src/providers/ipa/ipa_common.h | 1 +
 7 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index fed19f079..035c95c40 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -97,6 +97,7 @@ option_strings = {
 'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
 'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
+ 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 31b7dc9be..c1adc878e 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -100,6 +100,7 @@ krb5_renew_interval = int, None, false
 krb5_use_fast = str, None, false
 [provider/ipa/access]
+ipa_hbac_refresh = int, None, false
 [provider/ipa/chpass]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4604c55e2..f728e9ccf 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml 
@@ -175,6 +175,21 @@
+
+ ipa_hbac_refresh (integer)
+
+
+ The amount of time between lookups of the HBAC
+ rules against the IPA server. This will reduce the
+ latency and load on the IPA server if there are
+ many access-control requests made in a short
+ period.
+
+
+ Default: 5 (seconds)
+
+
+
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 18cf31043..2a6588ebf 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req)
 ipa_access_ctx = talloc_get_type(
 be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
 struct ipa_access_ctx);
+ hbac_ctx->access_ctx = ipa_access_ctx;
 hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
 hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
 hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
@@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx)
 struct tevent_req *subreq;
 int ret;
 bool offline;
+ time_t now, refresh_interval;
+ struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx;
 offline = be_is_offline(hbac_ctx->be_req->be_ctx);
 DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online"));
+ refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options,
+ IPA_HBAC_REFRESH);
+
+ now = time(NULL);
+ if (now < access_ctx->last_update + refresh_interval) {
+ /* Simulate offline mode and just go to the cache */
+ DEBUG(6, ("Performing cached HBAC evaluation\n"));
+ offline = true;
+ }
+
+ if (!offline) {
 if (hbac_ctx->sdap_op == NULL) {
 hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx,
@@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req)
 */
 hbac_clear_rule_data(hbac_ctx);
+
+ access_ctx->last_update = time(NULL);
+
 /* Now evaluate the request against the rules */
 ipa_hbac_evaluate_rules(hbac_ctx);
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index da43fea2b..2a6bdad50 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h 
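Review bot: The gate `if (now < access_ctx->last_update + refresh_interval)` in hbac_retry takes the cached path whenever the configured interval has not elapsed, so a rule change or revocation made on the server is not seen by this client for up to ipa_hbac_refresh seconds; that is the documented trade-off, but refresh_interval comes from dp_opt_get_int with no range check, so a very large configured value silently pins HBAC to the cache until restart and a negative one silently disables the optimisation. I would clamp it where it is read, `if (refresh_interval < 0) refresh_interval = 0;` with a DEBUG line, or reject such values at provider initialisation. The comparison uses wall-clock time(NULL), so a clock step backwards lengthens the cached window; if the code base offers a monotonic time source it would be the safer choice here. hbac_retry's body continues past the hunk, whether access_ctx->last_update is zero-initialised where ipa_access_ctx is allocated is not visible in this diff, and the `if (!offline) {` line is shown as an addition without a matching removal, which does not fit the hunk's line counts and is probably a rendering artefact.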
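Review bot: `access_ctx->last_update = time(NULL);` in hbac_sysdb_save is stamped only after the fetched rules have been stored, so a refresh that fails while the backend is online (search error or sysdb save error) leaves last_update untouched and every following access request contacts the server again with no back-off; that may be the intended fail-safe, but it works against the load-reduction goal of the option and deserves a comment, e.g. `/* Stamp only a successful refresh: a failed fetch must not extend the cache window */`. The `access_ctx` local written here is declared outside the hunk, and hbac_sysdb_save starts and ends outside it, so the diff alone does not confirm that it is hbac_ctx->access_ctx.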
@@ -43,10 +43,12 @@ struct ipa_access_ctx {
 struct sdap_id_ctx *sdap_ctx;
 struct dp_option *ipa_options;
 struct time_rules_ctx *tr_ctx;
+ time_t last_update;
 };
 struct hbac_ctx {
 struct sdap_id_ctx *sdap_ctx;
+ struct ipa_access_ctx *access_ctx;
 struct sdap_id_op *sdap_op;
 struct dp_option *ipa_options;
 struct time_rules_ctx *tr_ctx;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 3db40af40..163aaf205 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -36,7 +36,8 @@ struct dp_option ipa_basic_opts[] = {
 { "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
- { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
 };
 struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 922806234..26e13456d 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -50,6 +50,7 @@ enum ipa_basic_opt {
 IPA_DYNDNS_IFACE,
 IPA_HBAC_SEARCH_BASE,
 IPA_KRB5_REALM,
+ IPA_HBAC_REFRESH,
 IPA_OPTS_BASIC /* opts counter */
 };
-- 
cgit
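Review bot: Both new members in ipa_access.h are undocumented although each carries a contract: `last_update` is compared against ipa_hbac_refresh in hbac_retry and written in hbac_sysdb_save, and `access_ctx` is a back-pointer from a struct that, judging by ipa_access_handler filling it per be_req, is shorter-lived than the ipa_access_ctx it points to. I would write `time_t last_update; /* time(NULL) of the last successful HBAC rule refresh; see hbac_sysdb_save */` and `struct ipa_access_ctx *access_ctx; /* borrowed, not owned; set in ipa_access_handler */`, the lifetime claim being the part to confirm against the allocation code, which is not in this diff. Both struct definitions are cut at the hunk edges.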
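Review bot: The new `{ "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }` entry in ipa_common.c has no stated range, and because hbac_retry adds the value to a time_t to decide whether the server is contacted at all, 0 means every request refreshes, a negative value behaves like 0, and a very large value keeps stale rules until restart; I would say so in a trailing comment, e.g. `/* seconds between HBAC rule refreshes; 0 disables the cache window */`. The entry is appended after krb5_realm and its position must match the IPA_HBAC_REFRESH enumerator inserted before IPA_OPTS_BASIC in the ipa_common.h hunk, which it does here, so a one-line comment on the array noting that it is index-coupled with enum ipa_basic_opt would protect the next addition.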