OpenAM / OPENAM-12419

Policy rules not updated when external configuration store connection restarted

    Details

    • Sprint:
      AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51
    • Story Points:
      5
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      The AM policy evaluation system uses the IndexRuleTree cache to cache policy rules per realm. This cache is backed by a persistent search, so any addition or modification of the policy rules triggers a change notification that updates or invalidates the cache, keeping policy evaluation correct.

      The issue is that when, say, the external configuration store connection is restarted, the persistent search connection used to manage this policy cache is not re-established, and it seems that any subsequent changes to the realm policy rules will not update the cached entries.

      The outcome is that AM will always use the old copies (from before the connection was lost). Unfortunately there is no feedback or telltale sign of this, so when one tries a web agent or policy evaluation, the log line

      Matched index rules (resource:https://test.com:443/test/, realm:/test): []

      will always be empty even though one thinks the rules exist.

      How to reproduce the issue

      1. Set up OpenAM with an external config store.
      2. Create some policy rules (and access them using REST policy evaluation) or a web agent. Say you grant GET access for http://*:*/test/*
      3. Make sure everything works. Be sure to access the realm so that the realm policy gets cached. (* important step)
      4. Now restart the OpenDJ external config store.
      5. Access the agent or policy evaluation to see whether this still works.
      6. Create a new rule http://*:*/test2/* in the UI. Wait 3 mins (if using a web agent, to let the agent policy cache expire).
      7. Access and check whether the URL with /test2 is accessible. The result is that the policy change is not reflected. (See the policy logs for change events.)

      Expected behaviour
      The changed policy gets reflected and used.

      Current behaviour
      Old, stale policy rules are used after an external configuration directory restart.
      

      Workaround

      After any policy rules change, recycle every AM instance (if one is not sure the persistent search for policy still works).

      Code analysis

      IndexChangeManagerImpl.java
      The code does not handle reconnection.

      This is another case like OPENAM-10800 and OPENAM-10852, but applies to the policy persistent search.
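      As an added illustration (not OpenAM code), the following Python model walks through the reproduction steps above: a per-realm rule cache fed by a persistent-search callback, a config store whose restart drops every registered search, and the defensive variant that registers a disconnect handler to re-register the search and invalidate the cache. The class and function names (ConfigStore, IndexRuleCache, reproduce) are constructed for the model and do not correspond to OpenAM internals.

```python
from collections import defaultdict

class ConfigStore:
    """Stand-in for the external OpenDJ config store (constructed model)."""
    def __init__(self):
        self.rules = defaultdict(set)      # realm -> resource patterns
        self.searches = []                 # live persistent-search callbacks
        self.disconnect_handlers = []      # connection-event listeners
    def add_rule(self, realm, pattern):
        self.rules[realm].add(pattern)
        for on_change in list(self.searches):   # persistent search fires
            on_change(realm)
    def restart(self):
        # A restart drops every persistent search; only disconnect handlers hear of it.
        self.searches.clear()
        for on_disconnect in list(self.disconnect_handlers):
            on_disconnect()

class IndexRuleCache:
    """Per-realm rule cache in the spirit of IndexRuleTree (constructed model)."""
    def __init__(self, store, handle_reconnect):
        self.store, self.cache = store, {}
        self.store.searches.append(self._on_change)
        if handle_reconnect:
            self.store.disconnect_handlers.append(self._on_disconnect)
    def _on_change(self, realm):
        self.cache.pop(realm, None)        # invalidate; next lookup reloads
    def _on_disconnect(self):
        # Fix pattern: invalidate what was cached and re-register the search.
        self.cache.clear()
        self.store.searches.append(self._on_change)
    def matched_rules(self, realm):
        if realm not in self.cache:
            self.cache[realm] = frozenset(self.store.rules[realm])
        return self.cache[realm]

def reproduce(handle_reconnect):
    """Walks the ticket's steps; returns True if the new rule is visible."""
    store = ConfigStore()
    cache = IndexRuleCache(store, handle_reconnect)
    store.add_rule("/test", "http://*:*/test/*")     # step 2
    cache.matched_rules("/test")                      # step 3: prime the cache
    store.restart()                                   # step 4
    store.add_rule("/test", "http://*:*/test2/*")    # step 6
    return "http://*:*/test2/*" in cache.matched_rules("/test")   # step 7

if __name__ == "__main__":
    print("without reconnect handling:", reproduce(False))  # False (stale)
    print("with reconnect handling:   ", reproduce(True))   # True
```

      In the model the restart is instantaneous; a real disconnect handler would re-register the search only once a new connection is available, but the cache must still be invalidated for the whole window in which no search was active.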

      People

      • Assignee:
        lawrence.yarham Lawrence Yarham
      • Reporter:
        chee-weng.chea C-Weng C