13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.5.0, 14.5.1, 5.5.1
The AM policy evaluation system uses the IndexRuleTree cache to cache policy rules per realm. This cache is backed by a persistent search, so any change to the policy rules triggers an update or invalidation of the cache and policy evaluation stays correct.
The issue is that when the connection to the external configuration store is dropped (for example because the store is restarted), the persistent search used to manage this policy cache is not re-established, and it appears that subsequent changes to the realm's policy rules no longer update the cached entries.
The outcome is that AM keeps using the old copies of the rules (the ones cached before the connection dropped). Unfortunately there is no feedback or telltale sign of this, so it is unclear why web agent or REST policy evaluation results come back empty even though the rules exist.
Steps to reproduce:
- Set up OpenAM with an external config store
- Create some policy rules (and exercise them using REST policy evaluation) or a web agent. For example, grant GET access to http://*:*/test/*
- Make sure everything works. Be sure to access the realm so that the problematic cache holds the realm's policies. (* important step)
- Now restart the external OpenDJ config store
- Access the agent or policy evaluation to confirm it still works.
- Create a new rule http://*:*/test2/* in the UI. Wait 3 minutes (if using a web agent, to let the agent's policy cache expire)
- Access a URL under /test2 and check whether it is accessible. The result is that the policy change has no effect. (See the policy logs for change events)
Workaround: after any policy rule change, recycle every AM instance (if one is not sure that the persistent search for policies is still working).
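The following is an added, constructed model of the failure mode described above and of the behaviour a fixed cache would need; it is not AM's IndexRuleTree code and all names (ConfigStore, NaivePolicyCache, ReconnectingPolicyCache, reproduce) are hypothetical. The store stand-in drops its persistent-search listeners on restart, as a real LDAP restart drops client connections; the naive cache registers its search once and is never told it is gone, while the reconnecting cache notices the restart, re-registers the search and discards everything it cached, since changes may have been missed while disconnected. The walk-through mirrors the reproduction steps: grant /test/*, cache the realm, restart the store, add /test2/*, evaluate /test2.

```python
"""Constructed model of a per-realm policy-rule cache kept fresh by a
persistent search on a config store. Hypothetical names; not AM code."""
from fnmatch import fnmatch


class ConfigStore:
    """Stand-in for the external config store (constructed, not OpenDJ)."""

    def __init__(self):
        self.rules = {}          # realm -> {rule_name: resource_pattern}
        self.listeners = []      # callbacks registered by persistent searches
        self.generation = 0      # bumped on every restart

    def persistent_search(self, callback):
        """Register a change listener; it lives only as long as the connection."""
        self.listeners.append(callback)

    def restart(self):
        """A restart drops every client connection and with it every
        persistent search. Nothing tells the clients to re-register."""
        self.listeners.clear()
        self.generation += 1

    def add_rule(self, realm, name, pattern):
        self.rules.setdefault(realm, {})[name] = pattern
        for callback in list(self.listeners):   # only surviving searches are notified
            callback(realm)


class NaivePolicyCache:
    """Registers its persistent search once and never checks on it again."""

    def __init__(self, store):
        self.store = store
        self.cache = {}          # realm -> {rule_name: resource_pattern}
        self.store.persistent_search(self.invalidate)

    def invalidate(self, realm):
        self.cache.pop(realm, None)

    def rules_for(self, realm):
        if realm not in self.cache:
            self.cache[realm] = dict(self.store.rules.get(realm, {}))
        return self.cache[realm]

    def allowed(self, realm, url):
        return any(fnmatch(url, pattern) for pattern in self.rules_for(realm).values())


class ReconnectingPolicyCache(NaivePolicyCache):
    """Detects that the store restarted since the search was registered,
    re-registers the search and drops everything cached, because changes
    may have been missed while disconnected."""

    def __init__(self, store):
        super().__init__(store)
        self.subscribed_at = store.generation

    def rules_for(self, realm):
        if self.subscribed_at != self.store.generation:
            self.store.persistent_search(self.invalidate)
            self.subscribed_at = self.store.generation
            self.cache.clear()
        return super().rules_for(realm)


def reproduce(cache_cls):
    """Walk the report's steps; returns (allowed before restart, allowed for new rule)."""
    store = ConfigStore()
    store.add_rule("/", "test", "http://*:*/test/*")
    cache = cache_cls(store)
    before = cache.allowed("/", "http://app:8080/test/index.html")   # realm is now cached
    store.restart()                                                  # external config store restarted
    store.add_rule("/", "test2", "http://*:*/test2/*")               # new rule created in the UI
    after = cache.allowed("/", "http://app:8080/test2/index.html")
    return before, after


if __name__ == "__main__":
    print("naive cache:       ", reproduce(NaivePolicyCache))          # (True, False)
    print("reconnecting cache:", reproduce(ReconnectingPolicyCache))   # (True, True)
```

The naive cache answers (True, False): the first evaluation works, the new rule is never seen, and nothing in the result distinguishes "rule does not exist" from "cache is stale", which is exactly the silent failure the report describes. The reconnecting cache answers (True, True). The generation counter is a stand-in for whatever signal a real client gets when its connection is re-established; the point is that a reconnect must both re-register the persistent search and invalidate the cache, not merely reconnect.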