[OPENAM-12419] Policy rules not updated when external configuration store connection restarted Created: 09/Feb/18  Updated: 22/Feb/19  Resolved: 17/May/18

Status: Resolved
Project: OpenAM
Component/s: authentication, policy, sms
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.5.0, 14.5.1, 5.5.1
Fix Version/s: 13.5.3, 14.1.2, 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51
Story Points: 5
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


Bug description

The AM policy evaluation system uses the IndexRuleTree cache to cache policy rules per realm. This is backed by a persistent search, so any change or modification to the policy rules updates or invalidates this cache so that policy evaluation is correct.

The issue is that when, say, the connection to the external configuration store is restarted, the persistent connection used to manage this policy cache is no longer re-established, and it would seem that any changes to the realm policy rules will not update the cached entries.

The outcome of this is that AM will always use the old copies (from before the connection was dropped). Unfortunately there is no feedback or telltale sign of this, so when one tries a web agent or policy evaluation,

Matched index rules (resource:https://test.com:443/test/, realm:/test): []

will always be empty even though one thought the rules exist.

How to reproduce the issue


  1. Set up an OpenAM with an external config store.
  2. Create some policy rules (and access them using the REST policy evaluation) or a web agent. Let's say grant GET access for http://*:*/test/*
  3. Make sure everything works. Ensure you access the realm so that the realm policy gets cached. (* important step)
  4. Now restart the OpenDJ external config store.
  5. Access the agent or policy evaluation to see if this still works.
  6. Create a new rule http://*:*/test2/* in the UI. Wait 3 minutes (if using a web agent, to let the agent policy cache expire).
  7. Access and check whether the URL with /test2 is accessible. The result is that the policy change has no effect. (See the policy logs for change events.)
Expected behaviour
The changed policy gets reflected and used.
Current behaviour
Old, stale policy rules are used after an external configuration directory restart.

Work around

After any policy rule change, recycle every AM instance (if one is not sure the persistent search for policy still works).

Code analysis

The code does not handle reconnection.

This is another case like OPENAM-10800 and OPENAM-10852, but it applies to the Policy component.
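The failure mode above, and the kind of reconnection handling the code analysis says is missing, can be shown in a small simulation. This is an added example, not OpenAM code: the ConfigStore, StalePolicyCache and ReconnectingPolicyCache classes, their method names, and the "generation" counter used to detect a dropped connection are invented for illustration, and the sample realm and rule patterns are the ones from the reproduction steps. The stale cache registers its persistent search once and never again; the reconnecting cache notices that the connection was lost, re-registers, and drops every cached entry, because any change made while the listener was gone was never observed.

```python
"""Simulated change-notification-backed policy cache (added example, not
OpenAM code). Shows why a cache fed by a persistent search goes stale when
the store restarts and the search is never re-registered, and one fix."""
import fnmatch


class ConfigStore:
    """Stand-in for the external configuration directory (e.g. OpenDJ).
    Holds rules per realm plus the persistent-search callbacks registered
    by clients; a restart drops the callbacks but keeps the data."""

    def __init__(self):
        self.rules = {}        # realm -> set of resource patterns
        self.listeners = []    # persistent searches registered by clients
        self.generation = 0    # hypothetical connection epoch, bumps on restart

    def add_rule(self, realm, pattern):
        self.rules.setdefault(realm, set()).add(pattern)
        for callback in list(self.listeners):   # notify live persistent searches
            callback(realm)

    def search(self, realm):
        return set(self.rules.get(realm, set()))

    def persistent_search(self, callback):
        self.listeners.append(callback)

    def restart(self):
        """All client connections, and with them all persistent searches, die.
        The stored rules survive because the store is persistent."""
        self.listeners.clear()
        self.generation += 1


def _matches(pattern, resource):
    # Minimal '*' glob, enough for patterns like "http://*:*/test/*".
    return fnmatch.fnmatchcase(resource, pattern)


class StalePolicyCache:
    """Registers the persistent search once at construction and never again.
    After a store restart it keeps serving the pre-restart rule set, which is
    the behaviour the ticket reports."""

    def __init__(self, store):
        self.store = store
        self.cache = {}        # realm -> set of patterns (lazily loaded)
        self.store.persistent_search(self._invalidate)

    def _invalidate(self, realm):
        self.cache.pop(realm, None)

    def matched_rules(self, realm, resource):
        if realm not in self.cache:
            self.cache[realm] = self.store.search(realm)
        return sorted(r for r in self.cache[realm] if _matches(r, resource))


class ReconnectingPolicyCache(StalePolicyCache):
    """Same cache, but every lookup first checks whether the connection was
    lost since the search was registered. If so it re-registers and clears
    the whole cache: changes made while disconnected were never seen."""

    def __init__(self, store):
        super().__init__(store)
        self.seen_generation = store.generation

    def _ensure_subscribed(self):
        if self.store.generation != self.seen_generation:
            self.store.persistent_search(self._invalidate)
            self.cache.clear()
            self.seen_generation = self.store.generation

    def matched_rules(self, realm, resource):
        self._ensure_subscribed()
        return super().matched_rules(realm, resource)


def reproduce(cache_cls):
    """Run the ticket's reproduction steps against a cache class and return
    the rules matched for the /test2/ resource after the restart."""
    store = ConfigStore()
    store.add_rule("/test", "http://*:*/test/*")                 # step 2
    cache = cache_cls(store)
    first = cache.matched_rules("/test", "http://test.com:443/test/")  # step 3: cache the realm
    assert first == ["http://*:*/test/*"]
    store.restart()                                              # step 4
    cache.matched_rules("/test", "http://test.com:443/test/")    # step 5: still answered
    store.add_rule("/test", "http://*:*/test2/*")                # step 6: new rule
    return cache.matched_rules("/test", "http://test.com:443/test2/index.html")  # step 7


if __name__ == "__main__":
    print("stale cache after restart:", reproduce(StalePolicyCache))
    print("reconnecting cache after restart:", reproduce(ReconnectingPolicyCache))
```

With the stale cache the last lookup returns an empty list, which is exactly the "Matched index rules ... []" log line in the description; with the reconnecting cache it returns the new /test2/ rule. The important design point is that reconnecting is not enough on its own: the cache must also be cleared on reconnect, since the notifications for anything changed during the outage were lost with the old connection.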

Comment by Lawrence Yarham [ 12/Apr/18 ]

Many thanks C-Weng C for adding further information here.  I'm able to reproduce on 13.5.0 as you described above.


Comment by Lawrence Yarham [ 17/May/18 ]

Fixed in latest master and backported to 6.0.x, 5.5.x, 14.1.x and 13.5.x.  

Comment by Ľubomír Mlích [ 15/Jun/18 ]

Reproduced in OpenAM 13.5.0 Build 550cfe7d60 (2016-July-13 08:43)
Verified fix in ForgeRock Access Management Build 3a1761ce2e (2018-June-12 22:40)

Generated at Wed Sep 30 02:16:12 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.