diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-06-06 15:05:16 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-08 15:12:24 -0400 |
commit | 1360b4f4d6e948023daeda8787f575e7f8117444 (patch) | |
tree | 98186bb69450a40d123dea13ee57922b9bb8fd06 /src/providers | |
parent | 32a5516cc2822cf6ad9950278e3c9701a9389bb4 (diff) | |
download | sssd-1360b4f4d6e948023daeda8787f575e7f8117444.tar.gz sssd-1360b4f4d6e948023daeda8787f575e7f8117444.tar.bz2 sssd-1360b4f4d6e948023daeda8787f575e7f8117444.zip |
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ipa/ipa_access.c | 16 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 1 |
4 files changed, 21 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 18cf3104..2a6588eb 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req) ipa_access_ctx = talloc_get_type( be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct ipa_access_ctx); + hbac_ctx->access_ctx = ipa_access_ctx; hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx; hbac_ctx->ipa_options = ipa_access_ctx->ipa_options; hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx; @@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx) struct tevent_req *subreq; int ret; bool offline; + time_t now, refresh_interval; + struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx; offline = be_is_offline(hbac_ctx->be_req->be_ctx); DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online")); + refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options, + IPA_HBAC_REFRESH); + + now = time(NULL); + if (now < access_ctx->last_update + refresh_interval) { + /* Simulate offline mode and just go to the cache */ + DEBUG(6, ("Performing cached HBAC evaluation\n")); + offline = true; + } + if (!offline) { if (hbac_ctx->sdap_op == NULL) { hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx, @@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req) */ hbac_clear_rule_data(hbac_ctx); + + access_ctx->last_update = time(NULL); + /* Now evaluate the request against the rules */ ipa_hbac_evaluate_rules(hbac_ctx); diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h index da43fea2..2a6bdad5 100644 --- a/src/providers/ipa/ipa_access.h +++ b/src/providers/ipa/ipa_access.h @@ -43,10 +43,12 @@ struct ipa_access_ctx { struct sdap_id_ctx *sdap_ctx; struct dp_option *ipa_options; struct time_rules_ctx *tr_ctx; + time_t last_update; }; struct hbac_ctx { struct sdap_id_ctx *sdap_ctx; + struct ipa_access_ctx *access_ctx; struct sdap_id_op *sdap_op; struct dp_option *ipa_options; struct time_rules_ctx *tr_ctx; diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 9972c341..0995e0f1 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = { { "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}, - { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING} + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER } }; struct dp_option ipa_def_ldap_opts[] = { diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 8f0f35a8..1c1f7221 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -50,6 +50,7 @@ enum ipa_basic_opt { IPA_DYNDNS_IFACE, IPA_HBAC_SEARCH_BASE, IPA_KRB5_REALM, + IPA_HBAC_REFRESH, IPA_OPTS_BASIC /* opts counter */ }; |