-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 15 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.c | 16 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 1 |
7 files changed, 38 insertions, 1 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 5114a178..21a4d16c 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -97,6 +97,7 @@ option_strings = {
     'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
     'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
     'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
+    'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 75222250..b1ca5027 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -102,6 +102,7 @@ krb5_renew_interval = int, None, false
 krb5_use_fast = str, None, false
 
 [provider/ipa/access]
+ipa_hbac_refresh = int, None, false
 
 [provider/ipa/chpass]
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4604c55e..f728e9cc 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -175,6 +175,21 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>ipa_hbac_refresh (integer)</term>
+                    <listitem>
+                        <para>
+                            The amount of time between lookups of the HBAC
+                            rules against the IPA server. This will reduce the
+                            latency and load on the IPA server if there are
+                            many access-control requests made in a short
+                            period.
+                        </para>
+                        <para>
+                            Default: 5 (seconds)
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </para>
 
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 18cf3104..2a6588eb 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req)
     ipa_access_ctx = talloc_get_type(
                              be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
                              struct ipa_access_ctx);
+    hbac_ctx->access_ctx = ipa_access_ctx;
     hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
     hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
     hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
@@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx)
     struct tevent_req *subreq;
     int ret;
     bool offline;
+    time_t now, refresh_interval;
+    struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx;
 
     offline = be_is_offline(hbac_ctx->be_req->be_ctx);
     DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online"));
 
+    refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options,
+                                      IPA_HBAC_REFRESH);
+
+    now = time(NULL);
+    if (now < access_ctx->last_update + refresh_interval) {
+        /* Simulate offline mode and just go to the cache */
+        DEBUG(6, ("Performing cached HBAC evaluation\n"));
+        offline = true;
+    }
+
     if (!offline) {
         if (hbac_ctx->sdap_op == NULL) {
             hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx,
@@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req)
      */
     hbac_clear_rule_data(hbac_ctx);
 
+
+    access_ctx->last_update = time(NULL);
+
     /* Now evaluate the request against the rules */
     ipa_hbac_evaluate_rules(hbac_ctx);
 
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index da43fea2..2a6bdad5 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -43,10 +43,12 @@ struct ipa_access_ctx {
     struct sdap_id_ctx *sdap_ctx;
     struct dp_option *ipa_options;
     struct time_rules_ctx *tr_ctx;
+    time_t last_update;
 };
 
 struct hbac_ctx {
     struct sdap_id_ctx *sdap_ctx;
+    struct ipa_access_ctx *access_ctx;
     struct sdap_id_op *sdap_op;
     struct dp_option *ipa_options;
     struct time_rules_ctx *tr_ctx;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 9972c341..0995e0f1 100644
--- a/src/providers/ipa/ipa_common.c
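Review bot: The cache window in hbac_retry is measured with wall-clock `time(NULL)`, so a backwards clock step (NTP correction, manual change, VM snapshot restore) that sets `now` below `access_ctx->last_update` keeps `now < access_ctx->last_update + refresh_interval` true for the whole size of the step, not just for the configured refresh period, and during that time HBAC rule changes on the server (including rules removed to withdraw access) are never fetched; a forward step merely skips the cache, which is harmless. A monotonic source such as `clock_gettime(CLOCK_MONOTONIC, &ts)` avoids this, or at minimum the guard should treat a timestamp from the future as stale: `if (now >= access_ctx->last_update && now < access_ctx->last_update + refresh_interval) {`. The hunk also relies on `access_ctx->last_update` starting at 0 so that the first request goes to the server; the allocation of `struct ipa_access_ctx` is not in this diff, so it is worth confirming it is zero-initialised. hbac_retry continues outside the hunk.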
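Review bot: In the hbac_sysdb_save hunk `access_ctx` is written but not declared, and the commit adds no declaration in that function, so it presumably already holds a pointer obtained before the hunk begins; that should be the same `struct ipa_access_ctx` instance that hbac_retry reads via `hbac_ctx->access_ctx`, otherwise the timestamp is never observed and every request goes to the server despite the new option. The placement is a deliberate and security-relevant choice that deserves a comment: the stamp is taken only after a successful fetch and save, so a failed or offline refresh leaves the old value and the next request retries the server instead of trusting stale rules. Suggested comment above the assignment: `/* Stamp only after a successful refresh; a failed fetch keeps the old value so the next request retries the server */`. hbac_sysdb_save begins outside the hunk.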
+++ b/src/providers/ipa/ipa_common.c
@@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
-    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}
+    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+    { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
 };
 
 struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 8f0f35a8..1c1f7221 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -50,6 +50,7 @@ enum ipa_basic_opt {
     IPA_DYNDNS_IFACE,
     IPA_HBAC_SEARCH_BASE,
     IPA_KRB5_REALM,
+    IPA_HBAC_REFRESH,
 
     IPA_OPTS_BASIC /* opts counter */
 };