Ouch. So do you reckon there is possible method to determine whether a
cache entry is affected by a specific rule?
Could we say that my method works as long as priority doesn't change? Or
are there other concerns apart from priority?
And in case the priority changes, could we perhaps repeat the process by
any rules affected by the priority change? For example
we change a priority from x to y, we repeat the process for all rules
from position x to y.
Regards
Niels
On 06-06-17 14:01, Emanuele Tajariol wrote:
Hi Niels,
Would a RuleFilter.match(Rule) not be able to track this down? The cache
is indexed on rule filters... All rule filters that match the given rule
must then be invalidated...
Still not sure about this :)
Let's say we change the priority of a Rule; the outcome of an authorization
request will change not only according to the Rule we updated, but also
according to the new Rules that will be selected according to the new
prioritization.
Cheers,
Emanuele
Alle 12:42:20 di Tuesday 6 June 2017, Niels Charlier ha scritto:
Hello Emanuele,
Thanks for your email.
You say "a change in a single Rule may reflect in changes in many items
in the cache, that are quite difficult to track down."
Would a RuleFilter.match(Rule) not be able to track this down? The cache
is indexed on rule filters... All rule filters that match the given rule
must then be invalidated...
Regards
Niels
On 06-06-17 12:37, Emanuele Tajariol wrote:
Hi Niels,
the access info that GeoServer receives from GeoFence may come from more
than one Rule.
The Rule engine looks for all matching rules: constraints contained in
Rules of LIMIT type will be merged so to restrict the constraints found
in the ALLOW rule.
Furthermore, if a user belongs to more than one role, the constraints
will be merged so that the user will be granted all the privileges he
should have according to each role.
All this means that a change in a single Rule may reflect in changes in
many items in the cache, that are quite difficult to track down.
Also, note that the cache is used in both the embedded and the standalone
geofence setup; any changes at that level should take care of not
breaking any of the two setup.
Another point to consider is about making sure this change will also work
in a clustered environment.
Cheers,
Emanuele
Alle 13:46:54 di Friday 2 June 2017, Niels Charlier ha scritto:
Hello Nuno,
Another change I have been asked to make in geofence, is that rules in
the cache would automatically invalidated when they are changed. I have
looked at the code, and I have an idea how to do it, and was wondering
if you agree with the approach:
1. write a RuleFilter.matches(Rule rule) method (I think currently rule
filters are only used to translate into queries, and there is no way to
match a filter with a single rule)
2. write a CachedRuleReader.invalidate(Rule rule) which loops through
the whole cache, and invalidates all rule filters that match the rule.
3. write a CachedRuleAdminServiceImpl, that delegates to the normal
RuleAdminServiceImpl but calls the above invalidate upon change of an
existing rule.
Kind Regards
Niels
------------------------------------------------------------------------
--- --- Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
