yahoojapan / athenz-authorizer

athenz policy management library for golang. Moved to https://github.com/AthenZ/athenz-authorizer
Apache License 2.0

Policy cache will never expire after the init() success #51

Closed kevindiu closed 1 year ago

kevindiu commented 5 years ago

The policy will always be kept in the cache even if it is expired.

https://github.com/yahoojapan/athenz-authorizer/blob/d1efce031f2e33c8f135e563d765fd28595682d1/policy/fetcher.go#L171 https://github.com/yahoojapan/athenz-authorizer/blob/master/policy/daemon.go#L343

Gache expires <= 0 means never expire... https://github.com/kpango/gache/blob/master/gache.go#L125

WindzCUHK commented 5 years ago

Problem

When the authorizer cannot get the latest policy from ZTS before the cached policy expires (304 or other error code), the expired policy will still be used.

Some suggestions

  1. for availability: do not fix
  2. for security: discard the expired policy (i.e. authorize with an empty policy)
  3. add a config/option so the user can choose the behavior
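Added example, not code from athenz-authorizer or gache: a small policy cache wrapper that makes options 2 and 3 above concrete. `PolicyCache`, `ExpiryMode`, `Put`, `Get`, `Allowed`, the domain name `"sample"` and the `"role:action:resource"` assertion strings are all constructed for this illustration and do not exist in the project. The `ttl <= 0` guard mirrors the gache behaviour linked in the issue (a non-positive expiry meaning "never expire") and rejects it instead of silently pinning a policy forever; `DiscardStale` is the fail-closed choice (expired entry dropped, empty policy returned), `KeepStale` the availability choice.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ExpiryMode selects what the authorizer does with a cached policy whose
// TTL has elapsed and no fresh copy could be fetched from ZTS.
type ExpiryMode int

const (
	// KeepStale keeps serving the expired policy (availability over security).
	KeepStale ExpiryMode = iota
	// DiscardStale drops the expired policy so authorization falls back to an
	// empty policy set, i.e. every check is denied (fail closed).
	DiscardStale
)

// Policy is a stand-in for an Athenz policy set; assertions are stored as
// "role:action:resource" strings (constructed for this example).
type Policy struct {
	Assertions map[string]bool
}

type entry struct {
	policy  Policy
	expires time.Time // absolute expiry, always set by Put
}

// PolicyCache caches one policy per domain with an explicit absolute expiry.
type PolicyCache struct {
	mu    sync.RWMutex
	mode  ExpiryMode
	now   func() time.Time // injectable clock so expiry can be tested offline
	items map[string]entry
}

func NewPolicyCache(mode ExpiryMode, now func() time.Time) *PolicyCache {
	if now == nil {
		now = time.Now
	}
	return &PolicyCache{mode: mode, now: now, items: make(map[string]entry)}
}

// ErrNonPositiveTTL is returned for a TTL of zero or less. In the cache
// library discussed in the issue such a value means "never expire", so the
// wrapper refuses it rather than pinning the policy indefinitely.
var ErrNonPositiveTTL = errors.New("policy TTL must be positive")

// Put stores a policy with a relative TTL derived from the ZTS response.
func (c *PolicyCache) Put(domain string, p Policy, ttl time.Duration) error {
	if ttl <= 0 {
		return ErrNonPositiveTTL
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.items[domain] = entry{policy: p, expires: c.now().Add(ttl)}
	return nil
}

// Get returns the policy to authorize against and whether it is stale.
// In DiscardStale mode an expired entry is removed and an empty policy is
// returned, so Allowed() fails closed until a refresh succeeds.
func (c *PolicyCache) Get(domain string) (p Policy, stale bool) {
	c.mu.RLock()
	e, ok := c.items[domain]
	c.mu.RUnlock()
	if !ok {
		return Policy{Assertions: map[string]bool{}}, false
	}
	if !c.now().After(e.expires) {
		return e.policy, false
	}
	if c.mode == KeepStale {
		return e.policy, true
	}
	c.mu.Lock()
	delete(c.items, domain)
	c.mu.Unlock()
	return Policy{Assertions: map[string]bool{}}, true
}

// Allowed is a minimal exact-match authorization check over a policy.
func Allowed(p Policy, role, action, resource string) bool {
	return p.Assertions[role+":"+action+":"+resource]
}

func main() {
	clock := time.Unix(1000, 0)
	now := func() time.Time { return clock }
	pol := Policy{Assertions: map[string]bool{"admin:read:db": true}}

	for _, mode := range []ExpiryMode{KeepStale, DiscardStale} {
		clock = time.Unix(1000, 0)
		c := NewPolicyCache(mode, now)
		_ = c.Put("sample", pol, time.Minute)
		clock = clock.Add(2 * time.Minute) // no refresh arrived before the TTL ran out
		p, stale := c.Get("sample")
		fmt.Printf("mode=%d stale=%v allowed=%v\n", mode, stale, Allowed(p, "admin", "read", "db"))
	}
}
```

Running it prints one line per mode: with `KeepStale` the expired assertion still authorizes the request, with `DiscardStale` it is denied. The mode value is the config/option from suggestion 3; the refresh loop itself (fetching from ZTS) is out of scope here.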

WindzCUHK commented 1 year ago

continue in: https://github.com/AthenZ/athenz-authorizer/issues/4