Thursday, July 19, 2012

How Siteminder cache works



Caches implemented by the Policy Server
Object Store Cache
Purpose: Stores contents of the Policy Store in memory in order to reduce round trip calls to LDAP and ODBC policy stores.
Policy Cache
Purpose: Stores the list of policy links applicable to a given resource and action. Prevents the scanning of all rules within a given realm in order to determine which policies protect a particular resource.
Agent Name Cache
Purpose: Stores an easily searchable table of Agent OIDs. During IsProtected it is necessary to determine the Agent OID from the Agent Name. The Agent Name Cache prevents enumerating all agents to find the one with a matching name.
Agent Group Cache
Purpose: Stores easily searchable lists of Agent OIDs. During IsProtected it is necessary to find all Agents that might protect the resource, i.e. if the given agent belongs to an Agent Group, all agents (and agent groups) of that group might protect the given resource. The Agent Group Cache prevents recursive scanning of all agents to find the applicable ones.
Realm Cache
Purpose: Stores Realms for best resource matching. During IsProtected it is necessary to find the best matching Realm for the given Agents and resource. The Realm Cache prevents scanning all Realms to find the best lexical match.
Server Command Cache
Purpose: Stores Server Commands for a configurable amount of time (default 10 seconds) before actually storing them in the Policy Store. When changes are made to the Policy Store, duplicate commands may be created. Also, “Flush” commands of broader scope overwrite more specific Flush commands. For example, if a user initiates a “Flush All” command, all other “flush” commands become irrelevant. This is done to decrease the overall number of Server Commands.
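The hold-and-coalesce behaviour described for the Server Command Cache, written out as an added illustrative model (not SiteMinder's own code); the command kinds, the FlushAll/FlushRealm/FlushUser names and the injectable clock are assumptions made for the example.

```python
"""Simplified model of a Server Command Cache: commands are held for a
configurable time (default 10 s), duplicates are dropped, and a broader
Flush supersedes narrower Flush commands already waiting."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class ServerCommand:
    kind: str        # hypothetical kinds: "FlushAll", "FlushRealm", "FlushUser", ...
    target: str = ""  # scope detail (realm name, user id); empty for FlushAll


class ServerCommandCache:
    def __init__(self, hold_seconds: float = 10.0, clock=time.monotonic):
        self.hold = hold_seconds
        self.clock = clock            # injectable so the behaviour can be tested offline
        self._pending = []            # list of (arrival_time, ServerCommand)

    def add(self, cmd: ServerCommand) -> None:
        if cmd.kind == "FlushAll":
            # A Flush of broadest scope makes every queued Flush irrelevant;
            # non-flush commands are left untouched.
            self._pending = [e for e in self._pending
                             if not e[1].kind.startswith("Flush")]
        elif cmd.kind.startswith("Flush") and any(
                c.kind == "FlushAll" for _, c in self._pending):
            return                    # already covered by a pending FlushAll
        if any(c == cmd for _, c in self._pending):
            return                    # exact duplicate of a queued command
        self._pending.append((self.clock(), cmd))

    def pending_commands(self) -> list:
        return [c for _, c in self._pending]

    def drain(self) -> list:
        """Return commands whose hold time has elapsed; these are the ones that
        would now be written to the Policy Store."""
        now = self.clock()
        ready = [c for t, c in self._pending if now - t >= self.hold]
        self._pending = [(t, c) for t, c in self._pending if now - t < self.hold]
        return ready


if __name__ == "__main__":
    cache = ServerCommandCache()
    cache.add(ServerCommand("FlushRealm", "realm-A"))
    cache.add(ServerCommand("FlushAll"))
    print(cache.pending_commands())   # only the FlushAll survives
```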
User Authorization Cache
Purpose: Stores information about policies applied to a given user. When a policy is bound to a user directory object such as a group it is necessary to determine whether a particular user belongs to the group i.e. it is necessary to search the directory to get the user’s membership list. The User Authorization Cache prevents this round trip to the directory. Note that if a policy is bound to a user name (or DN, OU, and O), the Authorization Cache is ineffective because in this case there is no need to search the directory in the first place.
Authentication Cache
Purpose: Stores full response packets for a successful user authentication. Prevents a round trip to the LDAP or ODBC user store in order to authenticate a particular user. There are a number of limitations with this cache
Certificate Revocation List (CRL) cache
Purpose: Stores CRLs. Eliminates search of the CRL Directory during certificate-based authentication.
Type: Unbounded linked list of objects. During a successful lookup the “NextUpdate” field of the CRL is checked. If the current time is later than the value of that field, the entry is removed.
