Configuration
Up to version 7.3 patch 2022-11
The default cache configuration is specified in the pdp-ehcache.xml file. It can be overridden by pointing the PDP at a different cache configuration file (the cacheConfiguration property described below). The default cache configuration in pdp-ehcache.xml is shown next. It describes a cache in which policies are neither persisted to disk nor overflow to disk, and in which cached policies never expire: in Ehcache a timeToIdleSeconds and timeToLiveSeconds of 0 mean "no expiry", so eternal="false" has no practical effect here. The same configuration is used for both role and permission policies:
```xml
<!-- defaultCache element of pdp-ehcache.xml: up to 10000 policies in heap,
     evicted LRU once full; TTL/TTI of 0 means entries never expire;
     the disk-related attributes are inert while overflowToDisk and
     diskPersistent are both false. -->
<defaultCache
    maxEntriesLocalHeap="10000"
    eternal="false"
    timeToIdleSeconds="0"
    timeToLiveSeconds="0"
    overflowToDisk="false"
    maxElementsOnDisk="20000"
    diskPersistent="false"
    diskExpiryThreadIntervalSeconds="120"
    memoryStoreEvictionPolicy="LRU"
/>
```
In addition to tuning how policies are cached through a cache configuration file, a common caching strategy can be selected in the PDP configuration file (policyCachingStrategy). Three options are supported:
- InMemory: XACML policies are kept in memory and not written to disk
- OverflowToDisk: XACML policies are kept in memory, but will overflow to disk if the cache is full
- PersistToDisk: XACML policies are persisted to disk
The PDP can be deployed and started in the ESB container with the tesb:start-authz-pdp console command.
The PDP can be configured in container/etc/org.talend.esb.authorization.pdp.cfg:
Properties | Description |
---|---|
registryAtomUrl | The URL of the XACML Policy Registry to retrieve policies from. The default is https://localhost:9001/services/XacmlRegistryAtom. Every authorization decision depends on the policies fetched from this endpoint, so keep it on https when the registry is not local. |
policyCachingStrategy | The PolicyCachingStrategy of the PDP. The default is InMemory. |
cacheConfiguration | The cache configuration file. The default is pdp-ehcache.xml. |
loadPermissionPoliciesOnInit | Whether to load permission policies on startup or not. The default is false, meaning that they are retrieved (and subsequently cached) when required. |
policyReloadInterval | How often to reload policies (in minutes). The default is 10. If set to 0, policies are retrieved once and never reloaded, so changes made in the registry afterwards (including removed permissions) only take effect after the PDP is restarted. |
usePIP | Whether to use a PIP or not to retrieve attributes that are missing in the request. The default is false. |
From version 7.3 patch 2023-01
The cache is no longer configured through a separate Ehcache file; its settings live in the PDP configuration file. Two caching strategies are supported (OverflowToDisk is not offered in this version):
- InMemory: XACML policies are kept in memory
- PersistToDisk: XACML policies are persisted to disk in a temporary file
The PDP and cache can be configured in container/etc/org.talend.esb.authorization.pdp.cfg:
Properties | Description |
---|---|
registryAtomUrl | The URL of the XACML Policy Registry to retrieve policies from. The default is https://localhost:9001/services/XacmlRegistryAtom. |
policyCachingStrategy | The PolicyCachingStrategy of the PDP. The default is InMemory. |
timeToLiveSeconds | The time in seconds after which a cached policy expires and is fetched again from the registry. |
entriesNumber | The maximum number of entries in the cache. |
diskSizeMb | When policyCachingStrategy=PersistToDisk, the maximum size of the on-disk cache in MB. |
loadPermissionPoliciesOnInit | Whether to load permission policies on startup or not. The default is false, meaning that they are retrieved (and subsequently cached) when required. |
policyReloadInterval | How often to reload policies (in minutes). The default is 10. If set to 0, policies are retrieved once and never reloaded, so changes made in the registry afterwards (including removed permissions) only take effect after the PDP is restarted. |
usePIP | Whether to use a PIP or not to retrieve attributes that are missing in the request. The default is false. |
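The checker below is an added example written for this page; it is not part of Talend ESB or of the PDP's own code. It reads a .cfg file in the key=value format used above and flags the settings from the two property tables that matter most in a deployment: a registryAtomUrl that is not https, policyReloadInterval=0, a policyCachingStrategy that the selected patch level does not offer, and property names that do not match the table (a misspelled key raises no error, the documented default simply applies). The two sample files, the registry host name and the version labels "2022-11" and "2023-01" are constructed for the example and are not taken from a real installation.

```python
"""Added example (not Talend's code): lint the documented properties of
container/etc/org.talend.esb.authorization.pdp.cfg for both property sets."""
import re
from urllib.parse import urlparse

# Property names exactly as documented; the version labels are this example's own.
COMMON_KEYS = {
    "registryAtomUrl", "policyCachingStrategy", "loadPermissionPoliciesOnInit",
    "policyReloadInterval", "usePIP",
}
KEYS_BY_VERSION = {
    "2022-11": COMMON_KEYS | {"cacheConfiguration"},
    "2023-01": COMMON_KEYS | {"timeToLiveSeconds", "entriesNumber", "diskSizeMb"},
}
STRATEGIES_BY_VERSION = {
    "2022-11": {"InMemory", "OverflowToDisk", "PersistToDisk"},
    "2023-01": {"InMemory", "PersistToDisk"},
}
DEFAULT_REGISTRY_URL = "https://localhost:9001/services/XacmlRegistryAtom"

# key, optional '=' or ':' separator, value (java.util.Properties style)
_PROP = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal reader for a .cfg file: '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_pdp_config(text: str, version: str) -> list:
    """Return findings for the .cfg contents under the given patch level."""
    props = parse_properties(text)
    findings = []

    # A misspelled key is not an error: the documented default silently applies.
    for key in sorted(props):
        if key not in KEYS_BY_VERSION[version]:
            findings.append(f"unknown property '{key}' (ignored; default applies)")

    # Policies are the authorization rules themselves; fetched over plain
    # HTTP they can be replaced by anyone on the path to the registry.
    url = props.get("registryAtomUrl", DEFAULT_REGISTRY_URL)
    if urlparse(url).scheme.lower() != "https":
        findings.append(f"registryAtomUrl '{url}' is not https")

    strategy = props.get("policyCachingStrategy", "InMemory")
    if strategy not in STRATEGIES_BY_VERSION[version]:
        findings.append(f"policyCachingStrategy '{strategy}' not offered in {version}")

    # 0 means fetch once: a permission removed in the registry stays in
    # force on this PDP until it is restarted.
    interval = props.get("policyReloadInterval", "10")
    if not interval.isdigit():
        findings.append(f"policyReloadInterval '{interval}' is not a whole number")
    elif int(interval) == 0:
        findings.append("policyReloadInterval=0: policies are never reloaded")

    if version == "2023-01":
        for key in ("timeToLiveSeconds", "entriesNumber", "diskSizeMb"):
            value = props.get(key)
            if value is not None and not value.isdigit():
                findings.append(f"{key} '{value}' is not a whole number")
        if strategy == "PersistToDisk" and "diskSizeMb" not in props:
            findings.append("PersistToDisk without diskSizeMb (no documented default)")
    return findings


# Constructed sample files for this example, not from a real deployment.
WEAK_CFG = """\
# plain http registry, policies never reloaded, one key misspelled
registryAtomUrl=http://registry.example.internal:9001/services/XacmlRegistryAtom
policyCachingStrategy=OverflowToDisk
policyReloadInterval=0
loadPermissionPolicesOnInit=true
"""

HARDENED_CFG = """\
registryAtomUrl=https://registry.example.internal:9001/services/XacmlRegistryAtom
policyCachingStrategy=PersistToDisk
timeToLiveSeconds=600
entriesNumber=10000
diskSizeMb=50
loadPermissionPoliciesOnInit=true
policyReloadInterval=5
usePIP=false
"""

if __name__ == "__main__":
    print("weak/2022-11:", check_pdp_config(WEAK_CFG, "2022-11"))
    print("weak/2023-01:", check_pdp_config(WEAK_CFG, "2023-01"))
    print("hardened/2023-01:", check_pdp_config(HARDENED_CFG, "2023-01") or "ok")
```

Run it against a copy of the container's .cfg with the patch level your installation has; the weak sample yields three findings under the 2022-11 property set and four under 2023-01 (OverflowToDisk is additionally rejected), while the hardened sample yields none.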