Hi,
As we work on the Sudo integration with Pavel, I'm thinking about how
we should handle our cache.
On one hand, I think our cache should be complete and possibly up to date
to allow seamless offline operation. In the first prototype we have now,
we just download the whole tree during every request. That's not going
to scale, obviously. There can be many rules and downloading them all can
get expensive.
I think we can use the following mechanism:
1) the backend would schedule a periodic task to download all rules,
much like the current enumeration task. There may be an option to
fine-tune how often the task should start.
2) when a request comes, we would update the cache that affects the
user only(*). We keep an in-memory timeout per user so that subsequent
requests from the same user are handled fast.
Does that sound OK?
* even native sudo only searches for
"(|(sudoUser=ALL)(sudoUser=username)(sudoUser=%group1)(sudoUser=%group2))"
so we can limit the online update the same way
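
Added example, not part of the original mail and not SSSD code: a C sketch of the per-user update in step 2, building the footnote's filter with RFC 4515 escaping of the user and group names and checking the per-user timeout. The function names and the "last == 0 means never refreshed" convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: append src to out. With escape set, apply RFC 4515
 * escaping so '*', '(', ')' or '\' in a name cannot alter the filter. */
static int append(char *out, size_t len, size_t *pos, const char *src, int escape)
{
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        int special = escape && (c == '*' || c == '(' || c == ')' || c == '\\');
        size_t need = special ? 3 : 1;
        if (*pos + need >= len) return -1;          /* keep room for the NUL */
        if (special) snprintf(out + *pos, 4, "\\%02x", (unsigned)c);
        else out[*pos] = (char)c;
        *pos += need;
    }
    out[*pos] = '\0';
    return 0;
}

/* Build the per-user filter from the mail; returns 0, or -1 if out is too small. */
int build_sudo_filter(const char *user, const char *const *groups, size_t ngroups,
                      char *out, size_t len)
{
    size_t pos = 0;
    if (append(out, len, &pos, "(|(sudoUser=ALL)(sudoUser=", 0) ||
        append(out, len, &pos, user, 1) || append(out, len, &pos, ")", 0))
        return -1;
    for (size_t i = 0; i < ngroups; i++)
        if (append(out, len, &pos, "(sudoUser=%", 0) ||
            append(out, len, &pos, groups[i], 1) || append(out, len, &pos, ")", 0))
            return -1;
    return append(out, len, &pos, ")", 0);
}

/* Per-user timeout: go online only if never refreshed (last == 0) or stale. */
int user_needs_refresh(time_t last, time_t now, time_t timeout)
{
    return last == 0 || now - last >= timeout;
}

int main(void)
{
    const char *const groups[] = { "group1", "group2" };  /* constructed sample */
    char filter[256];
    return build_sudo_filter("username", groups, 2, filter, sizeof(filter)) || puts(filter) < 0;
}
```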