Logic of a provisioning break
All provisioning break logic lives in the processor ProvisioningBreakProcessor. This processor checks whether the system is blocked, evaluates the configured limits, etc. (see below). This processor can't be disabled!
Processor steps
- check whether the system is blocked. If the system is already blocked, skip provisioning - the operation is added to the queue with the BLOCKED status,
- get the specific provisioning break configuration for the system,
- if no specific configuration exists, get the global configuration,
- if no configuration is found at all, continue with the provisioning operation as usual,
- if a configuration exists, check that it isn't inactive,
- after checking the Inactive attribute, initialize the actual counter and remove older records from the cache,
- check whether the actual counter equals the warning limit. If it does, send the notification,
- check whether the disable limit is exceeded. If it is, block the system and send the notification,
- finally, add a new item to the cache and continue.
After the disable limit is exceeded, the actual operation is put into the provisioning queue with the BLOCKED status. Subsequent operations for the system are added directly to the queue with the BLOCKED status.
Cache and operation counter
The operation counter is obtained from a special cache used only for provisioning operations; this cache isn't used by any other logic. The cache is held in memory, so it is cleared after the CzechIdM backend is restarted.
Older records are removed before the actual count and the limits are checked. A new timestamp is added to the cache after every successful provisioning operation. The cache is divided per system and per provisioning operation type.
System blocked operations
When the disable limit of the provisioning break configuration is exceeded, the system is marked by setting one of the boolean flags createOperation, updateOperation or deleteOperation to true. When a flag is set, the corresponding operation (create, update or delete) is blocked. These attributes are added to the system by the class SysBlockedOperation, which is an embeddable part of the system.