Policy Expired Hook, empty policy time gap

[WindzCUHK]

athenz-authorizer/policy/daemon.go

Lines 173 to 176 in b56348e

	SetExpiredHook(func(ctx context.Context, key string) {
	//key = <domain>:role.<role>
	p.fetchAndCachePolicy(ctx, p.rolePolicies, strings.Split(key, ":role.")[0])
	})

issue

1. ExpiredHook is called after the policy is deleted from the cache, checking policy before fetch success will be same as checking empty policy.
2. There is no retry or error handling inside the hook.
3. If we need to rely on the periodical Update() call to keep the policy valid anyway, we don't need this logic here.

[WindzCUHK]

currently, the policy will keep on updating, the expire hook will not run at all.

[kevindiu]

policy cache should not depends about the expired hook, it should depends on the refresh mechanism.
expired hook is just for safety.

[WindzCUHK]

we should not assume policy will not expire...
no solutions yet, just keep this open

[kevindiu]

I did not assume policy will not expire.... policy expiration is depends on Athenz server, we need to set it correctly anyway. I think user need to pay attention on policy refresh duration otherwise the policy cache maybe insecure enough for their use.

[WindzCUHK]

We even the expire hook runs, this will be a problem.
The user can only set the refresh duration, so that the expire hook never runs. But that also depends on Athenz server connectivity.

[kevindiu]

So it will keep retrying to refresh policy anyway.
Actually I want to get rid of expire hook and it makes no sense for me.

[WindzCUHK]

continue in: AthenZ/athenz-authorizer#3