author | molotkov-and <[email protected]> | 2023-10-17 19:34:32 +0300 |
committer | molotkov-and <[email protected]> | 2023-10-17 20:39:36 +0300 |
commit | 0e045668d7d08525a7b5e26c0fd3b3b01c279b00 (patch) | |
tree | 27b84cecc74dbc258f91f1f39aa14230865dd8b1 | |
parent | 68aad25a66091da7133f67052c5757e132418923 (diff) |
KIKIMR-19720: Add separate expire time variable for Access Service Signature tickets
-rw-r--r-- | ydb/core/protos/auth.proto | 1 | ||||
-rw-r--r-- | ydb/core/security/ticket_parser_impl.h | 40 |
2 files changed, 27 insertions, 14 deletions
diff --git a/ydb/core/protos/auth.proto b/ydb/core/protos/auth.proto
index ce5e1629529..89bb2df9387 100644
--- a/ydb/core/protos/auth.proto
+++ b/ydb/core/protos/auth.proto
@@ -47,6 +47,7 @@ message TAuthConfig {
 optional TLdapAuthentication LdapAuthentication = 74;
 optional string LdapAuthenticationDomain = 75 [default = "ldap"];
 optional bool UseAccessServiceApiKey = 76 [default = false]; // Use IAM ApiKey
+ optional string AsSignatureExpireTime = 77 [default = "1m"];
 }
 
 message TUserRegistryConfig {
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index fc619e1bd3a..adb157f6ae8 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -213,6 +213,25 @@ protected:
 }
 };
 
+protected:
+ using IActorOps::Register;
+ using IActorOps::Send;
+ using IActorOps::Schedule;
+
+ NKikimrProto::TAuthConfig Config;
+ TDuration ExpireTime = TDuration::Hours(24); // after what time ticket will expired and removed from cache
+
+ template <typename TTokenRecord>
+ TInstant GetExpireTime(const TTokenRecord& record, TInstant now) const {
+ if ((record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::ApiKey) && record.Signature.AccessKeyId) {
+ return GetAsSignatureExpireTime(now);
+ }
+ if (record.TokenType == TDerived::ETokenType::Login) {
+ return record.ExpireTime;
+ }
+ return now + ExpireTime;
+ }
+
 private:
 TString DomainName;
 ::NMonitoring::TDynamicCounters::TCounterPtr CounterTicketsReceived;
@@ -232,6 +251,7 @@ private:
 TDuration MinErrorRefreshTime = TDuration::Seconds(1); // between this and next time we will try to refresh retryable error
 TDuration MaxErrorRefreshTime = TDuration::Minutes(1);
 TDuration LifeTime = TDuration::Hours(1); // for how long ticket will remain in the cache after last access
+ TDuration AsSignatureExpireTime = TDuration::Minutes(1);
 TActorId AccessServiceValidator;
 TActorId UserAccountService;
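Review bot: The Login branch of the new GetExpireTime (hunk @@ -213) returns record.ExpireTime with no fallback, which silently drops the `if (!record.ExpireTime)` default that the old success path applied (hunk @@ -1147); in the @@ -1123 path the value is assigned right after InitTime, so a Login record whose ExpireTime is still default-constructed would now be stored with a zero expiry instead of now + ExpireTime. Whether a zero TInstant is treated as "already expired" or "never evicted" by the cache depends on the comparison in the eviction code, which is outside these hunks, so this is a behaviour to confirm rather than a certain bug — but either outcome is a change the commit message does not mention. Suggest `if (record.TokenType == TDerived::ETokenType::Login && record.ExpireTime) { return record.ExpireTime; }` so the 24h default still applies when no explicit expiry was recorded, and a comment on the signature branch such as `// AS signatures are re-validated after AsSignatureExpireTime rather than cached for ExpireTime` so the shorter window reads as intentional. The moved comment on ExpireTime would also read better as `// after this long the ticket expires and is removed from the cache`. The enclosing class starts and ends outside the hunk.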
@@ -280,8 +300,8 @@ private:
 return key.Str();
 }
 
- TInstant GetExpireTime(TInstant now) const {
- return now + ExpireTime;
+ TInstant GetAsSignatureExpireTime(TInstant now) const {
+ return now + AsSignatureExpireTime;
 }
 
 TInstant GetRefreshTime(TInstant now) const {
@@ -1015,13 +1035,6 @@ private:
 }
 
 protected:
- using IActorOps::Register;
- using IActorOps::Send;
- using IActorOps::Schedule;
-
- NKikimrProto::TAuthConfig Config;
- TDuration ExpireTime = TDuration::Hours(24); // after what time ticket will expired and removed from cache
-
 auto ParseTokenType(const TStringBuf tokenType) const {
 if (tokenType == "Login") {
 if (UseLoginProvider) {
@@ -1123,7 +1136,7 @@ protected:
 TInstant now = TlsActivationContext->Now();
 record.InitTime = now;
 record.AccessTime = now;
- record.ExpireTime = GetExpireTime(now);
+ record.ExpireTime = GetExpireTime(record, now);
 record.RefreshTime = GetRefreshTime(now);
 
 if (record.Error) {
@@ -1147,9 +1160,7 @@ protected:
 if (!token->GetUserSID().empty()) {
 record.Subject = token->GetUserSID();
 }
- if (!record.ExpireTime) {
- record.ExpireTime = GetExpireTime(now);
- }
+ record.ExpireTime = GetExpireTime(record, now);
 if (record.NeedsRefresh()) {
 record.SetOkRefreshTime(this, now);
 } else {
@@ -1168,7 +1179,7 @@ protected:
 record.Error = error;
 TInstant now = TlsActivationContext->Now();
 if (record.Error.Retryable) {
- record.ExpireTime = GetExpireTime(now);
+ record.ExpireTime = GetExpireTime(record, now);
 record.SetErrorRefreshTime(this, now);
 CounterTicketsErrorsRetryable->Inc();
 BLOG_D("Ticket " << MaskTicket(record.Ticket) << " ("
@@ -1480,6 +1491,7 @@ protected:
 MaxErrorRefreshTime = TDuration::Parse(Config.GetMaxErrorRefreshTime());
 LifeTime = TDuration::Parse(Config.GetLifeTime());
 ExpireTime = TDuration::Parse(Config.GetExpireTime());
+ AsSignatureExpireTime = TDuration::Parse(Config.GetAsSignatureExpireTime());
 }
 
 void PassAway() override {