authorxenoxeno <xeno@ydb.tech>2023-03-23 07:57:47 +0300
committerxenoxeno <xeno@ydb.tech>2023-03-23 07:57:47 +0300
commitb8ebf39c705743d95cf1337ec10c422924ddbef9 (patch)
treec36b58f0d20002f4e46126fd4f3595fc42486a75
parent52d4379d9d6947741425eb3f8f64bcf0c3a5431c (diff)
downloadydb-b8ebf39c705743d95cf1337ec10c422924ddbef9.tar.gz
disable token refresh for IAM signature authentications
-rw-r--r--ydb/core/security/ticket_parser_impl.h16
1 files changed, 9 insertions, 7 deletions
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index 12dd6e5776..bd3a5a709e 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -961,13 +961,13 @@ protected:
}
}
- bool IsOfflineToken() const {
+ bool NeedsRefresh() const {
switch (TokenType) {
case TDerived::ETokenType::Builtin:
case TDerived::ETokenType::Login:
- return true;
- default:
return false;
+ default:
+ return Signature.AccessKeyId.empty();
}
}
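Review bot: NeedsRefresh() encodes the new policy (a ticket carrying an IAM signature is never refreshed) with nothing saying so, and the same condition is spelled differently in the CanRefreshTicket hunk below: `Signature.AccessKeyId.empty()` here versus `!record.Signature.AccessKeyId` there. If AccessKeyId is a string type, both read as "no signature", but a reader has to check that the two spellings agree; pick one form for both sites. I would also put a one-line comment above the method, `// Signature-authenticated tickets (AccessKeyId set) are never refreshed and live until ExpireTime; Builtin/Login never refresh either.`, so the default branch's intent survives the next edit. The enclosing class continues outside the hunk.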
@@ -1071,10 +1071,10 @@ protected:
if (!record.ExpireTime) {
record.ExpireTime = GetExpireTime(now);
}
- if (record.IsOfflineToken()) {
- record.RefreshTime = record.ExpireTime;
- } else {
+ if (record.NeedsRefresh()) {
record.SetOkRefreshTime(this, now);
+ } else {
+ record.RefreshTime = record.ExpireTime;
}
CounterTicketsSuccess->Inc();
CounterTicketsBuildTime->Collect((now - record.InitTime).MilliSeconds());
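Review bot: The else branch now pins `record.RefreshTime = record.ExpireTime;` for every ticket that NeedsRefresh() rejects, which for signature-authenticated tickets means the cached decision is trusted until ExpireTime with no re-validation in between; a revoked or rotated access key therefore stays effective in this cache until the record expires. That may be the intended trade-off, but it is not stated anywhere in the hunk, and it makes GetExpireTime(now) the only bound on how long a stale signature decision lives. Worth a comment at the assignment, `// no refresh for signed tickets: the record is authoritative until ExpireTime`, and a check that the expiry used for these records is short enough for that. The enclosing function starts and ends outside the hunk.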
@@ -1168,7 +1168,9 @@ protected:
template <typename TTokenRecord>
bool CanRefreshTicket(const TString& key, TTokenRecord& record) {
- if (AccessServiceValidator && (record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::Unknown)) {
+ if (AccessServiceValidator
+ && ((record.TokenType == TDerived::ETokenType::AccessService && !record.Signature.AccessKeyId)
+ || record.TokenType == TDerived::ETokenType::Unknown)) {
GetDerived()->ResetTokenRecord(record);
if (record.Permissions) {
RequestAccessServiceAuthorization(key, record);