author | xenoxeno <xeno@ydb.tech> | 2023-03-23 07:57:47 +0300 |
---|---|---|
committer | xenoxeno <xeno@ydb.tech> | 2023-03-23 07:57:47 +0300 |
commit | b8ebf39c705743d95cf1337ec10c422924ddbef9 (patch) | |
tree | c36b58f0d20002f4e46126fd4f3595fc42486a75 | |
parent | 52d4379d9d6947741425eb3f8f64bcf0c3a5431c (diff) | |
download | ydb-b8ebf39c705743d95cf1337ec10c422924ddbef9.tar.gz |
disable token refresh for IAM signature authentications
-rw-r--r-- | ydb/core/security/ticket_parser_impl.h | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index 12dd6e5776..bd3a5a709e 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -961,13 +961,13 @@ protected:
 }
 }
- bool IsOfflineToken() const {
+ bool NeedsRefresh() const {
 switch (TokenType) {
 case TDerived::ETokenType::Builtin:
 case TDerived::ETokenType::Login:
- return true;
- default:
 return false;
+ default:
+ return Signature.AccessKeyId.empty();
 }
 }
@@ -1071,10 +1071,10 @@ protected:
 if (!record.ExpireTime) {
 record.ExpireTime = GetExpireTime(now);
 }
- if (record.IsOfflineToken()) {
- record.RefreshTime = record.ExpireTime;
- } else {
+ if (record.NeedsRefresh()) {
 record.SetOkRefreshTime(this, now);
+ } else {
+ record.RefreshTime = record.ExpireTime;
 }
 CounterTicketsSuccess->Inc();
 CounterTicketsBuildTime->Collect((now - record.InitTime).MilliSeconds());
@@ -1168,7 +1168,9 @@ protected:
 template <typename TTokenRecord>
 bool CanRefreshTicket(const TString& key, TTokenRecord& record) {
- if (AccessServiceValidator && (record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::Unknown)) {
+ if (AccessServiceValidator
+ && ((record.TokenType == TDerived::ETokenType::AccessService && !record.Signature.AccessKeyId)
+ || record.TokenType == TDerived::ETokenType::Unknown)) {
 GetDerived()->ResetTokenRecord(record);
 if (record.Permissions) {
 RequestAccessServiceAuthorization(key, record); |
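Review bot: `NeedsRefresh()` now makes a security-relevant decision (a non-empty `Signature.AccessKeyId` means the ticket is never re-validated before `ExpireTime`) without saying so, and the same "has a signature" test is spelled differently in `CanRefreshTicket` (`!record.Signature.AccessKeyId`), so the two are likely to drift apart. I would add a comment above the function, `// Builtin/Login tickets and IAM signature (access-key) tickets are validated once and cached until ExpireTime; only bearer tokens are periodically re-checked.`, and give the signature test one name, e.g. a `bool HasSignature() const { return !Signature.AccessKeyId.empty(); }` helper used from both places. Whether permission changes or access-key revocation during the cache window are acceptable for signature tickets is a policy question this hunk does not answer; it deserves a sentence in the commit message or the comment.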
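Review bot: The new `else` branch pins `RefreshTime` to `ExpireTime`, so for signature-authenticated records the result stored here is served unchanged until `GetExpireTime(now)` elapses, and the hunk carries no note that this is deliberate. A short comment on the `else` line would save the next reader a trip to `NeedsRefresh()`: `// no periodic re-validation for this ticket kind: the cached result stands until expiry`. It is worth confirming that the expiry window `GetExpireTime` returns is short enough for key revocation to take effect in acceptable time, since that is now the only bound for signature tickets. The enclosing function begins and ends outside the hunk.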
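Review bot: The rewritten condition exempts only `AccessService` records with a signature from refresh, while a record of type `Unknown` that also carries a signature still qualifies here even though `NeedsRefresh()` would return false for it, so the two predicates disagree for that case; if the disagreement is unintended, `&& record.NeedsRefresh()` in place of the inline `!record.Signature.AccessKeyId` test keeps them in one place, i.e. `if (AccessServiceValidator && record.NeedsRefresh() && (record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::Unknown)) {`. If `Unknown` with a signature is meant to stay refreshable, a one-line comment saying why would stop the next reader from "fixing" it. Separately, `!record.Signature.AccessKeyId` and `Signature.AccessKeyId.empty()` should use the same spelling. The body of `CanRefreshTicket` continues past the end of the hunk.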