Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
services:
- rgw
with_legacy: true
+- name: rgw_keystone_expired_token_cache_expiration
+ type: int
+ level: advanced
+ desc: The number of seconds to add to current time for expired token expiration
+ fmt_desc: The expired token that is allowed when a valid service token is given
+ need a new expiration date for the caching. This is the seconds to add to the
+ current time and then set on an expired token that is verified with a service token.
+ default: 3600
+ services:
+ - rgw
+ with_legacy: true
- name: rgw_keystone_barbican_user
type: str
level: advanced
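Review bot: The new option rgw_keystone_expired_token_cache_expiration is declared `type: int` with no lower bound, so a negative value is accepted and flows into the `uint64_t new_expires = ceph_clock_now().sec() + g_conf()->rgw_keystone_expired_token_cache_expiration;` addition in the C++ hunk that follows. A small negative value would produce an expiry in the past, and a large one may wrap to a far-future expiry depending on the operand types, which would keep an already-expired token cached much longer than intended. Adding `min: 0` to the option (or declaring it `type: uint`) would reject such values when the configuration is set. The `desc`/`fmt_desc` text could also say that this appears to be the window during which an expired token accepted with a service token is kept in the cache, since that is the trade-off an operator makes when raising the value.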
/* If this token was an allowed expired token because we got a
* service token we need to update the expiration before we cache it. */
if (allow_expired) {
- /* TODO(tobias-urdin): Make an hour here configurable. */
- uint64_t new_expires = ceph_clock_now().sec() + 3600;
+ uint64_t new_expires = ceph_clock_now().sec() + g_conf()->rgw_keystone_expired_token_cache_expiration;
ldpp_dout(dpp, 20) << "updating expiration of allowed expired token"
<< " from " << t->get_expires() << " to "
<< new_expires << dendl;