From: Tobias Urdin Date: Wed, 27 Apr 2022 08:57:36 +0000 (+0000) Subject: rgw/auth: Make service token expired token expiration configurable X-Git-Tag: v18.1.0~1023^2~14 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=31e79282be028beb363b32d4bf6e0b22ba3409e1;p=ceph.git rgw/auth: Make service token expired token expiration configurable Signed-off-by: Tobias Urdin
---
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 2301e42cb672..f43d2fb112dd 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -691,6 +691,17 @@ options:
 services:
 - rgw
 with_legacy: true
+- name: rgw_keystone_expired_token_cache_expiration
+ type: int
+ level: advanced
+ desc: The number of seconds to add to current time for expired token expiration
+ fmt_desc: The expired token that is allowed when a valid service token is given
+ need a new expiration date for the caching. This is the seconds to add to the
+ current time and then set on an expired token that is verified with a service token.
+ default: 3600
+ services:
+ - rgw
+ with_legacy: true
 - name: rgw_keystone_barbican_user
 type: str
 level: advanced
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 3fe732677d9c..9976449f28b2 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -334,8 +334,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 /* If this token was an allowed expired token because we got a
 * service token we need to update the expiration before we cache it. */
 if (allow_expired) {
- /* TODO(tobias-urdin): Make an hour here configurable. */
- uint64_t new_expires = ceph_clock_now().sec() + 3600;
+ uint64_t new_expires = ceph_clock_now().sec() + g_conf()->rgw_keystone_expired_token_cache_expiration;
 ldpp_dout(dpp, 20) << "updating expiration of allowed expired token" << " from " << t->get_expires() << " to " << new_expires << dendl;
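Review bot: The new option is declared `type: int` with no lower bound, so zero or a negative number is accepted and then added to the clock unchecked in the rgw_auth_keystone.cc hunk (`ceph_clock_now().sec() + g_conf()->rgw_keystone_expired_token_cache_expiration`, stored in a `uint64_t`). A negative value would presumably either wrap to a very large expiry or give one already in the past, depending on the conversion, and nothing caps how large the window can be set. I would add `min: 1` under `default: 3600` (or declare the option `type: uint`). The `fmt_desc` should also say plainly that this is how long an already-expired token stays accepted from the cache, so raising it lengthens that window.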
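Review bot: With the TODO removed, nothing at the `uint64_t new_expires = ...` statement says what the added value means or which unit it is in; only the option name carries it, on a line that is now well over 100 columns. I would break the expression after the `+` and put a short comment above it, e.g. `/* seconds an expired token accepted via a service token stays cached */`. The `if (allow_expired)` block and `TokenEngine::authenticate` both continue outside the hunk, so how `new_expires` is applied to the token is not visible here.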