Change access token validity and remove logging

The access token renewal on GCE is not what we expected. The metadata server always returns the same token as long as it is valid for 1699 to 3599 seconds and rolls over to the next token on its own schedule. Calling refresh on the GoogleCredential has no effect. We were caching the token for 30 min (1800 seconds), so in a rare case where we "refreshed" the token while its expiry is between 1699 and 1800 seconds, we will cache the token for longer than its validity. [] shortened the caching period to 10 min and added logging, which proved to be working. We no longer need the log any more now that the root cause has been identified. Also changed the cache period to 15 min (900 seconds) which should still be good.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=208888170
jianglai 2018-08-15 14:55:10 -07:00
parent 301301cafe
commit fc75e08061
4 changed files with 18 additions and 28 deletions

@ -29,7 +29,6 @@ import com.google.api.services.cloudkms.v1.model.DecryptRequest;
import com.google.api.services.storage.Storage;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Maps;
import com.google.common.flogger.FluentLogger;
import com.google.common.flogger.LoggerConfig;
import com.google.monitoring.metrics.MetricReporter;
import dagger.Component;
@ -72,8 +71,6 @@ import javax.inject.Singleton;
@Module
public class ProxyModule {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
@Parameter(names = "--whois", description = "Port for WHOIS")
private Integer whoisPort;
@ -133,8 +130,6 @@ public class ProxyModule {
// Log source IP information if --log parameter is passed. This is considered PII and should
// only be used in non-production environment for debugging purpose.
LoggerConfig.getConfig(ProxyProtocolHandler.class).setLevel(Level.FINE);
// Log at debug level what is the refreshed access token.
LoggerConfig.getConfig(ProxyModule.class).setLevel(Level.FINE);
}
}
@ -241,12 +236,9 @@ public class ProxyModule {
} catch (IOException e) {
throw new RuntimeException("Cannot refresh access token.", e);
}
// TODO (jianglai): Remove access token refresh logging.
String token = credential.getAccessToken();
logger.atFine().log("Access token refreshed: %s", token);
return token;
return credential.getAccessToken();
},
config.accessTokenValidPeriodSeconds - config.accessTokenRefreshBeforeExpirySeconds,
config.accessTokenValidPeriodSeconds,
SECONDS);
}
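
Review bot: The memoization period in the last lines of this hunk is now `config.accessTokenValidPeriodSeconds` alone, a fixed value that is safe only while it stays below the shortest remaining lifetime the metadata server hands back (1699 seconds per the commit message), and nothing at this call states or enforces that. Consider adding a comment here recording the constraint, or bounding the cache period by the remaining lifetime reported on the credential instead of a constant. The name `accessTokenValidPeriodSeconds` now describes a cache duration, not the token's validity, so a rename would avoid the same confusion later, and `accessTokenRefreshBeforeExpirySeconds` is worth checking for remaining uses since it is no longer referenced here.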