authorBjørn Christian Seime <bjorncs@oath.com>2017-12-08 15:48:38 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2017-12-12 12:39:55 +0100
commit7e35c730c7b63ad5e2a4d5d82f0da7687a441e71 (patch)
tree6cfc09df754c50f4907826df9656b2f67b8b9adb /controller-server
parentf26d8a85a9b8aaee685890e73fe32b3785e9ccc4 (diff)
Make credentials expiry configurable
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java10
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java7
-rw-r--r--controller-server/src/main/resources/configdefinitions/athenz.def3
3 files changed, 14 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index e640fcd0ea7..a91604f937b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -18,7 +18,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.security.KeyService;
import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
import java.security.PrivateKey;
-import java.util.concurrent.TimeUnit;
+import java.time.Duration;
import static com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzUtils.USER_PRINCIPAL_DOMAIN;
@@ -75,8 +75,12 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
// TODO bjorncs: Cache principal token
SimpleServiceIdentityProvider identityProvider =
new SimpleServiceIdentityProvider(
- athenzPrincipalAuthority, config.domain(), service.name(),
- getServicePrivateKey(), service.publicKeyId(), /*tokenTimeout*/TimeUnit.HOURS.toSeconds(1));
+ athenzPrincipalAuthority,
+ config.domain(),
+ service.name(),
+ getServicePrivateKey(),
+ service.publicKeyId(),
+ Duration.ofMinutes(service.credentialsExpiryMinutes()).getSeconds());
return identityProvider.getIdentity(config.domain(), service.name());
}
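Review bot: The principal token lifetime passed as the last constructor argument now comes from `service.credentialsExpiryMinutes()`, which the accompanying athenz.def defaults to 43200 minutes (30 days) where the removed line hard-coded `TimeUnit.HOURS.toSeconds(1)`, so by default the token minted here stays valid about 720 times longer than before. That is a security-relevant widening — a token captured from a host or a log remains usable for up to a month — and nothing in the hunk records the trade-off or that the same knob also sets the X.509 certificate lifetime in ZtsClientImpl. I would add above the `new SimpleServiceIdentityProvider(` call: `// Token lifetime shares the credentialsExpiryMinutes knob with the X.509 certificate (see ZtsClientImpl); default is 30 days, keep it short in production`. The enclosing method starts outside the hunk, and the `// TODO bjorncs: Cache principal token` it begins with is still open.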
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
index d518e1905e5..a29f2e81fba 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
@@ -32,18 +32,19 @@ import static java.util.stream.Collectors.toList;
public class ZtsClientImpl implements ZtsClient {
private static final Logger log = Logger.getLogger(ZtsClientImpl.class.getName());
- private static final Duration CERTIFICATE_EXPIRY = Duration.ofHours(1);
private final ZTSClient ztsClient;
private final AthenzService service;
private final PrivateKey privateKey;
private final String certificateDnsDomain;
+ private final Duration certExpiry;
public ZtsClientImpl(ZTSClient ztsClient, PrivateKey privateKey, AthenzConfig config) {
this.ztsClient = ztsClient;
this.service = new AthenzService(config.domain(), config.service().name());
this.privateKey = privateKey;
this.certificateDnsDomain = config.certDnsDomain();
+ this.certExpiry = Duration.ofMinutes(config.service().credentialsExpiryMinutes());
}
@Override
@@ -71,7 +72,7 @@ public class ZtsClientImpl implements ZtsClient {
service.getName(),
privateKey,
certificateDnsDomain,
- (int) CERTIFICATE_EXPIRY.getSeconds());
+ (int) certExpiry.getSeconds());
X509Certificate certificate = Crypto.loadX509Certificate(
ztsClient.postInstanceRefreshRequest(service.getDomain().id(), service.getName(), req)
.getCertificate());
@@ -93,7 +94,7 @@ public class ZtsClientImpl implements ZtsClient {
roleName,
privateKey,
certificateDnsDomain,
- (int)CERTIFICATE_EXPIRY.getSeconds());
+ (int)certExpiry.getSeconds());
X509Certificate roleCertificate = Crypto.loadX509Certificate(
ztsClient.postRoleCertificateRequest(roleDomain.id(), roleName, req)
.getToken());
diff --git a/controller-server/src/main/resources/configdefinitions/athenz.def b/controller-server/src/main/resources/configdefinitions/athenz.def
index 2ee15e183f2..1d95ebd7860 100644
--- a/controller-server/src/main/resources/configdefinitions/athenz.def
+++ b/controller-server/src/main/resources/configdefinitions/athenz.def
@@ -31,3 +31,6 @@ service.privateKeyVersion int
# Name of Athenz service private key secret
service.privateKeySecretName string
+
+# Expiry of service principal token and certificate
+service.credentialsExpiryMinutes int default=43200 # 30 days
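Review bot: The default of 43200 minutes replaces two hard-coded one-hour lifetimes (`TimeUnit.HOURS.toSeconds(1)` and `CERTIFICATE_EXPIRY = Duration.ofHours(1)` in the removed code), so a deployment that never sets this value now gets 30-day tokens and certificates instead of 1-hour ones, and the comment does not say so. I would expand it to: `# Expiry of service principal token and certificate, in minutes. Was fixed at 1 hour before this became configurable; a longer lifetime widens the window a leaked credential stays usable, so keep it as short as the refresh cadence allows.` Whether ZTS itself caps the requested expiry is not visible in this diff, so the effective lifetime may be shorter than configured — worth confirming before relying on the 30-day default.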