AWS: Prevent token refresh scheduling on every sign request #7270
rdblue merged 1 commit into apache:master from
e3d7c2b to d06f01c
| PropertyUtil.propertyAsLong( | ||
| properties(), | ||
| CatalogProperties.AUTH_SESSION_TIMEOUT_MS, | ||
| CatalogProperties.AUTH_SESSION_TIMEOUT_MS_DEFAULT); |
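Review bot: the value read for CatalogProperties.AUTH_SESSION_TIMEOUT_MS in this call is taken as configured, with no range check visible in these lines. Consider rejecting zero or negative values before the result is used, and documenting next to the property what the timeout governs and that it is expressed in milliseconds, since a misconfigured value would otherwise only show up at runtime.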
This is 1 hour by default. Are we sure that's a reasonable timeout?
I think a 24 hour idle timeout would more closely align with patterns where a table is accessed and left idle. Beyond that, it's very unlikely the reference will be used again.
Okay, after some discussion to clarify, Dan, Eduard, and I think 1h is pretty reasonable. The cache is using expireAfterAccess so reusing the token keeps it alive. And the removal listener stops refreshing the token when it is expired from the cache. The downside of too short of an interval is starting new sessions, but only if they are already mostly inactive (more than 1 hour between uses). The downside of too long of an interval is potentially needlessly refreshing a token for 24 hours when it's unused. I think it is better to have a short interval.
This looks correct to me. My only question is what would be a reasonable default timeout.
One of the main issues here was that we were previously scheduling a token for refresh on every single sign request.
This PR caches the AuthSession based on the given token/credential to prevent this issue.

The existing TestS3RestSigner was slightly restructured and additional checks were added that immediately showed the original problem.
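The behaviour discussed in this thread (one refresh task per sign request versus a session cached per token with expireAfterAccess and a removal listener that stops the refresh) can be reproduced with the sketch below. It is an added example, not code from this PR or from Iceberg: the `Session` class, the token string and the 200 ms timeout are constructed for the demo, and it assumes the Caffeine library is on the classpath.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.RemovalCause;
import java.time.Duration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class SessionCacheDemo {
  static final AtomicInteger SCHEDULED = new AtomicInteger();
  // Hypothetical stand-in for an auth session that owns a periodic token refresh.
  static final class Session {
    final ScheduledFuture<?> refresh;
    Session(ScheduledExecutorService pool) {
      SCHEDULED.incrementAndGet(); // count every refresh task that gets scheduled
      refresh = pool.scheduleAtFixedRate(() -> {}, 1, 1, TimeUnit.HOURS);
    }
  }

  public static void main(String[] args) throws InterruptedException {
    ScheduledExecutorService pool = Executors.newSingleThreadScheduledExecutor();

    // Without a cache: each sign request creates a session and schedules one more refresh.
    for (int i = 0; i < 100; i++) new Session(pool);
    System.out.println("uncached refresh tasks: " + SCHEDULED.getAndSet(0));

    Cache<String, Session> sessions =
        Caffeine.newBuilder()
            .expireAfterAccess(Duration.ofMillis(200)) // constructed value, short for the demo
            .executor(Runnable::run) // run the removal listener on the calling thread
            .removalListener((String token, Session s, RemovalCause cause) -> s.refresh.cancel(false))
            .build();

    // With the cache: 100 sign requests for one token share a single session.
    for (int i = 0; i < 100; i++) {
      sessions.get("constructed-token", token -> new Session(pool));
    }
    Session session = sessions.getIfPresent("constructed-token");
    System.out.println("cached refresh tasks: " + SCHEDULED.get());

    Thread.sleep(400); // stay idle for longer than the timeout
    sessions.cleanUp(); // process the expiry, which invokes the removal listener
    System.out.println("refresh cancelled after idle expiry: " + session.refresh.isCancelled());
    pool.shutdownNow();
  }
}
```

Caffeine processes expirations lazily during cache maintenance, which is why the demo calls `cleanUp()` before checking that the refresh was cancelled.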