diff --git a/java/google/registry/proxy/ProxyConfig.java b/java/google/registry/proxy/ProxyConfig.java
index d47e1452d..8cff2eeb3 100644
--- a/java/google/registry/proxy/ProxyConfig.java
+++ b/java/google/registry/proxy/ProxyConfig.java
@@ -38,7 +38,6 @@ public class ProxyConfig {
   public String projectId;
   public List gcpScopes;
   public int accessTokenValidPeriodSeconds;
-  public int accessTokenRefreshBeforeExpirySeconds;
   public int serverCertificateCacheSeconds;
   public Gcs gcs;
   public Kms kms;
diff --git a/java/google/registry/proxy/ProxyModule.java b/java/google/registry/proxy/ProxyModule.java
index 6e8cd5bb2..3ce06161a 100644
--- a/java/google/registry/proxy/ProxyModule.java
+++ b/java/google/registry/proxy/ProxyModule.java
@@ -29,7 +29,6 @@ import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
-import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.LoggerConfig;
 import com.google.monitoring.metrics.MetricReporter;
 import dagger.Component;
@@ -72,8 +71,6 @@ import javax.inject.Singleton;
 @Module
 public class ProxyModule {
 
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
   @Parameter(names = "--whois", description = "Port for WHOIS")
   private Integer whoisPort;
 
@@ -133,8 +130,6 @@ public class ProxyModule {
       // Log source IP information if --log parameter is passed. This is considered PII and should
       // only be used in non-production environment for debugging purpose.
       LoggerConfig.getConfig(ProxyProtocolHandler.class).setLevel(Level.FINE);
-      // Log at debug level what is the refreshed access token.
-      LoggerConfig.getConfig(ProxyModule.class).setLevel(Level.FINE);
     }
   }
 
@@ -241,12 +236,9 @@ public class ProxyModule {
           } catch (IOException e) {
             throw new RuntimeException("Cannot refresh access token.", e);
           }
-          // TODO (jianglai): Remove access token refresh logging.
-          String token = credential.getAccessToken();
-          logger.atFine().log("Access token refreshed: %s", token);
-          return token;
+          return credential.getAccessToken();
         },
-        config.accessTokenValidPeriodSeconds - config.accessTokenRefreshBeforeExpirySeconds,
+        config.accessTokenValidPeriodSeconds,
         SECONDS);
   }
 
diff --git a/java/google/registry/proxy/config/default-config.yaml b/java/google/registry/proxy/config/default-config.yaml
index 893f1edeb..f3659c136 100644
--- a/java/google/registry/proxy/config/default-config.yaml
+++ b/java/google/registry/proxy/config/default-config.yaml
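Review bot: The new `return credential.getAccessToken();` hands whatever the credential holds straight into the memoizing supplier, so if the refresh attempt above completed without throwing but left no token (the refresh call itself starts outside this hunk, so I cannot see whether its boolean result is checked), a null would be cached for the full `accessTokenValidPeriodSeconds` and every proxied request in that window would fail authentication; I would guard it with `String token = credential.getAccessToken(); if (token == null) { throw new RuntimeException("Access token refresh returned no token."); } return token;`. Dropping the token from the FINE log is the right call, since an OAuth bearer token in logs is a credential leak; with the logger gone, a non-sensitive trace such as `// refreshed; token value deliberately not logged` on the return line would stop the next maintainer from re-adding it. Removing `accessTokenRefreshBeforeExpirySeconds` also means the cache window is now exactly the configured value with no safety margin, so the supplier's correctness rests entirely on the YAML value staying below the shortest remaining token lifetime; a one-line precondition that the configured seconds is positive and well under an hour would catch a bad deployment config early. The enclosing method begins before this hunk.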
@@ -20,23 +20,22 @@ gcpScopes:
   # to authenticate.
   - https://www.googleapis.com/auth/userinfo.email
 
-# Access token is valid for 10 minutes.
+# Access token is cached for 15 minutes.
 #
-# Document says that the token should be good for 60 minutes, but in practice
-# we've run into problems with token becoming invalid before supposed expiration
-# time. This used to be set to 30 min but we still observe very rare occurrence
-# of INVALID_TOKEN response (not even EXPIRED_TOKEN, which is also a possible
-# response). Set it to 10 minutes so that the tokens can be refreshed more
-# frequently.
-# See also: Data store
-# (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
-accessTokenValidPeriodSeconds: 600
-
-# Access token is refreshed 1 minutes before expiry.
-#
-# This is the default refresh time used by
-# com.google.api.client.auth.oauth2.Credential#intercept.
-accessTokenRefreshBeforeExpirySeconds: 60
+# Depending on how the credential is obtained, its renewal behavior is
+# different. A credential backed by a private key (like the ADC obtained
+# locally) will get a different token when #refreshToken() is called. On GCE,
+# the credential is just a wrapper around tokens sent from the metadata server,
+# which is valid from 3599 seconds to 1699 seconds (this is no documentation on
+# this, I got this number by logging in a GCE VM, calling curl on the metatdata
+# server every minute, and check the expiration time of the response). Calling
+# refreshToken() does *not* get a new token. The token is only refreshed by
+# metadata server itself (every 3599 - 1699 = 1900 seconds). We cache the token
+# for 900 seconds, which should be good for both cases. The private key
+# generated token is in theory valid for 1h, and the token obtained from the
+# metadata token is at least valid for 1699 seconds, so we can know for sure
+# that during the period that it is cached, the token will not expire.
+accessTokenValidPeriodSeconds: 900
 
 # Server certificate is cached for 30 minutes.
 #
diff --git a/java/google/registry/proxy/handler/RelayHandler.java b/java/google/registry/proxy/handler/RelayHandler.java
index 61fd6c79d..f76c8f616 100644
--- a/java/google/registry/proxy/handler/RelayHandler.java
+++ b/java/google/registry/proxy/handler/RelayHandler.java
@@ -77,7 +77,7 @@ public class RelayHandler extends SimpleChannelInboundHandler {
   public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
     if (cause instanceof OverQuotaException) {
       logger.atWarning().withCause(cause).log(
-          "Channel %s closed due to quota exceeded", ctx.channel());
+          "Channel %s closed due to quota exceeded.", ctx.channel());
       ChannelFuture unusedFuture = ctx.close();
     } else {
       ctx.fireExceptionCaught(cause);
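Review bot: The key is still named `accessTokenValidPeriodSeconds` while the new comment says it is a cache period, and the whole safety argument ("at least valid for 1699 seconds, so ... will not expire") only holds while this value stays well below the shortest remaining lifetime the comment measured; an operator reading the name as the token's lifetime could raise it toward 3600 and reintroduce expired-token failures. I would add, directly above the value, `# NOTE: this is how long the proxy caches a token, NOT the token's lifetime; it must stay well below the ~1699s minimum remaining lifetime observed above.` The old comment recorded rare INVALID_TOKEN responses seen even with a 30-minute cache, and the new text drops that history without saying whether the 900-second choice addresses it; one sentence either way would save the next investigator from rediscovering it. The new comment also has several wording errors worth fixing on the same lines: "this is no documentation on this" should be "there is no documentation on this", "metatdata" should be "metadata", "and check the expiration time" should be "and checking the expiration time", and "the token obtained from the metadata token" should read "the token obtained from the metadata server". The measured 3599/1699-second figures are a single empirical observation rather than a contract, so hedging them as "observed, not guaranteed" would be more honest.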