new/auth: allow users to manage their tokens #507
Conversation
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
stlaz
force-pushed
the
usertokens
branch
2 times, most recently
from
544a84b
to
1d87885
Compare
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
|
|
||
| ## Motivation | ||
|
|
||
| It is quite easy for users to retrieve tokens but it is also not so hard |
There was a problem hiding this comment.
retrieve seems more appropriate to me given that they cannot create their tokens
|
|
||
| ### Non-Goals | ||
|
|
||
| - enable handling sessions of services that use the OpenShift access tokens |
There was a problem hiding this comment.
what would "handle" mean here?
There was a problem hiding this comment.
pretty much anything regarding a session, we are not dealing with sessions in this enhancement at all
There was a problem hiding this comment.
- Changing the granularity of tokens to sessions: tokens can be used by many sessions. The oauth system is not aware of sessions and won't be with this enhancement.
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
|
|
||
| #### Story 3 | ||
| A user is able to perform actions from Story 1 and Story 2 in both the web | ||
| console and the CLI clients. |
There was a problem hiding this comment.
@jhadvig fyi, there is work coming up for the console. Please sync with @Anandnatraj about the timing. We might merge the API already with 4.7.
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
enhancements/authentication/allow-users-to-manage-their-own-tokens.md
Outdated
Show resolved
Hide resolved
| the default token name length, it is quite improbable). The clusterrolebinding | ||
| `system:oauth-token-deleters` will therefore get deprecated as described in | ||
| [Graduation Criteria - Removing a Deprecated Feature](#graduation-criteria---removing-a-deprecated-feature). | ||
|
|
There was a problem hiding this comment.
add section about table view in oc, i.e. which columns will we expose by default? @Anandnatraj this will be something for you to review.
There was a problem hiding this comment.
added - see below.
@Anandnatraj please review so that we only keep the fields necessary
There was a problem hiding this comment.
@stlaz I cannot see the table. Can you slack me a screenshot pls?
There was a problem hiding this comment.
@Anandnatraj the list 5 lines below are the columns of the table view of oc get useroauthaccesstokens.
stlaz
force-pushed
the
usertokens
branch
2 times, most recently
from
5245ece
to
d458320
Compare
| command line: | ||
|
|
||
| - metadata.name (`NAME`) | ||
| - userName (`USERNAME`) |
There was a problem hiding this comment.
good point, probably not
| - metadata.name (`NAME`) | ||
| - userName (`USERNAME`) | ||
| - clientName (`CLIENT NAME`) | ||
| - metadata.creationTimestamp (`CREATED`) |
There was a problem hiding this comment.
isn't this a default field shown at the very end?
There was a problem hiding this comment.
we're defining our own table printer, I don't think it would be printed if we don't specifically add it
There was a problem hiding this comment.
Maybe that is different in CRDs. I remotely remember something like that.
| ### Test Plan | ||
|
|
||
| New e2e tests: | ||
| 1. using the new endpoint, a user can get/list/watch/delete all of the tokens that were issued to them | ||
| 2. a user cannot get/list/watch/delete tokens for any other user | ||
| 3. user cannot create, update, patch tokens, neither his own, nor of other users. | ||
| 4. non-sha256 tokens are not returned by any of the endpoints. |
|
/approve Title must be fixed |
openshift-ci-robot
added
the
approved
|
/lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| command line: | ||
|
|
||
| - metadata.name (`NAME`) | ||
| - clientName (`CLIENT NAME`) |
There was a problem hiding this comment.
@stlaz what will you see here in practice in a real cluster?
There was a problem hiding this comment.
@Anandnatraj this is the field I briefly mentioned. It will probably be a constant string like "console" or so, even if the token is used with oc.
An enhancement mostly about listing/deletion of personal access tokens
/cc @deads2k @sttts @marun @vareti