OpenShift Authentication / AUTH-349

Secure token usage with oc client while doing oc login


    • Status: To Do
    • Parent feature: OCPSTRAT-378 - Secure token usage with oc client

      Epic Goal*

      During oc login with a token, pasting the token on the command line with oc login --token is insecure. The token is recorded in bash history, appears in "ps" output for anyone who runs it while the oc login command is executing, and ends up in logs where any sysadmin can search for it.

      Customers/Users would like either the "--web" command or a command that prompts for a token. There should be no way to pass a secret on the command line with --token.

      For environments where no web browser is available, an "--ask-token" option should be provided that prompts for a token instead of passing it on the command line.
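      As an added example (not part of this epic or the oc client), the shell functions below audit a history file for the exposure described above, oc login commands that carry --token=<value> or --token <value>, report them with the value masked, and rewrite the file with the token redacted. The history lines and token values are constructed for the demo; the functions only clean the on-disk history and cannot recall what "ps" or system logs already captured, which is why the epic asks for a prompt instead.

```shell
#!/usr/bin/env bash
# Added example, not part of AUTH-349 or the oc client. Audits a shell history
# file for `oc login` commands that passed a bearer token on the command line
# and rewrites the file with the value redacted. File names and token values
# are constructed for the demo.

# Matches "oc login ... --token=<value>" and "oc login ... --token <value>".
# The value must start with an alphanumeric, so an already-redacted
# "[REDACTED]" marker is not reported again.
OC_TOKEN_RE='(oc[[:space:]]+login.*--token)(=|[[:space:]]+)[[:alnum:]][^[:space:]]*'

# Print "<lineno>:<line>" for each exposed token, with the value replaced by
# [REDACTED] so the report itself does not leak the secret.
find_exposed_oc_tokens() {
  grep -nE "$OC_TOKEN_RE" "$1" | sed -E "s/$OC_TOKEN_RE/\1\2[REDACTED]/"
}

# Number of history lines still carrying a token; prints 0 when none remain.
count_exposed_oc_tokens() {
  grep -cE "$OC_TOKEN_RE" "$1" || true
}

# Rewrite the history file with token values redacted. Goes through a temp
# file so it behaves the same with GNU and BSD sed.
redact_oc_tokens() {
  tmp=$(mktemp) || return 1
  sed -E "s/$OC_TOKEN_RE/\1\2[REDACTED]/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a constructed history file (not a real user's history).
demo_history=$(mktemp)
printf '%s\n' \
  'oc get pods -n openshift-authentication' \
  'oc login --token=sha256~CONSTRUCTED-TOKEN-VALUE https://api.example.test:6443' \
  'oc login --web https://api.example.test:6443' \
  'oc login -u admin --token sha256~ANOTHER-CONSTRUCTED --server=https://api.example.test:6443' \
  > "$demo_history"
echo "Exposed oc tokens in history:"
find_exposed_oc_tokens "$demo_history"
redact_oc_tokens "$demo_history"
echo "Remaining after redaction: $(count_exposed_oc_tokens "$demo_history")"
rm -f "$demo_history"
```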

      Why is this important? (mandatory)

      Pasting the token on the command line with oc login --token is insecure.

      Scenarios (mandatory)

      Customers/Users would like either the "--web" command or a command that prompts for a token. There should be no way to pass a secret on the command line with --token.

      For environments where no web browser is available, an "--ask-token" option should be provided that prompts for a token instead of passing it on the command line.

      Dependencies (internal and external) (mandatory)

      What items must be delivered by other teams/groups to enable delivery of this epic?

      Contributing Teams (and contacts) (mandatory)

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation -
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

       

      Drawbacks or Risk (optional)

      Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be "Release Pending"

            Ilias Rinis, Anjali Telang, Deepak Punia