-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.13.z
-
Important
-
No
-
Hypershift Sprint 237, Hypershift Sprint 238, Hypershift Sprint 239, Hypershift Sprint 240, Hypershift Sprint 241, Hypershift Sprint 242, Hypershift Sprint 243
-
7
-
False
-
-
NA
-
Release Note Not Required
-
In Progress
Description of problem:
The configured accessTokenInactivityTimeout under tokenConfig in HostedCluster doesn't have any effect. 1. The value is not getting updated in oauth-openshift configmap 2. hostedcluster allows user to set accessTokenInactivityTimeout value < 300s, where as in master cluster the value should be > 300s.
Version-Release number of selected component (if applicable):
4.13
How reproducible:
Always
Steps to Reproduce:
1. Install a fresh 4.13 hypershift cluster 2. Configure accessTokenInactivityTimeout as below: $ oc edit hc -n clusters ... spec: configuration: oauth: identityProviders: ... tokenConfig: accessTokenInactivityTimeout: 100s ... 3. Check the hcp: $ oc get hcp -oyaml ... tokenConfig: accessTokenInactivityTimeout: 1m40s ... 4. Login to guest cluster with testuser-1 and get the token $ oc login https://a8890bba21c9b48d4a05096eee8d4edd-738276775c71fb8f.elb.us-east-2.amazonaws.com:6443 -u testuser-1 -p xxxxxxx $ TOKEN=`oc whoami -t` $ oc login --token="$TOKEN" WARNING: Using insecure TLS client config. Setting this option is not supported! Logged into "https://a8890bba21c9b48d4a05096eee8d4edd-738276775c71fb8f.elb.us-east-2.amazonaws.com:6443" as "testuser-1" using the token provided. You don't have any projects. You can try to create a new project, by running oc new-project <projectname>
Actual results:
1. hostedcluster will allow user to set the value < 300s for accessTokenInactivityTimeout which is not possible on master cluster. 2. The value is not updated in oauth-openshift configmap: $ oc get cm oauth-openshift -oyaml -n clusters-hypershift-ci-25785 ... tokenConfig: accessTokenMaxAgeSeconds: 86400 authorizeTokenMaxAgeSeconds: 300 ... 3. Login doesn't fail even if the user is not active for more than the set accessTokenInactivityTimeout seconds.
Expected results:
Login fails if the user is not active within the accessTokenInactivityTimeout seconds.
- blocks
-
OCPBUGS-19796 tokenConfig's accessTokenInactivityTimeout fields doesn't work in hypershift guest cluster
- Closed
- is cloned by
-
OCPBUGS-19796 tokenConfig's accessTokenInactivityTimeout fields doesn't work in hypershift guest cluster
- Closed
- links to
-
RHEA-2023:7198 rpm
- mentioned on
(1 mentioned on)