Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-19796

tokenConfig's accessTokenInactivityTimeout fields doesn't work in hypershift guest cluster

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done-Errata
    • Normal
    • 4.14.0
    • 4.13.z
    • HyperShift
    • Important
    • No
    • False
    • Hide

      None

      Show
      None

    Description

      This is a clone of issue OCPBUGS-13829. The following is the description of the original issue:

      Description of problem:

      The configured accessTokenInactivityTimeout under tokenConfig in HostedCluster doesn't have any effect.
      1. The value is not getting updated in oauth-openshift configmap 
      2. hostedcluster allows user to set accessTokenInactivityTimeout value < 300s, where as in master cluster the value should be > 300s. 

      Version-Release number of selected component (if applicable):

      4.13

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install a fresh 4.13 hypershift cluster  
      2. Configure accessTokenInactivityTimeout as below:
      $ oc edit hc -n clusters
      ...
        spec:
          configuration:
            oauth:
              identityProviders:
              ...
              tokenConfig:          
                accessTokenInactivityTimeout: 100s
      ...
      3. Check the hcp:
      $ oc get hcp -oyaml
      ...
              tokenConfig:           
                accessTokenInactivityTimeout: 1m40s
      ...
      
      4. Login to guest cluster with testuser-1 and get the token
      $ oc login https://a8890bba21c9b48d4a05096eee8d4edd-738276775c71fb8f.elb.us-east-2.amazonaws.com:6443 -u testuser-1 -p xxxxxxx
      $ TOKEN=`oc whoami -t`
      $ oc login --token="$TOKEN"
      WARNING: Using insecure TLS client config. Setting this option is not supported!
      Logged into "https://a8890bba21c9b48d4a05096eee8d4edd-738276775c71fb8f.elb.us-east-2.amazonaws.com:6443" as "testuser-1" using the token provided.
      You don't have any projects. You can try to create a new project, by running
          oc new-project <projectname>

      Actual results:

      1. hostedcluster will allow user to set the value < 300s for accessTokenInactivityTimeout which is not possible on master cluster.
      
      2. The value is not updated in oauth-openshift configmap:
      $ oc get cm oauth-openshift -oyaml -n clusters-hypershift-ci-25785 
      ...
            tokenConfig:
              accessTokenMaxAgeSeconds: 86400
              authorizeTokenMaxAgeSeconds: 300
      ...
      
      3. Login doesn't fail even if the user is not active for more than the set accessTokenInactivityTimeout seconds.
      

      Expected results:

      Login fails if the user is not active within the accessTokenInactivityTimeout seconds.
      

      Attachments

        Issue Links

          Activity

            People

              agarcial@redhat.com Alberto Garcia Lamela
              openshift-crt-jira-prow OpenShift Prow Bot
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: