Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Critical
Fix Version/s: RHODS_1.1_GA
Affects Version/s: RHODS_1.1_GA
Component/s: UI, Workbenches
Labels:
- Eng
- FailedQA
- Groomed

Story Points:
3
Epic Link:
ProdSec Minimal Requirements
Blocked:
False
Ready:
False
Automated:
No
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fixed in Build:
1.0.14
Regression:
No
Release Note Text:
Undefined
Target Release:

RHODS_1.1_GA
Test Blocker:
No
Test Coverage:

Yes
Git Pull Request:
https://github.com/opendatahub-io/oauthenticator/pull/5, https://github.com/opendatahub-io/oauthenticator/pull/6
Market:

Sprint:
MODH Sprint 19, MODH Sprint 20, MODH Sprint 21, MODH Sprint 22, MODH Sprint 23

SFDC Cases Counter:
SFDC Cases Links:

As Red Hat, we need to adhere to product security guidelines to avoid security issues for RHODS customers.

This story is to address a session management flaw as outlined in the threat modeling doc (item 9): https://docs.google.com/document/d/17sGYy8P3HSCpO7QeSSORU3ZUYkUNGQq-z3xJDrUyadM/edit#heading=h.wmz2ucb7quu3

When a user's credentials are revoked for the RHODS dashboard and JupyterHub, the system should automatically log users out of the service. Some scenarios:

1) User session times out

2) User no longer has access to RHODS based on removal from RHODS user or admin group

3) User's OpenShift access is removed

is related to

RHODS-339 Able to login with expired sesssion

Closed

relates to

RHODS-1968 Session mgmt: Users are not logged out of JH/RHODS when removed from rhods-users/admins group

Closed

Assignee:: Vaclav Pavlin (Inactive)

Reporter:: Jeff DeMoss

Need Info From:: Vaclav Pavlin (Inactive)

QA Contact:: Luca Giorgi

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2021/03/21 10:55 PM

Updated:: 2023/02/17 9:27 PM

Resolved:: 2021/10/26 12:03 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates