auth: a new option for configuring TTL of jwt tokens #8302
Conversation
|
/cc @vedant15 this PR adds the functionality for configuring TTL of jwt tokens. Unlike simple tokens, jwt tokens' TTL won't be extended by RPCs so clients need to retry after the expiration. |
|
@mitake will the client automatically acquire a new JWT token if the current one expires? Also, this probably needs a test case; I can't find where |
|
@heyitsanthony yes, jwt-go checks the expiration with this flow |
|
@mitake Do we want to include this in 3.3? Otherwise, we can move this to 3.4. Thanks. |
|
@gyuho I think it is not an emergent stuff so moving to 3.4 is ok. |
|
@gyuho updated for an e2e test case, could you take a look? |
This commit adds a new option of --auth-token, ttl, for configuring TTL of jwt tokens. It can be specified like this: ``` --auth-token jwt,pub-key=<pub key path>,priv-key=<priv key path>,sign-method=<sign method>,ttl=5m ``` In the above case, TTL will be 5 minutes.
|
rebased on the latest master |
|
So, if no TTL given, does this defaults to 5-min? Is there any specific reason? |
|
No specific reason for now. If you think we should change, please let me know. |
|
Would it be breaking change, if previous behavior is auth token never expires? I am ok with either way. Maybe highlight this change more loud around configuration.md and etcdmain/help.go? |
|
It isn't a breaking change. clientv3 automatically refresh the expired token so existing etcd users won't be aware about this change. It is ensured in the test https://github.com/coreos/etcd/pull/8302/files#diff-4e20b6b68ada25d636aa265f49dcfa19 |
|
Oh, it will be just assigned a new token. Makes sense. |
This commit adds a new option of --auth-token, ttl, for configuring
TTL of jwt tokens. It can be specified like this:
In the above case, TTL will be 5 minutes.
/cc @fanminshi