Token lease not being respected #22
Comments
It looks like the lease is explicitly set to never expire, which I guess means the token takes the access default (in my case the default of 1 year). I waited over 1 hour to check if Vault would revoke the token, but 90 minutes later the token is still valid.
The way it is supposed to work is that Vault will "revoke" that token at the end of the lease. The fact that you also posted about an error revoking the admin token during rotation makes me wonder whether there is an error in the "RevokeToken" function. It does also seem like the "max_ttl" should be enforced by setting that as the artifactory access token expiration, by default, but it does not do that, perhaps related to artifactory "issues" -- https://github.com/jfrog/artifactory-secrets-plugin/blob/v0.2.0/artifactory.go#L80-L89

EDIT: There was some information in https://jfrog.atlassian.net/browse/RTFACT-15293?focusedCommentId=66023 that indicates that the tokens are "successfully" (200) revoked, and removed from the token list, but that they still work. I consider this to be a serious problem, but this issue was closed (deferred). Perhaps @alexhung can check into this on their side?
@TJM Thanks for bringing this to my attention. I'll take a quick look.
Thanks for looking into this. It also rather invalidates the point of this Vault plugin somewhat if tokens that Vault revokes live on till the expiry. Let me know if I can help in any way.
In Artifactory token id I guess there is a bug in Artifactory that is not respecting the passing of
@apr-1985 From my (albeit very quick) testing in 7.49.3, setting the When I create a token with

{
  "code": "BAD_REQUEST",
  "message": "Token not revocable",
  "detail": "Token not revocable. Token expirationTimeMillis: 1673028200098, issuedAtMillis: 1673027300098, revocableExpiryThresholdMillis: 21600000"
}
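The error body quoted in the comment above carries the three numbers that decide the outcome: the token's expiry, its issue time, and Artifactory's revocable-expiry threshold. The script below is an added example, not code from the plugin or from anyone in this thread; it parses that error, computes the token lifetime (expiry minus issue time), and compares it with the threshold, then applies the same comparison to Vault-style lease strings so you can see which lease lengths would produce a token Artifactory is willing to revoke. The rule it encodes (a token whose lifetime is shorter than `revocableExpiryThresholdMillis` cannot be revoked) is inferred from the error detail and is an assumption of the example; the 6-hour default threshold is taken from the quoted value, not from the plugin.

```python
"""Check whether an Artifactory access token falls under the
revocable-expiry threshold, using the values Artifactory returns in its
"Token not revocable" error.

Added example; not part of the artifactory-secrets-plugin or of this
issue. ASSUMPTION: a token whose lifetime (expiry - issuedAt) is shorter
than revocableExpiryThresholdMillis is not revocable; this is inferred
from the error detail quoted in the thread.
"""
import json
import re

# Constructed copy of the error body quoted in the thread.
SAMPLE_ERROR = json.dumps({
    "code": "BAD_REQUEST",
    "message": "Token not revocable",
    "detail": ("Token not revocable. Token expirationTimeMillis: 1673028200098, "
               "issuedAtMillis: 1673027300098, "
               "revocableExpiryThresholdMillis: 21600000"),
})

_REQUIRED = ("expirationTimeMillis", "issuedAtMillis", "revocableExpiryThresholdMillis")
_FIELD_RE = re.compile(r"(%s):\s*(\d+)" % "|".join(_REQUIRED))


def parse_not_revocable(body: str) -> dict:
    """Extract the millisecond fields from a 'Token not revocable' error."""
    doc = json.loads(body)
    found = {k: int(v) for k, v in _FIELD_RE.findall(doc.get("detail", ""))}
    missing = [k for k in _REQUIRED if k not in found]
    if missing:
        raise ValueError(f"error detail lacks fields: {missing}")
    return found


def token_lifetime_ms(fields: dict) -> int:
    """Token lifetime as Artifactory sees it: expiry minus issue time."""
    return fields["expirationTimeMillis"] - fields["issuedAtMillis"]


def is_revocable(lifetime_ms: int, threshold_ms: int) -> bool:
    """ASSUMPTION: only tokens living at least the threshold are revocable."""
    return lifetime_ms >= threshold_ms


_UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def vault_duration_ms(duration: str) -> int:
    """Convert a Vault-style duration such as '5m', '1h' or '30s' to ms."""
    m = re.fullmatch(r"(\d+)([smhd])", duration.strip())
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2)]


def lease_is_revocable(lease: str, threshold_ms: int = 21_600_000) -> bool:
    """Would a Vault lease of this length yield a revocable Artifactory token?

    The default threshold is the 6h value quoted in the error above.
    """
    return is_revocable(vault_duration_ms(lease), threshold_ms)


if __name__ == "__main__":
    fields = parse_not_revocable(SAMPLE_ERROR)
    life = token_lifetime_ms(fields)
    thr = fields["revocableExpiryThresholdMillis"]
    print(f"lifetime {life} ms, threshold {thr} ms, revocable={is_revocable(life, thr)}")
    for lease in ("5m", "1h", "6h", "24h"):
        print(lease, "revocable" if lease_is_revocable(lease) else "NOT revocable")
```

For the quoted error the lifetime works out to 900000 ms (15 minutes), far below the 21600000 ms threshold, which is why the revoke call is rejected; under the same rule a 1h lease would also produce a token the DELETE cannot remove, so such a token only stops working when its own expiry is reached.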
Thanks @alexhung I will try and get a demo licence next week and test. |
FWIW, I tested this using the same version of Vault and Artifactory, but was unable to reproduce. I set the lease time to 5m so I didn't have to wait quite as long, but as soon as the lease expired, I saw this in the logs:
... then immediately attempted to use it:
So, I think the problem is that for some reason tokens are not being properly revoked on your system. I don't think this is a problem with the plugin itself. It may be the initial admin token does not have the ability to revoke tokens by ID or it may be that there is something else. I think once we solve the error on rotation in #23 this one will resolve itself. The "revoke" (DELETE) token command is the same for the end of a lease and rotating an admin token.
Artifactory version: 7.33.12
Vault Version: 1.12.2
Artifactory Plugin version: 0.2.0
I have set up the Artifactory Vault plugin following the instructions here: https://www.jfrog.com/confluence/display/JFROG/Hashicorp+Vault+Artifactory+Secrets+Plugin
However, when I request a token with a 1h lease, even though the plugin returns that the lease is for 1h, it is valid for 1 YEAR in Artifactory.
Token has a lease_duration of 1h
But in Artifactory the token lives for a year