New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install #324
Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install #324
Conversation
CI is down /retest |
manifests/02_config.cr.yaml
Outdated
@@ -4,5 +4,7 @@ metadata: | |||
name: cluster | |||
annotations: | |||
release.openshift.io/create-only: "true" | |||
# this flag is not set for a cluster coming from 4.5 via upgrade. Hence, 4.5 clusters will keep supporting non-sha256 tokens. | |||
oauth-apiserver.openshift.io/secure-token-storage: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if downgrade from fresh 4.6 cluster is possible. We have to add removal of this annotation to the 4.5 operator.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is 'fresh 4.6 install' a must requirement? Can we configure 'oauth-apiserver.openshift.io/secure-token-storage: "true"' manually after upgrading OCP4.5 to OCP4.6?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you can guarantee that you don't have old oauth tokens (those without sha256-
prefix) in the system, yes you can technically set this annotation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your comment. I will try to test this patch and feed back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how is it going?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. The patch works well. I confirmed we can monitor events of creating/deleting oauthaccesstokens. So we think we can monitor login/logout events using this feature. But we are testing this patch now and it will take some time to complete. Please wait a moment for further feedback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have additional comments. This patch works fine as we expected. Thanks.
/retest |
@sttts: This pull request references Bugzilla bug 1878648, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
61ccfc0
to
8da31ae
Compare
8da31ae
to
c736aa0
Compare
return err | ||
} | ||
|
||
// TODO(4.7): switch over to secure access-token logging by default and delete old non-sha256 tokens |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
who is going to delete old non-sha256 tokens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We will block upgrade. To be done.
c736aa0
to
969c134
Compare
969c134
to
f2cbbcf
Compare
/retest |
@sttts: This pull request references Bugzilla bug 1878648, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
2 similar comments
/retest |
/retest |
/retest |
/retest GCP errors. |
Seeing /hold cancel |
/retest |
1 similar comment
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
17 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@sttts: All pull requests linked via external trackers have merged:
Bugzilla bug 1878648 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The annotation
oauth-apiserver.openshift.io/secure-token-storage: true
set on the config/v1 apiserver object make oauth-apiserver deeply log oauth tokens, noth access and authorize.This requires that there are no non-sha256 tokens in the system. For 4.6 installs this is guaranteed.
After downgrade to 4.5 there is a controller removing the annotation.
After upgrade from 4.5, the annotation is not set. The admin can set it manually after having made sure that no non-sha256 tokens exist.
For upgrade to 4.7, non-sha256 tokens must not exist. If they do, the upgrade will be blocked by the auth operator (to be implemented).