Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install #324

sttts · 2020-08-21T09:17:50Z

The annotation oauth-apiserver.openshift.io/secure-token-storage: true set on the config/v1 apiserver object make oauth-apiserver deeply log oauth tokens, noth access and authorize.

This requires that there are no non-sha256 tokens in the system. For 4.6 installs this is guaranteed.

After downgrade to 4.5 there is a controller removing the annotation.

After upgrade from 4.5, the annotation is not set. The admin can set it manually after having made sure that no non-sha256 tokens exist.

For upgrade to 4.7, non-sha256 tokens must not exist. If they do, the upgrade will be blocked by the auth operator (to be implemented).

sttts · 2020-08-21T10:15:05Z

CI is down

/retest

sttts · 2020-08-21T10:26:01Z

manifests/02_config.cr.yaml

@@ -4,5 +4,7 @@ metadata:
  name: cluster
  annotations:
    release.openshift.io/create-only: "true"
+    # this flag is not set for a cluster coming from 4.5 via upgrade. Hence, 4.5 clusters will keep supporting non-sha256 tokens.
+    oauth-apiserver.openshift.io/secure-token-storage: "true"


if downgrade from fresh 4.6 cluster is possible. We have to add removal of this annotation to the 4.5 operator.

Is 'fresh 4.6 install' a must requirement? Can we configure 'oauth-apiserver.openshift.io/secure-token-storage: "true"' manually after upgrading OCP4.5 to OCP4.6?

If you can guarantee that you don't have old oauth tokens (those without sha256- prefix) in the system, yes you can technically set this annotation.

Thanks for your comment. I will try to test this patch and feed back later.

how is it going?

Thanks. The patch works well. I confirmed we can monitor events of creating/deleting oauthaccesstokens. So we think we can monitor login/logout events using this feature. But we are testing this patch now and it will take some time to complete. Please wait a moment for further feedback.

We don't have additional comments. This patch works fine as we expected. Thanks.

sttts · 2020-08-25T15:43:34Z

/retest

openshift-ci-robot · 2020-09-15T11:35:24Z

@sttts: This pull request references Bugzilla bug 1878648, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.6.0) matches configured target release for branch (4.6.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

p0lyn0mial · 2020-09-15T12:51:46Z

pkg/operator/starter.go

+		return err
+	}
+
+	// TODO(4.7): switch over to secure access-token logging by default and delete old non-sha256 tokens


who is going to delete old non-sha256 tokens?

We will block upgrade. To be done.

pkg/operator/starter.go

sttts · 2020-09-16T12:08:56Z

/retest

openshift-ci-robot · 2020-09-16T12:12:57Z

@sttts: This pull request references Bugzilla bug 1878648, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.6.0) matches configured target release for branch (4.6.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

sttts · 2020-09-16T15:04:57Z

/retest

sttts · 2020-09-17T06:44:37Z

/retest

sttts · 2020-09-17T14:07:58Z

/retest

sttts · 2020-09-18T10:26:42Z

/retest

sttts · 2020-09-18T12:39:32Z

/retest

GCP errors.

sttts · 2020-09-21T14:02:54Z

Seeing --audit-policy-file=/var/run/configmaps/audit/secure-oauth-storage-default.yaml in the oauth-apiserver deployment.

/hold cancel

sttts · 2020-09-21T16:39:27Z

/retest

sttts · 2020-09-21T19:29:46Z

/retest

tkashem · 2020-09-21T19:30:31Z

/lgtm

openshift-ci-robot · 2020-09-21T19:30:56Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2020-09-21T21:27:51Z

/retest