[ARVADOS] updated: 1.3.0-2958-g46fefa537

Git user git at public.arvados.org
Mon Aug 24 19:48:01 UTC 2020


Summary of changes:
 doc/_config.yml                                    |  1 +
 doc/admin/scoped-tokens.html.textile.liquid        |  6 +++
 .../token-expiration-policy.html.textile.liquid    | 56 ++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 doc/admin/token-expiration-policy.html.textile.liquid

       via  46fefa537c9bf8c2835a5ae26bf77a8dfb3fe10f (commit)
      from  00e16fb980a0a234d5944ffb06c5614d19280921 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 46fefa537c9bf8c2835a5ae26bf77a8dfb3fe10f
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Mon Aug 24 16:47:47 2020 -0300

    16678: Adds documentation about feature usage on the Admin section.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/doc/_config.yml b/doc/_config.yml
index bbab3f307..d1c64c61d 100644
--- a/doc/_config.yml
+++ b/doc/_config.yml
@@ -162,6 +162,7 @@ navbar:
       - admin/migrating-providers.html.textile.liquid
       - user/topics/arvados-sync-groups.html.textile.liquid
       - admin/scoped-tokens.html.textile.liquid
+      - admin/token-expiration-policy.html.textile.liquid
     - Monitoring:
       - admin/logging.html.textile.liquid
       - admin/metrics.html.textile.liquid
diff --git a/doc/admin/scoped-tokens.html.textile.liquid b/doc/admin/scoped-tokens.html.textile.liquid
index 5bad5f25b..18578a78d 100644
--- a/doc/admin/scoped-tokens.html.textile.liquid
+++ b/doc/admin/scoped-tokens.html.textile.liquid
@@ -4,6 +4,12 @@ navsection: admin
 title: Securing API access with scoped tokens
 ...
 
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
 By default, Arvados API tokens grant unlimited access to a user account, and admin account tokens have unlimited access to the whole system.  If you want to grant restricted access to a user account, you can create a "scoped token" which is an Arvados API token which is limited to accessing specific APIs.
 
 One use of token scopes is to grant access to data, such as a collection, to users who do not have an Arvados accounts on your cluster.  This is done by creating scoped token that only allows getting a specific record.  An example of this is "creating a collection sharing link.":{{site.baseurl}}/sdk/python/cookbook.html#sharing_link
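Review bot: the unchanged context in this hunk carries two grammatical slips that could be fixed while the file is being touched: "users who do not have an Arvados accounts on your cluster" should read "an Arvados account", and "This is done by creating scoped token" should read "creating a scoped token". The added Liquid license comment itself matches the header used in the new token-expiration-policy page, so no issue there.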
diff --git a/doc/admin/token-expiration-policy.html.textile.liquid b/doc/admin/token-expiration-policy.html.textile.liquid
new file mode 100644
index 000000000..7a3d79399
--- /dev/null
+++ b/doc/admin/token-expiration-policy.html.textile.liquid
@@ -0,0 +1,56 @@
+---
+layout: default
+navsection: admin
+title: Limiting user session's lifetime
+...
+
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
+Whenever a user authenticates to start a session on Workbench, a token is created that grants the user access to the Arvados API. This token has an expiration date that by default isn't set.
+
+Depending on the local security policies where any given Arvados cluster is installed, it may be needed to restrict these access tokens by giving them a default expiration date at creation time.
+
+For this very purpose, the site administrator can use the @Login.TokenLifetime@ configuration, assigning a token lifetime value that will be used for newly created tokens. When setting this value to zero, the feature is disabled.
+
+h2. Setting token's expiration
+
+Suppose that the organization's security policy requires that no user session should be valid for more than 12 hours from being created, the cluster configuration should be set like the following:
+
+<pre>
+Clusters:
+  zzzzz:
+    ...
+    Login:
+      TokenLifetime: 12h
+    ...
+</pre>
+
+This will force users to re-login every 12 hours and avoid any leaked token to be abused indefinitely.
+
+h2. Applying a policy to previously created tokens
+
+If you happen to have a previously working Arvados installation and need to set a token lifetime policy, chances are that the system has already issued user tokens without expiration. You can reset or remove these tokens using the Arvados API endpoints with the system root token, but we provide a couple of @rake@ tasks to make it easier:
+
+The @db:check_long_lived_tokens@ will list users owning tokens with no expiration date.
+
+<pre>
+# bundle exec rake db:check_long_lived_tokens
+Found 6 long-lived tokens from users:
+user2,user2 at example.com,zzzzz-tpzed-5vzt5wc62k46p6r
+admin,admin at example.com,zzzzz-tpzed-6drplgwq9nm5cox
+user1,user1 at example.com,zzzzz-tpzed-ftz2tfurbpf7xox
+</pre>
+
+To apply the currently configured policy to the non-expiring tokens, you need to execute the @db:fix_long_lived_tokens@ task.
+
+<pre>
+# bundle exec rake db:fix_long_lived_tokens
+Setting token expiration to: 2020-08-25 03:30:50 +0000
+6 tokens updated.
+</pre>
+
+NOTE: As there's no clear way to differentiate tokens created on user logins from other tokens, these rake tasks operate on the entire token collection so you may need to re-create special tokens, although tokens related to the system root user (@zzzzz-tpzed-000000000000000@) will be ignored.
\ No newline at end of file
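Review bot: the new page never states how @db:fix_long_lived_tokens@ derives the expiration it applies (the sample output shows "Setting token expiration to: 2020-08-25 03:30:50 +0000" but not that it is now plus @Login.TokenLifetime@) nor what the task does when @TokenLifetime@ is 0, which the page documents as "the feature is disabled"; a sentence covering both would keep admins from running it against an unconfigured cluster. The NOTE should also say explicitly that, because the tasks operate on the entire token collection, the scoped sharing-link tokens described on the scoped-tokens page will start expiring too, and recommend running @db:check_long_lived_tokens@ and reviewing its list before the fix task. Wording: "Limiting user session's lifetime" should be "Limiting user sessions' lifetime"; "avoid any leaked token to be abused indefinitely" should be "prevent any leaked token from being abused indefinitely"; "Suppose that ... 12 hours from being created, the cluster configuration should be set" is a comma splice ("... from being created. The cluster configuration should then be set ..."). Finally, the file is missing its trailing newline ("\ No newline at end of file").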

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list