Strange behaviour of dsameuser SSO token management when using ssoadm #141

Open
karelmaxa opened this issue Jul 24, 2023 · 1 comment
@karelmaxa

Currently, every ssoadm operation performed by the amAdmin account creates two SSO tokens (amAdmin, dsameuser). The token for amAdmin is destroyed when the operation is finished (CommandManager.java#L215), but the dsameuser token is not. These tokens are created as non-expiring, so the AM extends their validity until the shutdown, even though they are useless. In my opinion, these tokens should also be destroyed (or not created) because there is no use case for reusing them.

@pavelhoral

pavelhoral commented Jul 24, 2023

There are more issues related to admin tokens... The latest issue was solved in #63, although my comment contained an incorrect observation that admin tokens should not belong to CTS (storing admin tokens in CTS was a planned change for AM 14).

There are a few points that need to be addressed:

  • SSO Administration Tool (ssoadm) has to properly destroy its tokens - this is apparently not happening.
  • I am not sure if ssoadm really has to create a separate session for dsameuser (as stated in the original issue description).
  • It really does not make sense for the AM server to manage admin token expiration for tokens that are created by a different process.

karelmaxa added a commit to orchitech/wrenam that referenced this issue Jul 25, 2023
karelmaxa added a commit that referenced this issue Jul 26, 2023
…ement

Fix non expiring session management (#141)
harrdou pushed a commit to harrdou/wrenam that referenced this issue Oct 13, 2023