[
https://issues.apache.org/jira/browse/KNOX-3019?focusedWorklogId=909627&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909627
]
ASF GitHub Bot logged work on KNOX-3019:
----------------------------------------
Author: ASF GitHub Bot
Created on: 13/Mar/24 11:02
Start Date: 13/Mar/24 11:02
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #880:
URL: https://github.com/apache/knox/pull/880
## What changes were proposed in this pull request?
Implemented what's described in
[KNOX-3019](https://issues.apache.org/jira/browse/KNOX-3019):
- if `knox.token.exp.max-lifetime` is set to a negative value, tokens can be
renewed without a maximum lifetime check
- only non-expired tokens can be renewed
## How was this patch tested?
Updated current and added new JUnit tests.
Conducted manual testing. In both test rounds, the token TTL was set to 60
seconds and the token renewal interval was 30 seconds.
**1. Maximum lifetime set to 120 seconds**
```
<param>
<name>knox.token.exp.max-lifetime</name>
<value>120000</value>
</param>
<param>
<name>knox.token.exp.renew-interval</name>
<value>30000</value>
</param>
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:02 GMT
...
{"access_token":"eyJqa3UiOiJo...cd3baa","managed":"true",...}
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:17 GMT
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:03.445+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323343445,"maxLifetimeLong":1710323403574}]}
```
```
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoiaEZLVjIwMFRvUlpvZ3h2STZGVnZrODgxY3dsbzhUZHV2NlV4OTZZbmVhRSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJoRktWMjAwVG9SWm9neHZJNkZWdms4ODFjd2xvOFRkdXY2VXg5NlluZWFFIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyMzM0MywibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiODk2ZmEzNTctMmRiNC00MmVjLWI3MGEtOGE2M2ZlY2QzYmFhIn0.B83Nk8tdo_rsOWTJNHjYqYTkJ89vCaTqb1ICc_4stNl-lI2qd7WHA6vJ_5r-8VJ3m-DnnM4eYobiiCM7cYcX8pOdTcKKJtdxf71qTjHaAcLLEfsZrPTNqjRaOyyXYSMc4FhAHgZST_tzalqCZlRkEXmjb8ujKiSy4mjKsTp0kBr-YuzX7pFXYmTm-MHhJMtsgUkRMUJJ1U_f8idX1ey75JKiQHpo6pq3f05hdUxE0Sf3cIgdu26i61Fz2LP4HiLdyEC2D8AsgshG0gcJ3iO9219G5JE7L7wBk2srmF5FSifw5r6ame9mbPC6jf38ILnAjH98ZxtsvLVlyKoPg1VN5w"
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:35 GMT
...
{
"renewed": "true",
"expires": "1710323345043"
}
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:05.043+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323345043,"maxLifetimeLong":1710323403574}]}
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:02 GMT
...
{
"renewed": "true",
"expires": "1710323372533"
}
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 09:49:15 GMT
...
{
"renewed": "false",
"error": "The renewal limit for the token has been exceeded",
"code": 30
}
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:35 GMT
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:32.533+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323372533,"maxLifetimeLong":1710323403574}]}
```
As you can see, if a maximum lifetime is configured, tokens cannot be renewed
after they reach that time (minus a 30-second hardcoded buffer).
**2. Maximum lifetime set to -1**
````
<param>
<name>knox.token.exp.max-lifetime</name>
<value>-1</value>
</param>
<param>
<name>knox.token.exp.renew-interval</name>
<value>30000</value>
</param>
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:39 GMT
...
{"access_token":"eyJqa3UiOiJodH...-rp3MD-O0g","token_id":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","managed":"true",...}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:50 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:39.105+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324639105,"maxLifetimeLong":-1}]}
````
````
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoieUlFRFVtaEI3M2hxaG9vNmQ2LVRFMEtCTzVGNFYydzV6WU40MjZoMEZIbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJ5SUVEVW1oQjczaHFob282ZDYtVEUwS0JPNUY0VjJ3NXpZTjQyNmgwRkhvIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyNDYzOSwibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiMTlmMDA3NWUtOTNlZC00ZGJjLWEyZTYtZWU2YTgzMWQwMjVlIn0.CBiaq_8Z08zNKFgqMCdtbgJkwTBEzVoa73V1M6CisDKVnQwMv-PjnlMMHtikQshoBjH5vZqsPyOYw4YJRPGPli0oBoG06cBGxVEuJGrTUogr1Jhb9F5k6vjnPAuTWZHbJKw47kI9lr-7YHqfMAginFXEhT4WgEnHT_vUgDJBlP5ljZe6_mgKn91AE1U_Jf3QdTKCd2ZMO-ptpRbEbvc4hqcdMagb7Qc_gx6peetteFqJdGGN5ErqDHAuWHNbwod7wHg2P0iZw6CuDdZoRyuwiHSKTV0Y0GtH3azA7Uv3W97xCer28cq4Kp3fKMDUUUzW-77QpWzqbPpY-rp3MD-O0g"
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:14 GMT
...
{
"renewed": "true",
"expires": "1710324644107"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:19 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:44.107+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324644107,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:28 GMT
...
{
"renewed": "true",
"expires": "1710324658434"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:32 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:58.434+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324658434,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:41 GMT
...
{
"renewed": "true",
"expires": "1710324671849"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:49 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:11.849+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324671849,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:55 GMT
...
{
"renewed": "true",
"expires": "1710324685194"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:02 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:25.194+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324685194,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:15 GMT
...
{
"renewed": "true",
"expires": "1710324705093"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:17 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:45.093+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324705093,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:28 GMT
...
{
"renewed": "true",
"expires": "1710324718352"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:31 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:58.352+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324718352,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:46 GMT
...
{
"renewed": "true",
"expires": "1710324736987"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:50 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:16.987+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324736987,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:03 GMT
...
{
"renewed": "true",
"expires": "1710324753051"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:06 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:33.051+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324753051,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:20 GMT
...
{
"renewed": "true",
"expires": "1710324770295"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:23 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 10:12:56 GMT
...
{
"renewed": "false",
"error": "Expired tokens must not be renewed.",
"code": 90
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:13:02 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}
````
As this test proves, setting the maximum lifetime this way allows token renewal
operations as many times as one needs, as long as the token has not expired. The
original token expiration was `2024-03-13T11:10:39`, and I could extend that up
until `2024-03-13T11:12:50` (more than 2 minutes) easily.
Issue Time Tracking
-------------------
Worklog Id: (was: 909627)
Remaining Estimate: 0h
Time Spent: 10m
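The two renewal rules exercised above (no renewal past the maximum lifetime minus the 30-second buffer, and no renewal of an already expired token), modelled as a small decision function and replayed over the timestamps from test round 1. This is an added illustration, not Knox's own code; the comparison of the new expiration against `maxLifetime - buffer`, the constant names and the third request time (approximated from the `09:49:15 GMT` Date header) are assumptions that reproduce the responses shown, not the project's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional

UNBOUNDED = -1              # knox.token.exp.max-lifetime < 0: skip the max-lifetime check
RENEWAL_BUFFER_MS = 30_000  # the 30-second hardcoded buffer mentioned in the PR text (assumed)


@dataclass
class TokenState:
    token_id: str
    expiration_ms: int       # current "expirationLong"
    max_lifetime_ms: int     # "maxLifetimeLong"; -1 is rendered as "Unbounded"


@dataclass
class RenewalResult:
    renewed: bool
    expires_ms: Optional[int] = None
    error: Optional[str] = None
    code: Optional[int] = None


def renew(token: TokenState, now_ms: int, renew_interval_ms: int) -> RenewalResult:
    """Assumed model of the renewal decision; mutates the token on success."""
    # Rule 1 (KNOX-3019): a token that has already expired must never be renewed.
    if now_ms >= token.expiration_ms:
        return RenewalResult(False, error="Expired tokens must not be renewed.", code=90)
    new_expiration = now_ms + renew_interval_ms
    # Rule 2: with a non-negative max lifetime, the new expiration may not pass
    # max lifetime minus the buffer; a negative max lifetime disables the check.
    if token.max_lifetime_ms >= 0 and new_expiration > token.max_lifetime_ms - RENEWAL_BUFFER_MS:
        return RenewalResult(False, error="The renewal limit for the token has been exceeded", code=30)
    token.expiration_ms = new_expiration
    return RenewalResult(True, expires_ms=new_expiration)


def replay_bounded_round() -> List[RenewalResult]:
    """Replay test round 1 (max lifetime 120 s, renew interval 30 s) from the PR description."""
    token = TokenState("896fa357-2db4-42ec-b70a-8a63fecd3baa", 1710323343445, 1710323403574)
    # request times: the two "expires" values minus 30 s, then ~09:49:15 GMT (constructed)
    return [renew(token, now, 30_000) for now in (1710323315043, 1710323342533, 1710323355000)]


if __name__ == "__main__":
    for result in replay_bounded_round():
        print(result)
```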
> Allow tokens to be renewed any times
> ------------------------------------
>
> Key: KNOX-3019
> URL: https://issues.apache.org/jira/browse/KNOX-3019
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server, TokenGenerationUI
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Setting the TTL to {{-1}} results in tokens that never expire. If the TTL is
> configured to a positive number, renewing the token is the only way to extend
> its expiration time. By default, there is a cap on this event: a token cannot
> be renewed after it reaches the configured maximum lifetime (defaults to
> {{7 days}}).
> This task aims to provide end-users with a way to bypass this check and let
> tokens be renewed whenever they want. The logic would be similar to the
> {{Unlimited token}} handling: if the maximum lifetime is set to {{-1}},
> tokens would be subject to renewal without checking the maximum lifetime.
> Please note that token renewal still must be configured with a list of
> trusted users via the {{knox.token.renewer.whitelist}} configuration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)