Revoking kubectl / dex refresh tokens?


Alexei Daniline

Dec 17, 2017, 8:30:33 AM
to CoreOS User
Hi,

We had to revoke access rights to Tectonic after an employee left. Tectonic is integrated with LDAP. What is the procedure for revoking existing dex refresh tokens? Apparently, disabling the account does not stop running kubectl with an existing token in the kube config file.

Thank you,
Alexei Daniline

Rob Szumski

Dec 17, 2017, 3:20:41 PM
to Alexei Daniline, CoreOS User
Hi Alexei,

Two things that you probably want to do:
1. Assign the user to a role with no access and remove other roles. Any RBAC changes are immediately effective, which will instantly remove access, even if the refresh token is active.
2. Revoke the token by deleting the user’s “RefreshToken” custom resource definition. You can access this in the Console under Admin -> CRDs. Inside of each object is a “claims” stanza that indicates the user and email the token was issued for.

Let me know how that goes or if you have any other questions.

 - Rob

--
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alexei Daniline

Dec 17, 2017, 7:02:40 PM
to CoreOS User
Thank you! 

I deleted the refresh token custom resource right away, but it looks like the id token is valid for 24 hours. We had our RBAC mapping done based on LDAP group, and the group comes from the id token; we had to remove the group mapping and create separate mappings for each individual.

Alan

Dec 20, 2017, 2:39:10 PM
to CoreOS User
If you would like a stricter id token refresh policy, I would recommend you shorten the 'idTokens' refresh period to, say, 1 hour in the tectonic-identity configmap.

expiry:
  ...
  idTokens: "1h"

After you patch tectonic-identity, don't forget to patch the tectonic-identity pods by triggering the update:

kubectl patch deployment tectonic-identity \
  --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}" \
  --namespace tectonic-system


This way, once you revoke the user's token, the existing token will only be available for an hour.
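The revocation Rob describes through the Console (find the RefreshToken objects whose claims match the user, delete them), done from kubectl, together with the id-token window Alan's configmap change sets. This is an added example, not code from the thread or from Tectonic/dex; it assumes the dex refresh-token CRD is named refreshtokens.dex.coreos.com and lives in tectonic-system, and the sample objects are constructed.

```python
import json
import re
import subprocess

CRD = "refreshtokens.dex.coreos.com"  # assumed dex CRD resource name
NAMESPACE = "tectonic-system"         # namespace from Alan's command

# Constructed sample of `kubectl get <CRD> -n <ns> -o json` output.
SAMPLE_LIST = json.loads("""{"items": [
 {"metadata": {"name": "aaaa1111"}, "claims": {"email": "jdoe@example.com", "groups": ["eng"]}},
 {"metadata": {"name": "bbbb2222"}, "claims": {"email": "JDoe@example.com", "groups": ["eng", "ops"]}},
 {"metadata": {"name": "cccc3333"}, "claims": {"email": "alice@example.com", "groups": ["eng"]}}
]}""")

def tokens_for_user(token_list, email):
    """Names of RefreshToken objects whose claims.email is `email` (case-insensitive)."""
    wanted = email.strip().lower()
    return [item["metadata"]["name"]
            for item in token_list.get("items", [])
            if item.get("claims", {}).get("email", "").lower() == wanted]

def delete_commands(names):
    """kubectl invocations that delete the given RefreshToken objects."""
    return [["kubectl", "delete", CRD, n, "-n", NAMESPACE] for n in names]

def parse_ttl(ttl):
    """Seconds in a dex expiry string such as "24h", "1h30m" or "15m"."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", ttl)
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError("unsupported duration: %r" % ttl)
    return sum(int(n) * units[u] for n, u in parts)

def revoke(email, token_list=None, run=False):
    """Print (run=True: execute) the deletes for `email`; returns the commands.
    Deleting only stops renewal: an id token already in the kubeconfig stays
    valid until its `idTokens` expiry, so also change RBAC (Rob's step 1)."""
    if token_list is None:  # live cluster: fetch the objects via kubectl
        token_list = json.loads(subprocess.check_output(
            ["kubectl", "get", CRD, "-n", NAMESPACE, "-o", "json"]))
    cmds = delete_commands(tokens_for_user(token_list, email))
    for cmd in cmds:
        print(" ".join(cmd))
        if run:
            subprocess.check_call(cmd)
    return cmds

if __name__ == "__main__":
    revoke("jdoe@example.com", SAMPLE_LIST)  # dry run on the constructed sample
```

Call `revoke("user@example.com")` against a live cluster to list the deletes, and `run=True` to execute them; `parse_ttl` gives the remaining exposure window for the configured `idTokens` value.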