-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth: a new option for configuring TTL of jwt tokens #8302
Conversation
/cc @vedant15 this PR adds the functionality for configuring TTL of jwt tokens. Unlike simple tokens, jwt tokens' TTL won't be extended by RPCs so clients need to retry after the expiration. |
@mitake will the client automatically acquire a new JWT token if the current one expires? Also, this probably needs a test case; I can't find where |
@heyitsanthony yes, jwt-go checks the expiration with this flow |
@mitake Do we want to include this in 3.3? Otherwise, we can move this to 3.4. Thanks. |
@gyuho I think it is not an emergent stuff so moving to 3.4 is ok. |
@gyuho updated for an e2e test case, could you take a look? |
This commit adds a new option of --auth-token, ttl, for configuring TTL of jwt tokens. It can be specified like this: ``` --auth-token jwt,pub-key=<pub key path>,priv-key=<priv key path>,sign-method=<sign method>,ttl=5m ``` In the above case, TTL will be 5 minutes.
rebased on the latest master |
So, if no TTL given, does this defaults to 5-min? Is there any specific reason? |
No specific reason for now. If you think we should change, please let me know. |
Would it be breaking change, if previous behavior is auth token never expires? I am ok with either way. Maybe highlight this change more loud around configuration.md and etcdmain/help.go? |
It isn't a breaking change. clientv3 automatically refresh the expired token so existing etcd users won't be aware about this change. It is ensured in the test https://github.com/coreos/etcd/pull/8302/files#diff-4e20b6b68ada25d636aa265f49dcfa19 |
Oh, it will be just assigned a new token. Makes sense. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm on test passes.
This commit adds a new option of --auth-token, ttl, for configuring
TTL of jwt tokens. It can be specified like this:
In the above case, TTL will be 5 minutes.
/cc @fanminshi