Bug #16736

Updated by Peter Amstutz about 1 year ago

From chat:

Peter Amstutz:
it would be a new option API.MaximumTokenLifetime:

* If no expiration time is given in the create call, it is the "maximum" expiration (new configuration option API.MaximumTokenLifetime)
* For regular users, expires_at is clamped to MaximumTokenLifetime for create/update
* Admins can create tokens with any expiration time.
* Tokens created to run a container have a set expire time (because it will expire when the container ends)
* Tokens created for use on a shell node by arvados-login-sync script have max lifetime, and are rotated by the script on some interval (like MaximumTokenLifetime/2)

Tokens created through login use Login.TokenLifetime (existing behavior).

... security hole to create a token where T2 > T1, so we don't have to worry so much about using a stolen token to create a new token, because it wouldn't grant any extra time. However we still do not disallow listing tokens, because you could steal other tokens, unless the listing hides tokens that have a longer lifetime than the current one.
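The clamping, rotation and listing rules sketched in the chat, as an added Ruby example that is not Arvados code; the function names, the treatment of `nil` as "no expiry" and of a non-positive `max_lifetime` as "unlimited" are assumptions made here:

```ruby
require 'time'

# Effective expires_at for a token create/update request (hypothetical helper).
# max_lifetime: API.MaximumTokenLifetime in seconds (assumed: <= 0 means unlimited).
def effective_expires_at(requested_expires_at, now:, max_lifetime:, admin: false)
  # Admins may choose any expiration time, including none (nil).
  return requested_expires_at if admin
  # No configured maximum: keep whatever the caller asked for.
  return requested_expires_at if max_lifetime.nil? || max_lifetime <= 0
  cap = now + max_lifetime
  # No expiration given: the token gets the configured maximum.
  return cap if requested_expires_at.nil?
  # Regular users: clamp the requested expiry to the maximum.
  [requested_expires_at, cap].min
end

# Rotation check for arvados-login-sync style tokens: rotate once half of
# MaximumTokenLifetime has elapsed since the token was issued.
def rotate_token?(created_at, now:, max_lifetime:)
  now - created_at >= max_lifetime / 2.0
end

# Listing rule from the chat: hide tokens that live longer than the caller's
# own token, so a stolen token cannot be used to harvest longer-lived ones.
# Each token is a Hash with :expires_at (Time or nil for "never expires").
def listable_tokens(tokens, current_expires_at)
  return tokens if current_expires_at.nil?          # unlimited caller sees all
  tokens.select do |t|
    !t[:expires_at].nil? && t[:expires_at] <= current_expires_at
  end
end
```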