Bug #16736
Updated by Peter Amstutz over 4 years ago
Previous description:

From chat:
<pre>
Peter Amstutz: it would be a security hole to create a token where T2 > T1 so we don't have to worry so much about using a stolen token to create a new token because it wouldn't grant any extra time however we still want to disallow listing tokens, because you could steal other tokens unless the listing hides tokens that have a longer lifetime than the current one
</pre>

New description:

Add new option API.MaximumTokenLifetime:

* If no expiration time is given in the create call, it is the "maximum" expiration (new configuration option API.MaximumTokenLifetime)
* For regular users, expires_at is clamped to MaximumTokenLifetime for create/update
* Admins can create tokens with any expiration time.
* Tokens created to run a container do not have a set expire time (because it will expire when the container ends)
* Tokens created for use on a shell node by arvados-login-sync script have max lifetime, and are rotated by the script on some interval (like MaximumTokenLifetime/2)

Tokens created through login use Login.TokenLifetime (existing behavior).
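
The lifetime rules listed above, written out as an added Ruby example (not Arvados code, and not part of the ticket). The function names, the `purpose` symbols and both lifetime values are assumptions chosen for illustration.

```ruby
# Added illustration of the proposed rules. resolve_expiry, rotation_due?,
# the purpose symbols and the constant values are hypothetical.

MAX_TOKEN_LIFETIME   = 24 * 3600 # assumed API.MaximumTokenLifetime, in seconds
LOGIN_TOKEN_LIFETIME = 12 * 3600 # assumed Login.TokenLifetime, in seconds

# Returns the expires_at to store for a token, or nil when no expiry is set.
#   purpose   - :api (create/update call), :container, :shell_node or :login
#   admin     - true when the caller is an admin
#   requested - Time asked for by the caller, or nil when none was given
#   now       - current Time (passed in so the result is deterministic)
def resolve_expiry(purpose:, admin:, requested:, now:)
  cap = now + MAX_TOKEN_LIFETIME
  case purpose
  when :container
    nil                          # token expires when the container ends
  when :shell_node
    cap                          # arvados-login-sync tokens get the max lifetime
  when :login
    now + LOGIN_TOKEN_LIFETIME   # existing behavior, unchanged by the option
  when :api
    return cap if requested.nil? # no expiration given: use the maximum
    return requested if admin    # admins may choose any expiration time
    [requested, cap].min         # regular users are clamped to the maximum
  else
    raise ArgumentError, "unknown purpose #{purpose.inspect}"
  end
end

# True when a shell-node token is old enough that the sync script should
# replace it, using the MaximumTokenLifetime/2 interval from the description.
def rotation_due?(issued_at:, now:)
  now - issued_at >= MAX_TOKEN_LIFETIME / 2
end
```
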