Bug 1384946

Summary: Prevent usage of service account OAuth tokens for external access
Product: OpenShift Container Platform
Reporter: Jaspreet Kaur <jkaur>
Component: RFE
Assignee: Mo <mkhan>
Status: CLOSED CANTFIX
QA Contact: Johnny Liu <jialiu>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.3.0
CC: aos-bugs, jkaur, jliggitt, jokerman, mfojtik, mkhan, mmccomas, pweil, rhowe, simon.gunzenreiner, ssorce
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-26 15:36:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Jaspreet Kaur 2016-10-14 12:03:41 UTC
3. What is the nature and description of the request?

 Prevent usage of service account OAuth tokens for external access

4. Why does the customer need this? (List the business requirements here)

Service account tokens currently have no validity period. This is troublesome from a security point of view, because it allows a user to copy such a token and use it from outside of the platform. While in some cases this is justified, in most cases, where it is not identified as OK, it should be prevented. Otherwise, even people who leave the company could keep using such a token for access to the platform.

5. How would the customer like to achieve this? (List the functional requirements here)

 We would like to maintain a whitelist (to be defined by the administrator) of service accounts which may access the platform from outside (external to the platform).

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

 yes
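The two points the request makes (legacy service account tokens carry no expiry, and external use should be limited to an administrator-defined whitelist) can be checked and modelled in a few lines. The script below is an added illustration written for this page; it is not OpenShift code and not the reporter's. The sample tokens are constructed with placeholder signatures and follow the claim layout of legacy Kubernetes service account tokens (`sub` of the form `system:serviceaccount:<namespace>:<name>`); the internal CIDRs, the allowlist entries and the source-IP test for "external" are all assumptions for the example, and claims are decoded without signature verification, which is fine for inspection only.

```python
import base64
import ipaddress
import json
from typing import Optional, Tuple

# --- Constructed sample tokens (not real credentials) ---------------------
# Every token here carries a placeholder signature; this example only
# inspects claims and never validates a signature.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

# Legacy service account token: claim layout of the token controller's
# tokens, with no "exp" claim, which is the situation the RFE describes.
LEGACY_SA_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/service-account.name": "builder",
    "sub": "system:serviceaccount:ci:builder",
})

# Same shape, for a service account the administrator allowlists for
# external use (hypothetical name).
ALLOWLISTED_SA_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/service-account.name": "jenkins-external",
    "sub": "system:serviceaccount:ci:jenkins-external",
})

# A token that does carry an expiry, for contrast.
BOUND_SA_TOKEN = make_unsigned_token({
    "sub": "system:serviceaccount:ci:builder",
    "exp": 1700000000,
})

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_expires(token: str) -> bool:
    """True if the token carries an 'exp' claim; legacy SA tokens do not."""
    return "exp" in decode_claims(token)

def service_account_from_sub(sub: str) -> Optional[Tuple[str, str]]:
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name); None for other subjects."""
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        return None
    ns, _, name = sub[len(prefix):].partition(":")
    return (ns, name) if ns and name else None

# Assumed cluster-internal ranges (OpenShift's default pod and service CIDRs).
INTERNAL_CIDRS = [ipaddress.ip_network("10.128.0.0/14"),
                  ipaddress.ip_network("172.30.0.0/16")]

# Administrator-maintained allowlist of service accounts permitted to use
# their token from outside the cluster (hypothetical entries).
EXTERNAL_ALLOWLIST = {("ci", "jenkins-external")}

def is_internal(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in INTERNAL_CIDRS)

def allow_request(token: str, source_ip: str) -> bool:
    """Policy from the RFE: a service account token used from outside the
    cluster is accepted only for allowlisted service accounts. Subjects that
    are not service accounts (human users) are left untouched."""
    sa = service_account_from_sub(decode_claims(token).get("sub", ""))
    if sa is None or is_internal(source_ip):
        return True
    return sa in EXTERNAL_ALLOWLIST

if __name__ == "__main__":
    for label, tok in [("legacy", LEGACY_SA_TOKEN), ("bound", BOUND_SA_TOKEN)]:
        print(f"{label}: exp claim present = {token_expires(tok)}")
    print("legacy SA from pod network:", allow_request(LEGACY_SA_TOKEN, "10.128.1.5"))
    print("legacy SA from internet:", allow_request(LEGACY_SA_TOKEN, "203.0.113.7"))
    print("allowlisted SA from internet:", allow_request(ALLOWLISTED_SA_TOKEN, "203.0.113.7"))
```

`token_expires` is the quick check an administrator can run against a token copied off a cluster: a legacy token decodes to a payload with no `exp`, so nothing in the token itself ever stops it working after the holder has left. `allow_request` is only a model of the requested whitelist; the real enforcement point would have to be the API server's authenticator, and classifying "external" by source address is a stand-in that a proxy or NAT in front of the masters would defeat.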