Description Joel Rosental R.
2017-06-13 11:10:30 UTC
1) Proposed title of this feature request:
Support for granting temporary access to users.
3) What is the nature and description of the request?
As a customer I want to give temporary access out to some users / service accounts by assigning maybe a token which is valid for a specified amount of time.
4) Why does the customer need this? (List the business requirements here)
There are application support teams that need the ability to request temporary access; it is a standard that permanent admin access is not given out, only read-only.
5) How would the customer like to achieve this? (List the functional requirements here)
A service account token or rolebinding timeout
8) Does the customer have any specific timeline dependencies?
No, we have worked around the issue but are keen to do it natively within OpenShift.
11) Would the customer be able to assist in testing this functionality if implemented?
Yes.
Believe this was addressed with this PR: https://github.com/openshift/origin/pull/14784
Which allows overriding max access token age per OAuthClient.
OAuthClient object gains a new field: accessTokenMaxAgeSeconds
When absent, the master-config value is used
When set to 0, tokens issued for that client do not expire
When set to a value > 0, tokens issued for that client are given the specified expiration time
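
Added example, not part of the original report or of the linked PR: an audit sketch that applies the three accessTokenMaxAgeSeconds cases listed above to a set of OAuthClient objects and reports clients whose tokens never expire or outlive a policy ceiling. The client names, the 86400-second master-config value and the 8-hour ceiling are assumptions made for the illustration.

```python
import json

# Constructed sample shaped like `oc get oauthclients -o json`; names are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "support-temp-access"}, "accessTokenMaxAgeSeconds": 3600},
 {"metadata": {"name": "legacy-integration"}, "accessTokenMaxAgeSeconds": 0},
 {"metadata": {"name": "default-web-client"}},
 {"metadata": {"name": "long-lived-tool"}, "accessTokenMaxAgeSeconds": 604800},
 {"metadata": {"name": "typo-client"}, "accessTokenMaxAgeSeconds": -1}
]}
""")["items"]

MASTER_DEFAULT = 86400  # assumption: the master-config token lifetime, in seconds
POLICY_MAX = 8 * 3600   # hypothetical site policy: no token outlives a support shift


def effective_max_age(client, master_default):
    """Lifetime in seconds for tokens issued to this client; None means no expiry."""
    if "accessTokenMaxAgeSeconds" not in client:
        return master_default             # absent: master-config value is used
    value = client["accessTokenMaxAgeSeconds"]
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"unexpected accessTokenMaxAgeSeconds: {value!r}")
    return None if value == 0 else value  # 0: tokens do not expire


def audit(clients, master_default=MASTER_DEFAULT, policy_max=POLICY_MAX):
    """Return (client name, issue, effective age) for clients that break policy."""
    findings = []
    for client in clients:
        name = client["metadata"]["name"]
        try:
            age = effective_max_age(client, master_default)
        except ValueError:
            findings.append((name, "invalid-value", None))
            continue
        if age is None:
            findings.append((name, "never-expires", None))
        elif age > policy_max:
            inherited = "accessTokenMaxAgeSeconds" not in client
            issue = "inherited-default-too-long" if inherited else "override-too-long"
            findings.append((name, issue, age))
    return findings


if __name__ == "__main__":
    for name, issue, age in audit(SAMPLE):
        print(f"{name}: {issue} (effective max age: {age})")
```

The "inherited-default-too-long" case matters for the temporary-access use case in this request: a client with no override silently gets whatever the master-config value is.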