Bug 1919979
| Summary: | [RFE] Global Registration: Allow invalidating all JWT registration tokens for a user | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Kenny Tordeurs <ktordeur> |
| Component: | Registration | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | NEW --- | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.9.0 | CC: | ahumbe, lstejska, mhulan, rlavi, sokeeffe |
| Target Milestone: | Unspecified | Keywords: | EasyFix, FutureFeature, RFE, Triaged |
| Target Release: | Unused | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Kenny Tordeurs
2021-01-25 13:59:13 UTC
In 6.9, there won't be a built-in way, but we can provide a KCS with the following instructions to invalidate all user's JWTs. Let's assume there's a user with login admin who generated at least one registration command. Therefore it has a jwt_secret stored in our database that is used to decode/verify the token. To invalidate all registration commands (or more precisely all JWT ever generated for this user) perform the following.
On the Satellite server:
1. run `foreman-rake console`
2. User.find_by_login('admin').jwt_secret.destroy
3. you should see the JWT printed out and the console expecting another command, type `exit`
If you instead see NoMethodError: undefined method `destroy' for nil:NilClass, it means the user didn't have the JWT secret stored. Meaning they either didn't render any registration command or their secret was already deleted. For debugging purposes, you can simply run User.find_by_login('admin').jwt_secret and see if the secret exists or not. nil means it does not exist.
I'm keeping this open as an RFE for future versions though. In 6.10 the JWT will be scoped for registration purposes only, however we may still consider adding a way to reset the secret to the application. I'd suggest to backlog.
Kenny, would you be able to create such KCS based on the information provided here?
KCS shipped live -> https://access.redhat.com/solutions/5767701 Created redmine issue https://projects.theforeman.org/issues/34246 from this bug Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you. Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you. |