Bug 1568456 - kibana-proxy not honoring oauth sessionMaxAgeSeconds
Summary: kibana-proxy not honoring oauth sessionMaxAgeSeconds
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.10.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-17 14:28 UTC by Borja Aranda
Modified: 2018-10-23 06:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-26 23:26:55 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Borja Aranda 2018-04-17 14:28:11 UTC
Description of problem:
kibana-proxy does not be honor the sessionConfig in master-config.yml.

Although the oauth is configured with a sessionMaxAgeSeconds greater than 3600 seconds, the kibana console always times out after 3600 seconds.

It doesn't seem to be related to the kibana-proxy oauthclient, as it retrieves the correct token and with the correct expiration time.

### oauthclient kibana-proxy
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
metadata:
  creationTimestamp: 2018-04-03T08:31:00Z
  labels:
    logging-infra: support
  name: kibana-proxy
  resourceVersion: "1847494"
  selfLink: /apis/oauth.openshift.io/v1/oauthclients/kibana-proxy
  uid: 56922827-3719-11e8-ab2b-fa163ee6399e
redirectURIs:
- https://kibana.apps.mordor.quicklab.pnq2.cee.redhat.com
scopeRestrictions:
- literals:
  - user:info
  - user:check-access
  - user:list-projects
secret: qpDNJp11cCYVFLqLUJB1J6AUiHIB3j36exFGVgMNMIqhL4TXrHHZ8SB9YOi8cJ7r

### oauthaccesstoken 
apiVersion: oauth.openshift.io/v1
authorizeToken: OdxB7gbRxlNcT05oWdtqTQjV3AerKW8126Hb8fluMO0
clientName: kibana-proxy
expiresIn: 86400
kind: OAuthAccessToken
metadata:
  creationTimestamp: 2018-04-17T14:21:38Z
  name: LEthOz7n63g2JSgv_y80Rbn8z5BRQ6yUo4MkQsV1LG4
  resourceVersion: "6040021"
  selfLink: /apis/oauth.openshift.io/v1/oauthaccesstokens/LEthOz7n63g2JSgv_y80Rbn8z5BRQ6yUo4MkQsV1LG4
  uid: a4417f79-424a-11e8-b394-fa163ee6399e
redirectURI: https://kibana.apps.mordor.quicklab.pnq2.cee.redhat.com/auth/openshift/callback
scopes:
- user:info
- user:check-access
- user:list-projects
userName: cluster-admin
userUID: 8e426d52-3275-11e8-8103-fa163ee6399e

Version-Release number of selected component (if applicable):
openshift v3.9.14
EFK components: 3.9.14

How reproducible:
1. deploy EFK 3.9.14
2. configure master-config.yml and edit sessionMaxAgeSeconds with a value greater than 3600
3. restart api and controllers
4. kibana session ends after 3600 seconds.

Actual results:
kibana session times out

Expected results:
kibana session available for ${sessionMaxAgeSeconds} seconds.

Comment 1 Jeff Cantrill 2018-04-26 23:26:55 UTC
This is not a bug.  The proxy [1] which fronts Kibana has an expiration setting that is unrelated to the value defined in the master-config.  It can be explicitly set by modifying the logging-kibana environment variable to set it the desired value in millis.

[1] https://github.com/fabric8io/openshift-auth-proxy
[2] https://github.com/fabric8io/openshift-auth-proxy/blob/master/lib/config.js#L53


Note You need to log in before you can comment on or make changes to this bug.