Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add invalidating registration tokens #3595

Draft
wants to merge 8 commits into
base: master
Choose a base branch
from
Draft

Add invalidating registration tokens #3595

wants to merge 8 commits into from
+121 −0

Conversation

Lennonka
Copy link
Contributor

@Lennonka Lennonka commented Jan 17, 2025
edited
Loading

What changes are you introducing?

Adding 3 procedures for invalidation of the registration JSON Web Tokens (JWTs):

  1. Invalidating one's own JWTs
  2. Invalidating JWTs of one or more other users
  3. Invalidating JWTs of all users at once

All three user stories will be available in the UI, CLI, and API.

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

Redmine: 37936, 38138, ... (TBD)
RH Jira: SAT-27385 (private)

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

  • Currently under development

Checklists

  • I am okay with my commits getting squashed when you merge this PR.
  • I am familiar with the contributing guidelines.

Please cherry-pick my commits into: N/A

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 17, 2025
edited
Loading

The PR preview for b339ba8 is available at theforeman-foreman-documentation-preview-pr-3595.surge.sh

The following output files are affected by this PR:

show diff

show diff as HTML

@Lennonka Lennonka force-pushed the add-invalidating-reg-tokens branch from f6abc2f to 97ccbee Compare January 17, 2025 21:56
@Lennonka Lennonka added the Waiting for code Requires merge of related code in another repository before it can be merged label Jan 17, 2025
@Lennonka
Copy link
Contributor Author

@asteflova Can you please review this for placement and structure for now?

aneta-petrova
aneta-petrova reviewed Jan 20, 2025
View reviewed changes
guides/common/modules/proc_invalidating-jwts-of-all-users.adoc Outdated
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ curl
----
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an Ansible module too?

Suggested change
----
----
.Ansible procedure

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think there will be. @girijaasoni Can you please confirm?

@aneta-petrova
Copy link
Member

@asteflova Can you please review this for placement and structure for now?

You're adding the procedures to a chapter named Managing users and roles. Except this is not quite about managing users, is it? If I look at the chapter introduction, it talks about creating accounts and managing their permissions. I don't think registration tokens are part of that.

Invalidating registration tokens is not something you're likely to want to do when managing user accounts and permissions. It's something you're more likely to want to do when/after registering hosts. So perhaps add this to Managing Hosts? Around the place where you now only add an external link?

girijaasoni
girijaasoni reviewed Jan 22, 2025
View reviewed changes
guides/common/modules/proc_invalidating-jwts-of-all-users.adoc
To use the CLI instead of the {ProjectWebUI}, see the xref:cli-invalidating-jwts-of-all-usersvvv[].
To use the API, see the xref:api-invalidating-jwts-of-all-users[].

.Prerequisites
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't need view_users permissions for api or cli

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That depends on how we write the procedure. In some cases it can be beneficial to list users to find their IDs before they run the main command. In such case, they would need the view_users permission, wouldn't they?

I'll revisit this once I have the commands ready.

Lennonka
Lennonka commented Jan 24, 2025
View reviewed changes
guides/common/modules/proc_invalidating-jwts-of-all-users.adoc
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ hammer registration-tokens invalidate ???
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@girijaasoni What is the command to invalidate tokens for all users?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@girijaasoni girijaasoni girijaasoni left review comments

@aneta-petrova aneta-petrova aneta-petrova left review comments

Assignees
No one assigned
Labels
Waiting for code Requires merge of related code in another repository before it can be merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Lennonka @aneta-petrova @girijaasoni