Add invalidating registration tokens #3595

Draft: wants to merge 8 commits into base: master

Changes from 1 commit
8 changes: 8 additions & 0 deletions guides/common/assembly_managing-users-and-roles.adoc
@@ -20,6 +20,14 @@ include::modules/proc_creating-a-personal-access-token.adoc[leveloffset=+2]

include::modules/proc_revoking-a-personal-access-token.adoc[leveloffset=+2]

include::modules/con_invalidating-registration-tokens.adoc[leveloffset=+1]

include::modules/proc_invalidating-your-own-jwts.adoc[leveloffset=+2]

include::modules/proc_invalidating-jwts-of-other-users.adoc[leveloffset=+2]

include::modules/proc_invalidating-jwts-of-all-users.adoc[leveloffset=+2]

include::modules/con_creating-and-managing-user-groups.adoc[leveloffset=+1]

include::modules/con_user-groups.adoc[leveloffset=+2]
@@ -0,0 +1,9 @@
[id="invalidating-registration-tokens"]
= Invalidating registration tokens

When you generate a registration command in global host registration, {Project} also generates a unique JSON Web Token (JWT) that is used to authorize the registration call from a host to {ProjectServer}.
This JWT is bound to the user that generated the registration command.

Users can configure a custom validity duration for the JWT.
If the validity duration is too long or if the JWT has been compromised, the JWT poses a security concern.
To mitigate this concern, the {Project} administrator or users with adequate permissions can invalidate existing JWTs.
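Review bot: "invalidate existing JWTs" in the last paragraph leaves the granularity open, while every procedure this concept introduces invalidates all registration tokens of a user at once (your own, a chosen user's, or all users'), never a single token; say so here, and name where the validity duration is configured and what its default is, so that "too long" has a reference point for the reader.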
36 changes: 36 additions & 0 deletions guides/common/modules/proc_invalidating-jwts-of-all-users.adoc
@@ -0,0 +1,36 @@
[id="invalidating-jwts-of-all-users"]
= Invalidating JWTs of all users

You can invalidate all registration JSON Web Tokens of all users at once.

To use the CLI instead of the {ProjectWebUI}, see the xref:cli-invalidating-jwts-of-all-usersvvv[].
To use the API, see the xref:api-invalidating-jwts-of-all-users[].

.Prerequisites

Review comment: We don't need `view_users` permissions for API or CLI.

Contributor Author: That depends on how we write the procedure. In some cases it can be beneficial to list users to find their IDs before they run the main command. In such a case, they would need the view_users permission, wouldn't they?

I'll revisit this once I have the commands ready.
* Your {Project} user has a role that grants the `view_users` and `edit_users` permissions.

.Procedure
. In the {ProjectWebUI}, navigate to *Administer* > *Users*.
. Click *Invalidate JWTs for all users*.
. In the popup window, click *Confirm*.

Check failure on line 15 in guides/common/modules/proc_invalidating-jwts-of-all-users.adoc (GitHub Actions / linter): [vale] [RedHat.CaseSensitiveTerms] Use 'pop-up' rather than 'popup'.

.Verification
* The {ProjectWebUI} displays the following message: `Successfully invalidated registration tokens for all users.`

[id="cli-invalidating-jwts-of-all-users"]
.CLI procedure
* Invalidate all registration tokens of all users by running Hammer:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ hammer
----

[id="api-invalidating-jwts-of-all-users"]
.API procedure
* Invalidate all registration tokens of all users by calling the following API endpoint:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ curl
----
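Review bot: the CLI cross-reference `xref:cli-invalidating-jwts-of-all-usersvvv[]` does not match the anchor `[id="cli-invalidating-jwts-of-all-users"]` defined in the CLI procedure of this module, so it will not resolve; drop the stray `vvv`. The CLI and API blocks still hold only `$ hammer` and `$ curl` with no subcommand, endpoint or authentication shown, so those two procedures cannot be followed as written; recheck the prerequisite once the commands are in, since the thread above notes that `view_users` is not required for the API or CLI path.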
Member: Is there an Ansible module too?

Suggested change
----
----
.Ansible procedure

Contributor Author: I don't think there will be. @girijaasoni Can you please confirm?
36 changes: 36 additions & 0 deletions guides/common/modules/proc_invalidating-jwts-of-other-users.adoc
@@ -0,0 +1,36 @@
[id="invalidating-jwts-of-other-users"]
= Invalidating JWTs of other users

You can invalidate all registration JSON Web Tokens of one or more users.

To use the CLI instead of the {ProjectWebUI}, see the xref:cli-invalidating-jwts-of-other-users[].
To use the API, see the xref:api-invalidating-jwts-of-other-users[].

.Prerequisites
* Your {Project} user has a role that grants the `view_users` and `edit_users` permissions.

.Procedure
. In the {ProjectWebUI}, navigate to *Administer* > *Users*.
. In the row of the user whose registration tokens you want to invalidate, from the actions menu, select *Invalidate JWTs*.
. In the popup window, click *Confirm*.

Check failure on line 15 in guides/common/modules/proc_invalidating-jwts-of-other-users.adoc (GitHub Actions / linter): [vale] [RedHat.CaseSensitiveTerms] Use 'pop-up' rather than 'popup'.

.Verification
* The {ProjectWebUI} displays the following message: `Successfully invalidated registration tokens for _the user_.`

[id="cli-invalidating-jwts-of-other-users"]
.CLI procedure
* Invalidate all registration tokens of multiple users by running Hammer:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ hammer
----

[id="api-invalidating-jwts-of-other-users"]
.API procedure
* Invalidate all registration tokens of multiple users by calling the following API endpoint:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ curl
----
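Review bot: the lead sentence, the CLI bullet and the API bullet describe invalidating tokens of "one or more" or "multiple" users, but the web UI steps only act on a single user through that user's row in the actions menu; either add the web UI steps for selecting several users or state that the web UI invalidates one user at a time. As in the previous module, `$ hammer` and `$ curl` are placeholders with no command behind them.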
37 changes: 37 additions & 0 deletions guides/common/modules/proc_invalidating-your-own-jwts.adoc
@@ -0,0 +1,37 @@
[id="invalidating-your-own-jwts"]
= Invalidating your own JWTs

You can invalidate all registration JSON Web Tokens of the current user.

To use the CLI instead of the {ProjectWebUI}, see the xref:cli-invalidating-your-own-jwts[].
To use the API, see the xref:api-invalidating-your-own-jwts[].

.Prerequisites
* You are logged in to the {ProjectWebUI}.

.Procedure
. In the {ProjectWebUI}, click the user menu in the top bar and select *My Account*.
. Select the *Registration Tokens* tab.
. Click *Invalidate JWTs*.
. In the popup window, click *Confirm*.

Check failure on line 16 in guides/common/modules/proc_invalidating-your-own-jwts.adoc (GitHub Actions / linter): [vale] [RedHat.CaseSensitiveTerms] Use 'pop-up' rather than 'popup'.

.Verification
* The {ProjectWebUI} displays the following message: `Successfully invalidated registration tokens.`

[id="cli-invalidating-your-own-jwts"]
.CLI procedure
* Invalidate all your registration tokens by running Hammer:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ hammer
----

[id="api-invalidating-your-own-jwts"]
.API procedure
* Invalidate all your registration tokens by calling the following API endpoint:
+
[options="nowrap" subs="+quotes,attributes,verbatim"]
----
$ curl
----
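Review bot: the procedure never says what invalidation breaks: the concept module states that the JWT authorizes the registration call and is bound to the user who generated the command, so any registration command this user generated earlier stops working once their tokens are invalidated; add a sentence after the verification telling the reader to generate a new registration command before registering further hosts. The CLI and API blocks are still empty `$ hammer` and `$ curl` placeholders.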
4 changes: 4 additions & 0 deletions guides/common/modules/proc_registering-a-host.adoc
@@ -135,3 +135,7 @@ For more information, see the full API reference at `\https://{foreman-example-c

.Next steps
* To set up monitoring of outdated services and applications using Tracer, see {ManagingHostsDocURL}enabling-tracer-on-a-host_managing-hosts[Enabling Tracer on a host] in _{ManagingHostsDocTitle}_.

[role="_additional-resources"]
.Additional resources
* {AdministeringDocURL}invalidating-registration-tokens[Invalidating registration tokens] in _{AdministeringDocTitle}_