...

  • It is not required to use Vault to connect to an LDAP Directory Service, as the built-in JS7 - LDAP Identity Service is available for this purpose.
  • The authentication method has to be added to Vault.
    • The path of the authentication method has to be added to the JOC Cockpit Identity Service configuration.
  • The VAULT Identity Service type has to be used, which implies that
    • user accounts are managed with Vault,
    • user accounts are added to JOC Cockpit to allow assignment of roles:
      • user accounts in Vault and JOC Cockpit have to match, as otherwise the user account is not assigned a role,
      • no passwords are managed by JOC Cockpit.

Tokens

When a user logs in to JOC Cockpit, the user credentials are forwarded to the Vault server, which authenticates the user and returns an access token.

  • Vault access tokens are created with a restriction of the
    • time to live (TTL)
      • the access token will expire after the given period,
      • the Identity Service renews the access token 60s before expiration; this step is performed for an arbitrary number of renewals. This requires the Vault permission for the token owner to renew its own token (self-renewal).
    • maximum time to live
      • the access token's overall lifetime is limited; no renewals can take place after the specified period.
  • If an access token cannot be renewed by the Identity Service, the user is forced to log in again and to specify credentials.
    • This happens if the maximum TTL is exceeded or if the token has been revoked.
    • Vault administrators should check for reasonable values of the TTL, maybe not less than 300s, and of the maximum TTL, maybe at least 15 minutes, as otherwise users would have to log in again quite frequently.
  • Independently of Vault, JOC Cockpit handles the idle timeout of user sessions.
    • If the idle timeout is exceeded, the user session is terminated.
    • The Identity Service then tries to revoke the access token. This requires the Vault permission for the token owner to revoke its own token (self-revocation).
  • The Identity Service does not make use of Vault child tokens.
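As an added illustration (not JS7 or Vault code), the following Python model walks through the token lifecycle described above: renewal 60s before expiration, the cap imposed by the maximum TTL, forced re-login once renewal fails (maximum TTL exceeded or token revoked), and the idle timeout that JOC Cockpit enforces independently of Vault. The VaultToken class, the simulate_session function and all time values are constructed for this example.

```python
from dataclasses import dataclass

RENEW_LEAD = 60  # the Identity Service renews the access token 60 s before it expires


@dataclass
class VaultToken:
    """Constructed stand-in for a Vault access token (all times in seconds)."""
    ttl: int
    max_ttl: int
    issued_at: int
    revoked: bool = False

    def __post_init__(self):
        self.expires_at = self.issued_at + self.ttl

    def renew(self, now: int) -> bool:
        """Self-renewal as described above: refused once the token is revoked,
        expired or past its maximum TTL; otherwise the new expiry is capped at
        the max-TTL boundary, so renewals cannot extend the overall lifetime."""
        hard_limit = self.issued_at + self.max_ttl
        if self.revoked or now >= self.expires_at or now >= hard_limit:
            return False
        self.expires_at = min(now + self.ttl, hard_limit)
        return True


def simulate_session(ttl, max_ttl, idle_timeout, activity, horizon, revoked_at=None):
    """Walk one user session second by second and return its lifecycle events:
    ('renew', t) for a successful renewal, ('relogin', t) when renewal is no
    longer possible, ('idle_revoke', t) when JOC Cockpit's idle timeout ends
    the session. `activity` is the set of seconds at which the user was active."""
    token = VaultToken(ttl, max_ttl, issued_at=0)
    last_activity, events = 0, []
    for now in range(1, horizon + 1):
        if now in activity:
            last_activity = now
        if revoked_at is not None and now == revoked_at:
            token.revoked = True  # revoked on the Vault side, e.g. by an administrator
        # The idle timeout is handled by JOC Cockpit, independently of Vault.
        if now - last_activity >= idle_timeout:
            token.revoked = True  # Identity Service revokes the token (self-revocation)
            events.append(("idle_revoke", now))
            break
        if now >= token.expires_at:
            events.append(("relogin", now))  # token expired: user must log in again
            token = VaultToken(ttl, max_ttl, issued_at=now)
        elif now == token.expires_at - RENEW_LEAD:
            if token.renew(now):
                events.append(("renew", now))
            else:  # max TTL exceeded or token revoked: forced login
                events.append(("relogin", now))
                token = VaultToken(ttl, max_ttl, issued_at=now)
    return events
```

With a TTL of 300s and a maximum TTL of 900s the token is renewed at 240s, 480s, 720s and 840s, the last renewal no longer extends it, and the user has to log in again at 900s.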

Identity Service Configuration

...