@bizybot bizybot commented Feb 5, 2019

We mention in our documentation that the maximum value
for the token expiration configuration is 1 hour,
but do not enforce it. This commit adds a max limit
to the TOKEN_EXPIRATION setting.

Note: Since this is a backport and the min max
time value support was not there in 6.x, I have
selectively picked the change from Setting.
The changes were done for zen2.

@bizybot bizybot added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) backport labels Feb 5, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security

@bizybot bizybot force-pushed the backport-token-expiry-limit branch from fc52246 to e6c9b83 Compare February 5, 2019 05:04
@bizybot bizybot requested review from jaymode and jkakavas February 5, 2019 05:04
@bizybot
Contributor Author

bizybot commented Feb 5, 2019

Hi @jaymode, @jkakavas. While backporting this change I found that the minMaxTimeValueParser was not
present in the Setting class on 6.x. The change was introduced with zen2 and so I have selectively picked
the change here. Please take a look when you get some time. Thank you.

Contributor

@jkakavas jkakavas left a comment

LGTM Yogesh, I see no reason for not cherry picking the minMaxTimeValueParser to 6.x

@bizybot bizybot merged commit c5bccb1 into elastic:6.x Feb 5, 2019
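
The kind of bound this pull request describes, as an added Java sketch that is not the Elasticsearch code or the code merged here: a time-valued setting is parsed and rejected at load time when it falls outside a fixed range, so a documented limit cannot be silently exceeded. The class name, the setting key, the accepted unit syntax and the 1 second minimum are assumptions; only the 1 hour maximum comes from the description above.

```java
import java.time.Duration;
import java.util.Locale;

public class BoundedTimeSetting {
    static final Duration MIN = Duration.ofSeconds(1); // assumed lower bound
    static final Duration MAX = Duration.ofHours(1);   // documented maximum from the PR text

    /** Parses values such as "90s", "20m" or "1h" (constructed syntax for this sketch). */
    static Duration parse(String raw) {
        String s = raw.trim().toLowerCase(Locale.ROOT);
        if (s.length() < 2) {
            throw new IllegalArgumentException("missing number or unit in [" + raw + "]");
        }
        try {
            long n = Long.parseLong(s.substring(0, s.length() - 1));
            switch (s.charAt(s.length() - 1)) {
                case 's': return Duration.ofSeconds(n);
                case 'm': return Duration.ofMinutes(n);
                case 'h': return Duration.ofHours(n);
                default: throw new IllegalArgumentException("unknown unit in [" + raw + "]");
            }
        } catch (NumberFormatException | ArithmeticException e) {
            // Non-numeric input, or a number so large the conversion overflows.
            throw new IllegalArgumentException("not a valid time value: [" + raw + "]", e);
        }
    }

    /** Parses the value and fails closed when it lies outside [MIN, MAX]. */
    static Duration parseBounded(String key, String raw) {
        Duration d = parse(raw);
        if (d.compareTo(MIN) < 0 || d.compareTo(MAX) > 0) {
            throw new IllegalArgumentException("value [" + raw + "] for setting [" + key
                + "] must be between [" + MIN + "] and [" + MAX + "]");
        }
        return d;
    }

    public static void main(String[] args) {
        String key = "example.token.expiration"; // hypothetical setting key
        // Constructed sample values: two in range, four that must be rejected.
        for (String v : new String[] {"20m", "1h", "61m", "2h", "0s", "-5m"}) {
            try {
                System.out.println(v + " -> accepted as " + parseBounded(key, v));
            } catch (IllegalArgumentException e) {
                System.out.println(v + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```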