gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Role = Node signup tokens do not last the specified --ttl=timeperiod #660

Closed jeremyd closed 7 years ago

jeremyd commented 7 years ago

I'm trying to create a long-lasting token for node signup > 1 month or so. Every time I use a value it says it's doing it:

Please note:
  - This invitation token will expire in 599940 minutes

However, the token is actually set to expire more like in 30 min.

Token                                Role       Expiry Time (UTC)
-----                                ----       -----------------
xxx     Node       23 Dec 16 21:17 UTC

kontsevoy commented 7 years ago

@jeremyd which backend are you using? etcd, local (default) or DynamoDB?

jeremyd commented 7 years ago

Using etcd

kontsevoy commented 7 years ago

@klizhentas can you take a look plz? you're ze etcd masta.

jeremyd commented 7 years ago

I tried the same test in 1.3.2 thinking this fix would have landed, but I get the same results. My tokens do not last the specified ttl (using etcd2 backend). I assume this code made it into 1.3.2 judging from the timeline but .. perhaps the committed fix wasn't enough?

klizhentas commented 7 years ago

the fix is on the client, so you have to make sure you have new tctl as well.

jeremyd commented 7 years ago

So I installed this via the release tgz. It has tctl and all the binaries, all version 1.3.2.. Then I run tctl on the same server where I install teleport.

teleport version
WARN[0000] syslog not available. reverting to stderr     file=utils/cli.go:52 func=utils.InitLoggerCLI
Teleport v1.3.2 git:v1.3.2-0-g33044f6
# tctl version
WARN[0000] syslog not available. reverting to stderr     file=utils/cli.go:52 func=utils.InitLoggerCLI
Teleport v1.3.2 git:v1.3.2-0-g33044f6

jeremyd commented 7 years ago

I'm reading through the code, and I think maybe it just doesn't do the conversion of TTL into expiration. When I dump etcd, the expiration field shows the time 30 min from now. I'm not seeing how this field gets set from the TTL yet..

klizhentas commented 7 years ago

Are you sure it's in 1.3.2? I've landed it in master, but not sure if it has landed in 1.3.2 really

jeremyd commented 7 years ago

I'm not sure no .. I was basing this on the time the commit was made. (will try to check harder)

kontsevoy commented 7 years ago

This is not in 1.3.2

jeremyd commented 7 years ago

Oh, darn, it didn't make the release. OK cool, I'll just compile it up then I suppose.. Thanks!

kontsevoy commented 7 years ago

@jeremyd yeah, you can just apply the patch yourself to 1.3.2 codebase. master is not recommended for production use.
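
An added Go example (not code from the Teleport project or from anyone in this thread) that quantifies the mismatch reported at the top of the issue: it parses the lifetime announced in the invitation message and the expiry shown in the token listing, then returns how much earlier than promised the token expires. The token value and issue time are constructed, and the expiry column is assumed to follow Go's `time.RFC822` layout, which the listed value matches.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed sample: the two outputs quoted in the report; the token value is made up.
const inviteMsg = "  - This invitation token will expire in 599940 minutes"
const listing = `Token                                Role       Expiry Time (UTC)
-----                                ----       -----------------
0123abcd     Node       23 Dec 16 21:17 UTC`

var minutesRe = regexp.MustCompile(`expire in (\d+) minutes`)

// promisedTTL extracts the lifetime announced in the invitation message.
func promisedTTL(msg string) (time.Duration, error) {
	m := minutesRe.FindStringSubmatch(msg)
	if m == nil {
		return 0, fmt.Errorf("no TTL found in %q", msg)
	}
	n, err := strconv.Atoi(m[1])
	return time.Duration(n) * time.Minute, err
}

// listedExpiry finds the token's row and parses its expiry (assumed time.RFC822 layout).
func listedExpiry(table, token string) (time.Time, error) {
	for _, line := range strings.Split(table, "\n") {
		if f := strings.Fields(line); len(f) == 7 && f[0] == token {
			return time.Parse(time.RFC822, strings.Join(f[2:], " "))
		}
	}
	return time.Time{}, fmt.Errorf("token %q not listed", token)
}

// ttlShortfall reports how much earlier than promised the token expires.
func ttlShortfall(msg, table, token string, issued time.Time) (time.Duration, error) {
	ttl, err := promisedTTL(msg)
	if err != nil {
		return 0, err
	}
	exp, err := listedExpiry(table, token)
	return issued.Add(ttl).Sub(exp), err
}

func main() { // issue time below is constructed: 30 minutes before the listed expiry
	fmt.Println(ttlShortfall(inviteMsg, listing, "0123abcd", time.Date(2016, 12, 23, 20, 47, 0, 0, time.UTC)))
}
```

A shortfall near zero means the stored expiry honours the requested TTL; a shortfall close to the full TTL is the behaviour described in this issue.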