Merge pull request ceph#55860 from ceph/add-multi-cluster-token-ttl

mgr/dashboard: Add multi cluster token ttl


Reviewed-by: Nizamudeen A <[email protected]>

Author: aaSharma14

src/pybind/mgr/dashboard/controllers/auth.py

@@ -4,6 +4,7 @@
 import json
 import logging
 import sys
+from typing import Optional
 
 import cherrypy
 
@@ -30,16 +31,33 @@
     "pwdUpdateRequired": (bool, "Is password update required?")
 }
 
+AUTH_SCHEMA = {
+    "token": (str, "Authentication Token"),
+    "username": (str, "Username"),
+    "permissions": ({
+        "cephfs": ([str], "")
+    }, "List of permissions acquired"),
+    "pwdExpirationDate": (str, "Password expiration date"),
+    "sso": (bool, "Uses single sign on?"),
+    "pwdUpdateRequired": (bool, "Is password update required?")
+}
+
 
 @APIRouter('/auth', secure=False)
 @APIDoc("Initiate a session with Ceph", "Auth")
 class Auth(RESTController, ControllerAuthMixin):
     """
     Provide authenticates and returns JWT token.
     """
-    # pylint: disable=R0912
-
-    def create(self, username, password):
+    @EndpointDoc("Dashboard Authentication",
+                 parameters={
+                     'username': (str, 'Username'),
+                     'password': (str, 'Password'),
+                     'ttl': (int, 'Token Time to Live (in hours)')
+                 },
+                 responses={201: AUTH_SCHEMA})
+    def create(self, username, password, ttl: Optional[int] = None):
+        # pylint: disable=R0912
         user_data = AuthManager.authenticate(username, password)
         user_perms, pwd_expiration_date, pwd_update_required = None, None, None
         max_attempt = Settings.ACCOUNT_LOCKOUT_ATTEMPTS
@@ -60,7 +78,7 @@ def create(self, username, password):
                 logger.info('Login successful: %s', username)
                 mgr.ACCESS_CTRL_DB.reset_attempt(username)
                 mgr.ACCESS_CTRL_DB.save()
-                token = JwtManager.gen_token(username)
+                token = JwtManager.gen_token(username, ttl=ttl)
 
                 # For backward-compatibility: PyJWT versions < 2.0.0 return bytes.
                 token = token.decode('utf-8') if isinstance(token, bytes) else token

src/pybind/mgr/dashboard/controllers/multi_cluster.py

@@ -55,7 +55,8 @@ def _proxy(self, method, base_url, path, params=None, payload=None, verify=False
     @EndpointDoc("Authenticate to a remote cluster")
     def auth(self, url: str, cluster_alias: str, username: str,
              password=None, token=None, hub_url=None, cluster_fsid=None,
-             prometheus_api_url=None, ssl_verify=False, ssl_certificate=None):
+             prometheus_api_url=None, ssl_verify=False, ssl_certificate=None, ttl=None):
+
         try:
             hub_fsid = mgr.get('config')['fsid']
         except KeyError:
@@ -64,7 +65,8 @@ def auth(self, url: str, cluster_alias: str, username: str,
         if password:
             payload = {
                 'username': username,
-                'password': password
+                'password': password,
+                'ttl': ttl
             }
             cluster_token = self.check_cluster_connection(url, payload, username,
                                                           ssl_verify, ssl_certificate)
@@ -199,12 +201,13 @@ def set_config(self, config: object):
     @UpdatePermission
     # pylint: disable=W0613
     def reconnect_cluster(self, url: str, username=None, password=None, token=None,
-                          ssl_verify=False, ssl_certificate=None):
+                          ssl_verify=False, ssl_certificate=None, ttl=None):
         multicluster_config = self.load_multi_cluster_config()
         if username and password:
             payload = {
                 'username': username,
-                'password': password
+                'password': password,
+                'ttl': ttl
             }
 
             cluster_token = self.check_cluster_connection(url, payload, username,
@@ -290,6 +293,15 @@ def is_token_expired(self, jwt_token):
         current_time = time.time()
         return expiration_time < current_time
 
+    def get_time_left(self, jwt_token):
+        split_message = jwt_token.split(".")
+        base64_message = split_message[1]
+        decoded_token = json.loads(base64.urlsafe_b64decode(base64_message + "===="))
+        expiration_time = decoded_token['exp']
+        current_time = time.time()
+        time_left = expiration_time - current_time
+        return max(0, time_left)
+
     def check_token_status_expiration(self, token):
         if self.is_token_expired(token):
             return 1
@@ -303,7 +315,9 @@ def check_token_status_array(self, clusters_token_array):
             token = item['token']
             user = item['user']
             status = self.check_token_status_expiration(token)
-            token_status_map[cluster_name] = {'status': status, 'user': user}
+            time_left = self.get_time_left(token)
+            token_status_map[cluster_name] = {'status': status, 'user': user,
+                                              'time_left': time_left}
 
         return token_status_map
 

src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-form/multi-cluster-form.component.html

@@ -188,6 +188,24 @@
                   i18n>This field is required.</span>
           </div>
         </div>
+        <div class="form-group row"
+             *ngIf="!remoteClusterForm.getValue('showToken') && action !== 'edit'">
+          <label class="cd-col-form-label"
+                 for="ttl"
+                 i18n>Login Expiration</label>
+          <div class="cd-col-form-input">
+            <select class="form-select"
+                    id="ttl"
+                    formControlName="ttl"
+                    name="ttl">
+              <option value="1">1 day</option>
+              <option value="7">1 week</option>
+              <option value="15"
+                      [selected]="true">15 days</option>
+              <option value="30">30 days</option>
+            </select>
+          </div>
+        </div>
         <div class="form-group row"
              *ngIf="action !== 'edit'">
           <div class="cd-col-form-offset">

src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-form/multi-cluster-form.component.ts

@@ -141,6 +141,7 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
         ]
       }),
       ssl: new FormControl(false),
+      ttl: new FormControl(15),
       ssl_cert: new FormControl('', {
         validators: [
           CdValidators.requiredIf({
@@ -178,6 +179,10 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
     this.activeModal.close();
   }
 
+  convertToHours(value: number): number {
+    return value * 24; // Convert days to hours
+  }
+
   onSubmit() {
     const url = this.remoteClusterForm.getValue('remoteClusterUrl');
     const updatedUrl = url.endsWith('/') ? url.slice(0, -1) : url;
@@ -186,7 +191,9 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
     const password = this.remoteClusterForm.getValue('password');
     const token = this.remoteClusterForm.getValue('apiToken');
     const clusterFsid = this.remoteClusterForm.getValue('clusterFsid');
+    const prometheusApiUrl = this.remoteClusterForm.getValue('prometheusApiUrl');
     const ssl = this.remoteClusterForm.getValue('ssl');
+    const ttl = this.convertToHours(this.remoteClusterForm.getValue('ttl'));
     const ssl_certificate = this.remoteClusterForm.getValue('ssl_cert')?.trim();
 
     const commonSubscribtion = {
@@ -212,7 +219,7 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
       case 'reconnect':
         this.subs.add(
           this.multiClusterService
-            .reConnectCluster(updatedUrl, username, password, token, ssl, ssl_certificate)
+            .reConnectCluster(updatedUrl, username, password, token, ssl, ssl_certificate, ttl)
             .subscribe(commonSubscribtion)
         );
         break;
@@ -227,8 +234,10 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
               token,
               window.location.origin,
               clusterFsid,
+              prometheusApiUrl,
               ssl,
-              ssl_certificate
+              ssl_certificate,
+              ttl
             )
             .subscribe(commonSubscribtion)
         );

src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-list/multi-cluster-list.component.html

@@ -61,3 +61,24 @@ <h4 class="mt-3">This cluster is already managed by cluster -
   </a>
 </ng-template>
 
+<ng-template #durationTpl
+             let-column="column"
+             let-value="value"
+             let-row="row">
+  <span *ngIf="row.remainingTimeWithoutSeconds > 0 && row.cluster_alias !== 'local-cluster'">
+    <i *ngIf="row.remainingDays < 8"
+       i18n-title
+       title="Cluster's token is about to expire"
+       [class.icon-danger-color]="row.remainingDays < 2"
+       [class.icon-warning-color]="row.remainingDays < 8"
+       class="{{ icons.warning }}"></i>
+    <span title="{{ value | cdDate }}">{{ row.remainingTimeWithoutSeconds / 1000 | duration }}</span>
+  </span>
+  <span *ngIf="row.remainingTimeWithoutSeconds <= 0 && row.remainingDays <=0 && row.cluster_alias !== 'local-cluster'">
+    <i i18n-title
+       title="Cluster's token has expired"
+       class="{{ icons.danger }}"></i>
+    <span class="text-danger">Token expired</span>
+  </span>
+  <span *ngIf="row.cluster_alias === 'local-cluster'">N/A</span>
+</ng-template>

src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-list/multi-cluster-list.component.ts

@@ -19,7 +19,6 @@ import { MultiCluster } from '~/app/shared/models/multi-cluster';
 import { Router } from '@angular/router';
 import { CookiesService } from '~/app/shared/services/cookie.service';
 import { Observable, Subscription } from 'rxjs';
-import { SettingsService } from '~/app/shared/api/settings.service';
 
 @Component({
   selector: 'cd-multi-cluster-list',
@@ -31,7 +30,8 @@ export class MultiClusterListComponent implements OnInit, OnDestroy {
   table: TableComponent;
   @ViewChild('urlTpl', { static: true })
   public urlTpl: TemplateRef<any>;
-
+  @ViewChild('durationTpl', { static: true })
+  durationTpl: TemplateRef<any>;
   private subs = new Subscription();
   permissions: Permissions;
   tableActions: CdTableAction[];
@@ -50,7 +50,6 @@ export class MultiClusterListComponent implements OnInit, OnDestroy {
 
   constructor(
     private multiClusterService: MultiClusterService,
-    private settingsService: SettingsService,
     private router: Router,
     public actionLabels: ActionLabelsI18n,
     private notificationService: NotificationService,
@@ -95,15 +94,25 @@ export class MultiClusterListComponent implements OnInit, OnDestroy {
     this.subs.add(
       this.multiClusterService.subscribe((resp: object) => {
         if (resp && resp['config']) {
+          this.hubUrl = resp['hub_url'];
+          this.currentUrl = resp['current_url'];
           const clusterDetailsArray = Object.values(resp['config']).flat();
           this.data = clusterDetailsArray;
           this.checkClusterConnectionStatus();
+          this.data.forEach((cluster: any) => {
+            cluster['remainingTimeWithoutSeconds'] = 0;
+            if (cluster['ttl'] && cluster['ttl'] > 0) {
+              cluster['ttl'] = cluster['ttl'] * 1000;
+              cluster['remainingTimeWithoutSeconds'] = this.getRemainingTimeWithoutSeconds(
+                cluster['ttl']
+              );
+              cluster['remainingDays'] = this.getRemainingDays(cluster['ttl']);
+            }
+          });
         }
       })
     );
 
-    this.managedByConfig$ = this.settingsService.getValues('MANAGED_BY_CLUSTERS');
-
     this.columns = [
       {
         prop: 'cluster_alias',
@@ -138,6 +147,12 @@ export class MultiClusterListComponent implements OnInit, OnDestroy {
         prop: 'user',
         name: $localize`User`,
         flexGrow: 2
+      },
+      {
+        prop: 'ttl',
+        name: $localize`Token expires`,
+        flexGrow: 2,
+        cellTemplate: this.durationTpl
       }
     ];
 
@@ -149,21 +164,35 @@ export class MultiClusterListComponent implements OnInit, OnDestroy {
     );
   }
 
-  ngOnDestroy() {
+  ngOnDestroy(): void {
     this.subs.unsubscribe();
   }
 
+  getRemainingDays(time: number): number {
+    if (time === undefined || time == null) {
+      return undefined;
+    }
+    if (time < 0) {
+      return 0;
+    }
+    const toDays = 1000 * 60 * 60 * 24;
+    return Math.max(0, Math.floor(time / toDays));
+  }
+
+  getRemainingTimeWithoutSeconds(time: number): number {
+    return Math.floor(time / (1000 * 60)) * 60 * 1000;
+  }
+
   checkClusterConnectionStatus() {
     if (this.clusterTokenStatus && this.data) {
       this.data.forEach((cluster: MultiCluster) => {
-        const clusterStatus = this.clusterTokenStatus[cluster.name.trim()];
-
+        const clusterStatus = this.clusterTokenStatus[cluster.name];
         if (clusterStatus !== undefined) {
           cluster.cluster_connection_status = clusterStatus.status;
+          cluster.ttl = clusterStatus.time_left;
         } else {
           cluster.cluster_connection_status = 2;
         }
-
         if (cluster.cluster_alias === 'local-cluster') {
           cluster.cluster_connection_status = 0;
         }