public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-19 19:35:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add token hashing

Browse Source
This commit is contained in:
Billy Tat
2021-08-10 22:31:34 -07:00
parent adc1e14cd1
commit a29596901d
3 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/rancher/v2.6/en/api/api-tokens/_index.md
+11 -1
View File
@@ -45,5 +45,15 @@ Admins can set a global TTL on Kubeconfig tokens. Once the token expires the kub
4. Edit the setting and set the value to desired duration in minutes.
_**Note:**_ This value cannot exceed max-ttl of API tokens.(`https://<Rancher-Server-IP/v3/settings/auth-token-max-ttl-minutes`). `auth-token-max-ttl-minutes` is set to 1440 (24 hours) by default. `auth-token-max-ttl-minutes would default to 0 allowing tokens to never expire`.
### Token Hashing
Users can enable token hashing, where tokens will undergo a one-way hash using the SHA256 algorithm. This is a non-reversible process, once enabled, this feature cannot be disabled. It is advisable to take backups prior to enabling and/or evaluated in a test environment first.
To enable token hashing, refer to [this section]({{<baseurl>}}/rancher/v2.6/en/installation/resources/feature-flags).
This feature will affect all tokens which include, but are not limited to, the following:
- Kubeconfig tokens
- Bearer tokens API keys/calls
- Tokens used by internal operations
content/rancher/v2.6/en/installation/resources/feature-flags/_index.md
+2
View File
@@ -28,6 +28,7 @@ For example, if you install Rancher, then set a feature flag to true with the Ra
The following is a list of the feature flags available in Rancher:
- `token-hashing`: This feature enables one-way [hashing of tokens]({{<baseurl>}}/rancher/v2.6/en/api/api-tokens) and cannot be disabled once enabled.
- `fleet`: Rancher comes with [Fleet]({{<baseurl>}}/rancher/v2.6/en/deploy-across-clusters/fleet) preinstalled in v2.5+. Rancher v2.6's new provisioning system leverages Fleet's bundle deployment capabilities in order to manage clusters at scale. Therefore, in Rancher v2.6, Fleet can no longer be disabled. If Fleet was disabled in Rancher v2.5.x, it will become enabled if Rancher is upgraded to v2.6.x.
- `continuous-delivery`: In Rancher v2.5.x, Fleet came with a GitOps feature that could not be disabled separately from Fleet. In Rancher v2.6, the `continuous-delivery` feature flag was introduced to allow the GitOps feature of Fleet to be disabled. For more information, see [this page.](./continuous-delivery)
- `istio-virtual-service-ui`: This feature enables a [UI to create, read, update, and delete Istio virtual services and destination rules]({{<baseurl>}}/rancher/v2.6/en/installation/options/feature-flags/istio-virtual-service-ui), which are traffic management features of Istio.
@@ -47,6 +48,7 @@ The below table shows the availability and default value for feature flags in Ra
| `fleet` | `true` | GA* | v2.5.0 | |
| `fleet` | `true` | Can no longer be disabled | v2.6.0 | N/A |
| `continuous-delivery` | `true` | GA* | v2.6.0 | |
| `token-hashing` | `false` | GA* | v2.6.0 | |
\* Generally Available. This feature is included in Rancher and it is not experimental.
content/rancher/v2.6/en/user-settings/api-keys/_index.md
+2
View File
@@ -19,6 +19,8 @@ API Keys are composed of four components:
- **Secret Key:** The token's password. For applications that prompt you for two different strings for API authentication, you usually enter the two keys together.
- **Bearer Token:** The token username and password concatenated together. Use this string for applications that prompt you for one authentication string.
>Note: Users may opt to enable [token hashing]({{<baseurl>}}/rancher/v2.6/en/api/api-tokens).
## Creating an API Key
1. Select **User Avatar** > **API & Keys** from the **User Settings** menu in the upper-right.