How does session management work in the Rancher v1.6 UI?


Question

This article looks at how session management, and expiry, functions in the Rancher v1.6 UI.

Pre-requisites

  • This article is applicable to Rancher v1.6 instances

Answer

The Rancher user interface uses a token for session management. The client originally obtains the token by calling the /v2-beta/token API. This call is triggered when the end user enters their username and password and clicks the "Log In" button. Below is an example request:

URL: https://rancher.example.com/v2-beta/token

Method: POST

Request body (formatted for readability):

{
  "code":"admin:<password here>",
  "authProvider":"localauthconfig"
}

Upon successful authentication, the server generates a random 40-character token that is associated with the authenticated user. This token is returned to the user interface in the jwt field of the JSON response. The token is valid for 16 hours from the time of creation, and this expiration is enforced by the server. Below is a sample response (formatted for readability):

{
  "id":null,
  "type":"token",
  "links":{},
  "baseType":"token",
  "actionLinks":{},
  "accountId":"1a1",
  "authProvider":"localAuthConfig",
  "code":null,
  "enabled":true,
  "jwt":"V1dMyPArix5nN1jxiA6DdzsqdZitDJhZuBR3vZNr",
  "originalLogin":null,
  "redirectUrl":null,
  "security":true,
  "user":"admin",
  "userIdentity":
  {
    "externalId":"1a1",
    "profilePicture":null,
    "name":"admin",
    "externalIdType":"rancher_id",
    "profileUrl":null,
    "login":"admin",
    "role":null,
    "projectId":null,
    "user":false,
    "all":null,
    "id":"rancher_id:1a1"
  },
  "userType":"admin"
}

The user interface stores the token in a cookie called token and sends this cookie with all subsequent API requests to the server. In addition to the token, the server also sets a CSRF (Cross-Site Request Forgery) cookie, which must be sent back on each request. This ensures the request came from the client and not from a third party or a malicious script. Below is a sequence diagram that demonstrates how a token is created and used.

Session Management Sequence Diagram

Upon session expiration, the user interface will redirect the user back to the login page.

Note that the session token expiration duration is not currently configurable. There is an enhancement request on GitHub to add this functionality, tracked at https://github.com/rancher/rancher/issues/16467
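The following is an added, self-contained simulation of the exchange described above (the login request, the token response, the token and CSRF cookies on later requests, and the server-enforced 16-hour expiry). It is not Rancher's code and does not talk to a Rancher server; it exists to make the server-side checks concrete. The user table is constructed for the demo, and the CSRF cookie name ("CSRF"), the header that echoes it ("X-API-CSRF"), and the double-submit comparison are assumptions not stated in the article.

```python
import json
import secrets
import string

TOKEN_TTL_SECONDS = 16 * 60 * 60   # 16-hour validity window stated in the article
TOKEN_LENGTH = 40                  # 40-character random token stated in the article
_ALPHABET = string.ascii_letters + string.digits
CSRF_COOKIE = "CSRF"               # assumption: cookie name is not given in the article
CSRF_HEADER = "X-API-CSRF"         # assumption: header carrying the CSRF cookie value back


def build_login_body(login, password, auth_provider="localauthconfig"):
    """Client side: the JSON body the UI POSTs to /v2-beta/token."""
    return json.dumps({"code": f"{login}:{password}", "authProvider": auth_provider})


class TokenServer:
    """Stand-in for the server side of /v2-beta/token plus per-request validation."""

    def __init__(self, users, clock):
        self._users = users      # constructed {login: password} table for the demo
        self._clock = clock      # callable returning seconds; injected so expiry is testable
        self._sessions = {}      # token -> {"login", "created", "csrf"}

    def token_endpoint(self, body):
        """Handle POST /v2-beta/token; returns (status, response JSON, cookies to set)."""
        req = json.loads(body)
        if (req.get("authProvider") or "").lower() != "localauthconfig":
            return 401, None, {}
        login, sep, password = (req.get("code") or "").partition(":")
        stored = self._users.get(login)
        if not sep or stored is None or not secrets.compare_digest(
            stored.encode(), password.encode()
        ):
            return 401, None, {}
        token = "".join(secrets.choice(_ALPHABET) for _ in range(TOKEN_LENGTH))
        csrf = secrets.token_hex(16)
        self._sessions[token] = {"login": login, "created": self._clock(), "csrf": csrf}
        # Shape mirrors the article's sample response; only the fields used here are kept.
        response = {"type": "token", "authProvider": "localAuthConfig",
                    "jwt": token, "user": login, "userType": "admin"}
        return 200, response, {"token": token, CSRF_COOKIE: csrf}

    def authenticate(self, cookies, headers):
        """Validate a subsequent API request; returns (status, login or reason)."""
        session = self._sessions.get(cookies.get("token"))
        if session is None:
            return 401, "no valid session token"
        if self._clock() - session["created"] >= TOKEN_TTL_SECONDS:
            del self._sessions[cookies["token"]]          # server-enforced expiry
            return 401, "session expired"
        expected = session["csrf"].encode()
        cookie_ok = secrets.compare_digest(cookies.get(CSRF_COOKIE, "").encode(), expected)
        header_ok = secrets.compare_digest(headers.get(CSRF_HEADER, "").encode(), expected)
        if not (cookie_ok and header_ok):
            return 403, "CSRF check failed"
        return 200, session["login"]


class UiClient:
    """Stand-in for the browser UI: keeps the cookies and echoes the CSRF value."""

    def __init__(self, server):
        self._server = server
        self.cookies = {}

    def log_in(self, login, password):
        status, _resp, cookies = self._server.token_endpoint(build_login_body(login, password))
        if status == 200:
            self.cookies.update(cookies)
        return status

    def request(self):
        headers = {CSRF_HEADER: self.cookies.get(CSRF_COOKIE, "")}
        return self._server.authenticate(self.cookies, headers)


def demo():
    """Run the exchange on a controllable clock and return each outcome by name."""
    now = [1_000_000.0]
    server = TokenServer({"admin": "correct horse"}, clock=lambda: now[0])
    ui = UiClient(server)
    results = {}
    results["bad_password"] = ui.log_in("admin", "wrong")
    results["login"] = ui.log_in("admin", "correct horse")
    results["token_len"] = len(ui.cookies["token"])
    results["request_ok"] = ui.request()[0]
    # A cross-site request would carry the cookies but cannot set the CSRF header.
    results["missing_csrf_header"] = server.authenticate(ui.cookies, {})[0]
    now[0] += TOKEN_TTL_SECONDS - 1
    results["just_before_expiry"] = ui.request()[0]
    now[0] += 1
    results["after_expiry"] = ui.request()[0]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The clock is injected rather than read from time.time() so the 16-hour boundary can be exercised directly; the CSRF comparison uses secrets.compare_digest on both the cookie and the echoed header so that a request that merely carries the cookies (as any cross-site request would) is rejected.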
