
api: naming of session and access key expiration times

Open dnephin opened this issue 2 years ago • 3 comments

I had some incorrect assumptions about how access key expiration worked.

The outcome of this issue should be to define the following terms, probably in https://infrahq.com/docs/getting-started/key-concepts, and possibly also to rename the AccessKey.ExtensionDeadline.

Terms

  • AccessKey - is a string used to authenticate with the infra API
  • AccessKey.Expires - (referred to as --ttl in the CLI) the total time that the access key will be valid for, the "max lifetime"
  • AccessKey.ExtensionDeadline - A specified deadline that the access key must be used within to remain valid
  • Session - (not sure if we have a definition for this one)

The way our access keys work is that they have two expiry times:

  1. the maximum time the access key is valid for (Expiry)
  2. the time in which the key must be used in an API request to keep it active (ExtensionDeadline)

Some questions we should answer:

  • we refer to the access key expiry as TTL in the CLI and in CreateAccessKeyRequest. Should we rename TTL to Expiry to be more consistent?
  • should we define Session as the period of time the access key will remain active without being used?
  • if we define session that way, would it make sense to rename ExtensionDeadline to SessionExpires or SessionExpiry?

If we don't take that approach for session, is there something else we could do to help clarify how extension deadline works?

dnephin avatar May 26 '22 20:05 dnephin

If we want to avoid having to define session, then maybe something like max-inactivity-time, or something along those lines would help clarify extension deadline.

dnephin avatar May 26 '22 20:05 dnephin

This issue has not seen any activity in a while. Add a comment if this issue is still relevant, otherwise it will be closed in 7 days.

github-actions[bot] avatar Jul 30 '22 02:07 github-actions[bot]

still relevant

dnephin avatar Aug 02 '22 14:08 dnephin

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Oct 30 '22 23:10 stale[bot]

This continues to be confusing to me, but I think I have an easier way to resolve the confusion.

Expires as the maximum lifetime of the key makes sense. Let's not change it.

ExtensionDeadline I think is misleading for a few reasons:

  1. What is being extended? It's not the expiry time (that never changes). It's the ExtensionDeadline value that is being extended. Which is really a UseBy time, or SessionExpiry, or ActivityTimeout.
  2. Deadline implies it's a fixed limit, but it's actually the value that gets changed each time
  3. Each login extends this value, but that's not explicit in any of the descriptions. Many readers will ask "how do I extend this thing".

I think we can address these problems by changing the name of ExtensionDeadline.

dnephin avatar Nov 18 '22 17:11 dnephin

This was fixed at some point, the new term is InactivityTimeout.

dnephin avatar Jan 06 '23 23:01 dnephin
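The two limits discussed in this thread (a fixed maximum lifetime and a "use by" time that moves forward on each use) can be sketched as follows. This is an added example, not infra's own code: the `AccessKey` type here, its `Extension` field, the `Use` method, the error values and the choice to cap the inactivity window at `Expires` are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AccessKey is a hypothetical model of the two limits from the thread.
type AccessKey struct {
	Expires           time.Time     // maximum lifetime; fixed at creation, never extended
	InactivityTimeout time.Time     // "use by" time; pushed forward on each successful use
	Extension         time.Duration // assumed length of the inactivity window
}

var (
	ErrExpired  = errors.New("access key expired: maximum lifetime reached")
	ErrInactive = errors.New("access key expired: not used within the inactivity window")
)

// Use validates the key at time now and, on success, slides the inactivity
// window forward. A rejected request leaves the key unchanged.
func (k *AccessKey) Use(now time.Time) error {
	if !now.Before(k.Expires) {
		return ErrExpired
	}
	if !now.Before(k.InactivityTimeout) {
		return ErrInactive
	}
	next := now.Add(k.Extension)
	if next.After(k.Expires) {
		// Assumption of this example: activity never carries the key past Expires.
		next = k.Expires
	}
	k.InactivityTimeout = next
	return nil
}

func main() {
	t0 := time.Date(2022, 5, 26, 20, 0, 0, 0, time.UTC) // constructed sample time
	k := &AccessKey{
		Expires:           t0.Add(24 * time.Hour),
		InactivityTimeout: t0.Add(time.Hour),
		Extension:         time.Hour,
	}
	fmt.Println("use at +30m:", k.Use(t0.Add(30*time.Minute)))
	fmt.Println("window now ends:", k.InactivityTimeout.Sub(t0))
	fmt.Println("use at +3h:", k.Use(t0.Add(3*time.Hour)))
}
```

Checking `Expires` before the inactivity window keeps the two failure reasons distinct, which is useful when logging why a key was rejected.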