feat: add master configurations for access token max and default lifespans [DET-10464]

[corban-beaird]

Ticket

DET-10464

Description

Adds default & max lifespan master configurations for access tokens to set global defaults & limits on how long access tokens can be valid for.

You would need to define in master configuration as below:

  -  master:
       config_file:
        security:
          token:
            max_lifespan_days: -1
            default_lifespan_days: 30

Constants that are defined:

// InfiniteTokenLifespan is the value to set the token lifespan to infinite.
InfiniteTokenLifespan = -1

// InfiniteTokenLifespanString is the string representation of InfiniteTokenLifespan.
InfiniteTokenLifespanString = "-1"

// DefaultTokenLifespan is the default token lifespan in days.
DefaultTokenLifespan = 30

// DefaultTokenMaxLifespanDays is the default max lifespan for tokens.
// This is the maximum number of days a go duration can represent.
MaxAllowedTokenLifespanDays = 106751

API endpoint:

POST /api/v1/tokens

Accepted Body:
{
  "userId": 1,
  "lifespan": "30h"
}

OR

{
  "userId": 1,
  "lifespan": "-1"
}

No changes in GET and PATCH APIs

CLI changes:

Creating token with indefinite expiration days

% det token create -e -1

TokenID: 469
Access-Token: v2.public.eyJpZCI6NDY5LCJ1c2VyX2lkIjoxLCJleHBpcnkiOm51bGwsImNyZWF0ZWRfYXQiOiIyMDI0LTEwLTI0VDE3OjI0OjM1LjgzMzc2WiIsInRva2VuX3R5cGUiOiJBQ0NFU1NfVE9LRU4iLCJyZXZva2VkX2F0IjpudWxsLCJkZXNjcmlwdGlvbiI6bnVsbCwiSW5oZXJpdGVkQ2xhaW1zIjpudWxsfTfft_Jfo46Rlh8M1ZcMtGmUxWTaaiS8zg3J0sr5HecKcF49-Vy4iiEfGi9PCpw50RJX053z9ARTPPoHxETsXQs.bnVsbA

Creating token with 30 expiration days

% det token create -e 30 
TokenID: 468
Access-Token: v2.public.eyJpZCI6NDY4LCJ1c2VyX2lkIjoxLCJleHBpcnkiOiIyMDI0LTExLTIzVDE3OjIzOjMyLjgwNTc3M1oiLCJjcmVhdGVkX2F0IjoiMjAyNC0xMC0yNFQxNzoyMzozMi44MDU3NzNaIiwidG9rZW5fdHlwZSI6IkFDQ0VTU19UT0tFTiIsInJldm9rZWRfYXQiOm51bGwsImRlc2NyaXB0aW9uIjpudWxsLCJJbmhlcml0ZWRDbGFpbXMiOm51bGx9loBjs57wAHnXh30Izs0v8ZEMEhvE9S0cvzc0Rddlg953bzAdUHcHRo0Upa24vwNRDxXByac8ebmgwjHcfmORCg.bnVsbA

Test Plan

• CI Passes
  Try below CLI commands
• % det token create -e -1
• % det token create -e 30

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[codecov]

Codecov Report

Attention: Patch coverage is 47.16981% with 28 lines in your changes missing coverage. Please review.

Project coverage is 54.72%. Comparing base (782f7a0) to head (0076fca).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
master/internal/config/config.go	41.93%	18 Missing ⚠️
master/internal/api_token.go	57.89%	8 Missing ⚠️
harness/determined/cli/token.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10101      +/-   ##
==========================================
+ Coverage   54.71%   54.72%   +0.01%     
==========================================
  Files        1266     1266              
  Lines      159970   160013      +43     
  Branches     3662     3662              
==========================================
+ Hits        87525    87568      +43     
  Misses      72312    72312              
  Partials      133      133              

Flag	Coverage Δ
backend	46.05% <49.01%> (+0.04%)	⬆️
harness	72.56% <0.00%> (ø)
web	54.30% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
master/internal/token/postgres_token.go	75.71% <100.00%> (ø)
harness/determined/cli/token.py	16.00% <0.00%> (ø)
master/internal/api_token.go	76.42% <57.89%> (-2.86%)	⬇️
master/internal/config/config.go	56.59% <41.93%> (-1.47%)	⬇️

... and 5 files with indirect coverage changes

[netlify]

✅ Deploy Preview for determined-ui canceled.

Name	Link
🔨 Latest commit	0076fca
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/671c1e4f1c95150008828d03

[tara-hpe]

suggested edits

[azhou-determined]

might be worth just making sure that args.expiration_days is an int here, if it's a float not sure what would happen

[ShreyaLnuHpe]

With the current code, any float input would return an error invalid int value: '5.0'. I think we should keep it as is.

Another option is to explicitly cast the input to an integer. However, the potential issue with this approach is that it could mislead users into thinking that floating-point values are valid, which might give the impression that fractional days are allowed.

expiration_in_hours = None
if args.expiration_days is not None:
    expiration_days = int(args.expiration_days)  # Ensure it's an integer
    expiration_in_hours = "-1" if expiration_days == -1 else f"{24 * expiration_days}h"

[azhou-determined]

what's the reason for adding both these configs to the master config? i get why a cluster admin would want to set max_expiration, but is default necessary? it's not a big deal, but if it's unlikely to be used it's just a bit more bloat in the master config.

[azhou-determined]

only reviewed python side, deferring to @stoksc for master stuff

[stoksc]

I don't think our default should be infinite. Let's make it 30 days and let folks opt-in to these wild infinite lifespan tokens.

[stoksc]

leaving this partial review but we're chatting more online

[tara-hpe]

LGTM

[stoksc]

reading this it is not clear to me the difference between an "access token" and a regular token, and i'm not sure how a user would know there is a difference, but I dont have an immediate idea of how to fix it.