Table: openshift_oauth_access_token - Query OpenShift OAuth Access Tokens using SQL
OpenShift OAuth Access Tokens are part of OpenShift's OAuth server which is responsible for managing user login and token-based authentication. These tokens are used to authenticate users and clients in the OpenShift cluster and provide them with the necessary permissions to access resources. The tokens consist of unique identifiers, user names, client names, and expiration timestamps, which can be used to monitor and manage access control and potential security risks.
Table Usage Guide
The openshift_oauth_access_token table provides insights into OAuth Access Tokens within OpenShift. As a system administrator, explore token-specific details through this table, including unique identifiers, user names, client names, and expiration timestamps. Utilize it to uncover information about tokens, such as those associated with specific users or clients, the tokens' expiration timestamps, and potential security risks associated with expired or misused tokens.
Examples
Basic info
Gain insights into the authorization patterns by analyzing the validity and usage of access tokens in your OpenShift environment. This is particularly useful for assessing security measures and identifying potential vulnerabilities.

PostgreSQL:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token;
```

SQLite:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token;
```
Get token scopes
Review the scopes granted to each token alongside its expiration window to understand what access each user token carries and which tokens are nearing expiration. This is beneficial in maintaining security and ensuring uninterrupted user access.

PostgreSQL:

```sql
select
  uid,
  name,
  expires_in,
  user_name,
  jsonb_pretty(scopes) as scopes
from
  openshift_oauth_access_token;
```

SQLite:

```sql
select
  uid,
  name,
  expires_in,
  user_name,
  scopes
from
  openshift_oauth_access_token;
```
List tokens with admin access
Explore which tokens have full administrative access. This is beneficial in analyzing your security configuration and identifying potential vulnerabilities.

PostgreSQL:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token,
  jsonb_array_elements_text(scopes) as scope
where
  scope like '%full%';
```

SQLite:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token,
  json_each(scopes) as scope
where
  scope.value like '%full%';
```
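The query above returns one row per matching scope, so a token with several scopes can appear more than once and a user with many tokens is hard to read at a glance. The following PostgreSQL query is an added example, not part of the Steampipe plugin documentation: it summarises tokens per user and client, counts distinct tokens rather than scope rows, and flags whether any token carries the `user:full` scope (the scope the `like '%full%'` filter above matches). It assumes Steampipe's PostgreSQL dialect and the `scopes` jsonb array column from the schema below.

```sql
-- Added example (not from the Steampipe docs): one row per user/client pair
-- showing how many tokens it holds and which scopes they carry.
-- Assumes Steampipe's PostgreSQL dialect; 'user:full' is the OpenShift
-- scope that grants a token the user's full privileges.
select
  user_name,
  client_name,
  -- count tokens, not scope rows, since the lateral join fans out per scope
  count(distinct uid) as token_count,
  -- true if at least one token for this user/client has the full-access scope
  bool_or(scopes @> '["user:full"]'::jsonb) as any_full_scope,
  -- the distinct set of scopes seen across all of this user/client's tokens
  array_agg(distinct scope order by scope) as distinct_scopes
from
  openshift_oauth_access_token
  cross join lateral jsonb_array_elements_text(scopes) as scope
group by
  user_name,
  client_name
order by
  any_full_scope desc,
  token_count desc;
```

Sorting with full-scope holders first and the largest token counts next puts the accounts worth reviewing at the top; a service account or CLI client that has accumulated many full-scope tokens is usually a sign that tokens are being minted but never revoked.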
List expired tokens
Identify tokens whose lifetime has elapsed by comparing each token's age against its expires_in value. This helps surface potential security risks or unauthorized access, and is particularly useful for maintaining system integrity and ensuring user account safety.

PostgreSQL:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token
where
  extract(epoch from age(current_timestamp, creation_timestamp))::int > expires_in;
```

SQLite:

```sql
select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token
where
  cast((julianday('now') - julianday(creation_timestamp)) * 86400 as integer) > expires_in;
```
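Expiry is only one way a token stops being valid: the schema below also exposes inactivity_timeout_seconds, after which an unused token can no longer be used even if expires_in has not elapsed. The following PostgreSQL query is an added example, not part of the Steampipe plugin documentation. It generalises the expired-token query above into a lifecycle classification for every token: expired, timed out through inactivity, expiring within the next 24 hours, or active, ordered so the most urgent rows come first. It assumes Steampipe's PostgreSQL dialect, and it treats an inactivity_timeout_seconds of 0 or NULL as "no inactivity timeout configured", which is an assumption about the plugin's representation rather than something the schema text states.

```sql
-- Added example (not from the Steampipe docs): classify every token's
-- lifecycle state from its age, expires_in and inactivity_timeout_seconds.
-- Assumption: inactivity_timeout_seconds of 0 or NULL means no inactivity timeout.
with token_age as (
  select
    uid,
    user_name,
    client_name,
    creation_timestamp,
    expires_in,
    inactivity_timeout_seconds,
    -- seconds elapsed since the token was created, computed once and reused below
    extract(epoch from age(current_timestamp, creation_timestamp))::bigint as age_seconds
  from
    openshift_oauth_access_token
)
select
  uid,
  user_name,
  client_name,
  age_seconds,
  expires_in - age_seconds as seconds_until_expiry,
  case
    -- hard lifetime exceeded: same condition as the expired-token query above
    when age_seconds > expires_in then 'expired'
    -- inactivity window exceeded; only meaningful when a timeout is configured
    when coalesce(inactivity_timeout_seconds, 0) > 0
         and age_seconds > inactivity_timeout_seconds then 'inactivity_timeout'
    -- still valid but within the last day of its lifetime
    when expires_in - age_seconds <= 86400 then 'expires_within_24h'
    else 'active'
  end as state
from
  token_age
order by
  state,
  seconds_until_expiry;
```

Tokens in the expired and inactivity_timeout states are objects the OAuth server will no longer honour but which still exist in the cluster; listing them separately from tokens about to expire makes it straightforward to decide which ones to clean up and which users to expect re-authentication from.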
Schema for openshift_oauth_access_token
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
annotations | jsonb | | Annotations is an unstructured key-value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
authorize_token | text | | AuthorizeToken contains the token that authorized this token.
client_name | text | | ClientName references the client that created this token.
creation_timestamp | timestamp with time zone | | CreationTimestamp is a timestamp representing the server time when this object was created.
deletion_grace_period_seconds | bigint | | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set.
deletion_timestamp | timestamp with time zone | | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted.
expires_in | bigint | | ExpiresIn is the seconds from CreationTime before this token expires.
finalizers | jsonb | | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
generate_name | text | | GenerateName is an optional prefix, used by the server, to generate a unique name only if the Name field has not been provided.
generation | bigint | | A sequence number representing a specific generation of the desired state.
inactivity_timeout_seconds | bigint | | InactivityTimeoutSeconds is the value in seconds, from the CreationTimestamp, after which this token can no longer be used. The value is automatically incremented when the token is used.
labels | jsonb | | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
name | text | = | Name of the object. Name must be unique within a namespace.
namespace | text | | Namespace defines the space within which each name must be unique.
owner_references | jsonb | | List of objects depended by this object. If all objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
redirect_uri | text | | RedirectURI is the redirection associated with the token.
refresh_token | text | | RefreshToken is the value by which this token can be renewed. Can be blank.
resource_version | text | | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed.
scopes | jsonb | | Scopes is an array of the requested scopes.
title | text | | Title of the resource.
uid | text | | UID is the unique in time and space value for this object.
user_name | text | | The user name associated with this token.
user_uid | text | | UserUID is the unique UID associated with this token.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- openshift
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_openshift --config '<your_config>' openshift_oauth_access_token
```