turbot/openshift
steampipe plugin install openshift

Table: openshift_oauth_access_token - Query OpenShift OAuth Access Tokens using SQL

OpenShift OAuth Access Tokens are issued by OpenShift's built-in OAuth server, which handles user login and token-based authentication. Clients present these tokens to authenticate to the cluster API and act with the permissions of the user they were issued to. Each token record carries a unique identifier, the user name and UID, the client name, the requested scopes and an expiry (seconds from creation), which together let you audit who holds valid credentials and spot stale or over-privileged tokens.

Table Usage Guide

The openshift_oauth_access_token table provides insights into OAuth Access Tokens within OpenShift. As a system administrator, explore token-specific details through this table, including unique identifiers, user names, client names, and expiration timestamps. Utilize it to uncover information about tokens, such as those associated with specific users or clients, the tokens' expiration timestamps, and potential security risks associated with expired or misused tokens.

Examples

Basic info

List every OAuth access token together with its owning user, the authorize token that issued it, its refresh token and its lifetime in seconds. This is the starting point for reviewing who currently holds credentials in your OpenShift cluster and whether their lifetimes match your policy.

Postgres and SQLite (the same query works in both):

select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token;

Get token scopes

List the scopes granted to each token alongside its user and lifetime. Scopes bound what a token may do on behalf of its user, so reviewing them shows which tokens were requested with broad scopes and which are narrowly limited.

Postgres:

select
  uid,
  name,
  expires_in,
  user_name,
  jsonb_pretty(scopes) as scopes
from
  openshift_oauth_access_token;

SQLite:

select
  uid,
  name,
  expires_in,
  user_name,
  scopes
from
  openshift_oauth_access_token;

List tokens with admin access

Find tokens whose scopes include the OpenShift user:full scope, which lets the token act with the full privileges of its user rather than a restricted subset. Note that the pattern match below also catches any other scope containing the substring "full". These are the tokens to review first when assessing your security configuration.

Postgres:

select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token,
  jsonb_array_elements_text(scopes) as scope
where
  scope like '%full%';

SQLite:

select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token,
  json_each(scopes) as scope
where
  scope.value like '%full%';
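The following query is an added example (Postgres dialect, not part of the Steampipe documentation) that goes one step further than the pattern match above: it matches the user:full scope exactly with the jsonb containment operator, groups the matching tokens per user and client, and computes when the earliest of them expires from creation_timestamp and expires_in. The column names are those of the schema below; the exact scope string user:full is an assumption about the cluster's scope naming.

```sql
-- Added example (not from the Steampipe docs). Postgres dialect.
-- Summarise tokens that carry the OpenShift "user:full" scope per user and client,
-- so over-privileged long-lived tokens stand out in one place.
select
  user_name,
  client_name,
  count(*) as full_scope_tokens,
  -- earliest expiry among this user's full-scope tokens (creation time + lifetime)
  min(creation_timestamp + make_interval(secs => expires_in)) as earliest_expiry,
  max(expires_in) as longest_lifetime_seconds
from
  openshift_oauth_access_token
where
  -- jsonb "?" tests whether the array contains exactly this string element;
  -- unlike like '%full%' it does not match other scopes containing "full"
  scopes ? 'user:full'
group by
  user_name,
  client_name
order by
  full_scope_tokens desc,
  longest_lifetime_seconds desc;
```

Sort order puts the users holding the most full-scope tokens, and the longest-lived ones, at the top of the result, which is usually the order you want to review them in.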

List expired tokens

Find OpenShift OAuth access tokens whose lifetime (expires_in seconds from creation_timestamp) has already elapsed. Expired token objects that still exist in the cluster are worth cleaning up and, if they keep appearing, may indicate clients that never revoke what they obtain. The inactivity_timeout_seconds column is not considered here.

Postgres:

select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token
where
  extract(
    epoch
    from
      age(current_timestamp, creation_timestamp)
  ) :: int > expires_in;

SQLite:

select
  uid,
  name,
  authorize_token,
  refresh_token,
  expires_in,
  user_name,
  user_uid
from
  openshift_oauth_access_token
where
  cast(
    (julianday('now') - julianday(creation_timestamp)) * 86400 as integer
  ) > expires_in;
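The following query is an added example (Postgres dialect, not part of the Steampipe documentation) that extends the expired-token check above: it reports the remaining lifetime of every token and classifies each as expired, inactive (its inactivity_timeout_seconds has elapsed since creation, as the schema below describes that column) or active. It assumes that a value of 0 in expires_in or inactivity_timeout_seconds means the corresponding limit is not set, and skips that check in that case; the column names are those of the schema.

```sql
-- Added example (not from the Steampipe docs). Postgres dialect.
-- Remaining lifetime per token, with a status that also accounts for the
-- inactivity timeout. Assumption: 0 means "no limit" for both expires_in
-- and inactivity_timeout_seconds, so such tokens are never flagged by that check.
select
  uid,
  user_name,
  client_name,
  creation_timestamp,
  expires_in,
  inactivity_timeout_seconds,
  -- seconds until hard expiry; negative once the token has expired
  expires_in - extract(epoch from (now() - creation_timestamp))::bigint as seconds_remaining,
  case
    when expires_in > 0
      and now() > creation_timestamp + make_interval(secs => expires_in)
      then 'expired'
    when inactivity_timeout_seconds > 0
      and now() > creation_timestamp + make_interval(secs => inactivity_timeout_seconds)
      then 'inactive'
    else 'active'
  end as status
from
  openshift_oauth_access_token
order by
  status,
  seconds_remaining;
```

Tokens that come back as expired or inactive are already unusable and can be deleted; active tokens with a small seconds_remaining are the ones whose users will need to re-authenticate soon.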

Schema for openshift_oauth_access_token

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| annotations | jsonb | | Annotations is an unstructured key-value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. |
| authorize_token | text | | AuthorizeToken contains the token that authorized this token. |
| client_name | text | | ClientName references the client that created this token. |
| creation_timestamp | timestamp with time zone | | CreationTimestamp is a timestamp representing the server time when this object was created. |
| deletion_grace_period_seconds | bigint | | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. |
| deletion_timestamp | timestamp with time zone | | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. |
| expires_in | bigint | | ExpiresIn is the seconds from CreationTime before this token expires. |
| finalizers | jsonb | | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. |
| generate_name | text | | GenerateName is an optional prefix, used by the server, to generate a unique name only if the Name field has not been provided. |
| generation | bigint | | A sequence number representing a specific generation of the desired state. |
| inactivity_timeout_seconds | bigint | | InactivityTimeoutSeconds is the value in seconds, from the CreationTimestamp, after which this token can no longer be used. The value is automatically incremented when the token is used. |
| labels | jsonb | | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. |
| name | text | = | Name of the object. Name must be unique within a namespace. |
| namespace | text | | Namespace defines the space within which each name must be unique. |
| owner_references | jsonb | | List of objects depended by this object. If all objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. |
| redirect_uri | text | | RedirectURI is the redirection associated with the token. |
| refresh_token | text | | RefreshToken is the value by which this token can be renewed. Can be blank. |
| resource_version | text | | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. |
| scopes | jsonb | | Scopes is an array of the requested scopes. |
| title | text | | Title of the resource. |
| uid | text | | UID is the unique in time and space value for this object. |
| user_name | text | | The user name associated with this token. |
| user_uid | text | | UserUID is the unique UID associated with this token. |

Export

This table is also available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- openshift

You can pass the configuration to the command with the --config argument:

steampipe_export_openshift --config '<your_config>' openshift_oauth_access_token