Obtaining Access Tokens with a Kubernetes Secret

Describes how to obtain access tokens with a Kubernetes secret.

Each user who signs in to the HPE Ezmeral Unified Analytics Software UI is assigned a user-specific namespace. That namespace contains a Kubernetes secret, aptly named access-token, whose AUTH_TOKEN value holds an access token created specifically for that user. A token read from this resource (AUTH_TOKEN) has between 10 and 30 minutes of lifetime remaining.
NOTE
Keycloak settings do not affect the lifetime of this access token.

Obtaining an Access Token for a User

Any external client program with the appropriate Kubernetes API credentials can obtain a valid access token for a user.

Run the following kubectl command to obtain the access token for a specified user, where USER_NAMESPACE is that user's namespace:
kubectl -n $USER_NAMESPACE get secret access-token -o jsonpath='{.data.AUTH_TOKEN}' | base64 -d
IMPORTANT
To run this command, kubectl must be configured either with admin access or with credentials that are permitted to read the user's secret.

Storing Kubernetes Credentials Externally

Before you store any Kubernetes API credentials outside of the HPE Ezmeral Unified Analytics Software cluster, consider the security implications. As with any externally stored credentials, the external client is responsible for securing the credentials.

However, there may be cases where external storage is appropriate. For example, if a client already requires Kubernetes API credentials for other reasons, then the client can use this method to get valid user access tokens without having to use and secure refresh tokens.

Usage Notes

The following list describes scenarios where a user's access token becomes invalid or does not exist:
  • If a user exists in HPE Ezmeral Unified Analytics Software but has not signed in to the HPE Ezmeral Unified Analytics Software UI, the secret does not contain an access token for the user. The secret only contains an access token after the user signs in.
  • If the user is removed (offboarded) from the HPE Ezmeral Unified Analytics Software cluster, the user's namespace and secret are also removed and no longer exist.
  • An expired HPE Ezmeral Unified Analytics Software license disables the cluster. When a cluster is disabled, the token expires and becomes invalid until the cluster is enabled and the user successfully signs in to HPE Ezmeral Unified Analytics Software through the UI.
  • If a user is disabled in the AD/LDAP server, the token expires and becomes invalid until the user is enabled in the AD/LDAP server and signs in to HPE Ezmeral Unified Analytics Software through the UI.
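The following Python example, added here and not part of the HPE documentation, shows the client-side handling the command above and the usage notes imply: extracting and base64-decoding AUTH_TOKEN from the Secret JSON that kubectl returns, treating a Secret without an AUTH_TOKEN key as "user has not signed in yet", and checking the remaining lifetime before the short-lived token is used. It assumes the token is a Keycloak-issued JWT with an exp claim (the page does not state the token format); the Secret documents and the unsigned JWT are constructed for the demo.

```python
import base64
import json
import time


def _demo_jwt(exp):
    """Build an unsigned, constructed JWT so the example runs offline.
    A real AUTH_TOKEN is issued and signed by Keycloak (assumption)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'alice', 'exp': exp})}."


DEMO_EXP = 1_700_000_000  # constructed expiry (epoch seconds)
# Constructed stand-ins for `kubectl -n <ns> get secret access-token -o json`
SIGNED_IN_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "access-token", "namespace": "alice"},
    "data": {"AUTH_TOKEN": base64.b64encode(_demo_jwt(DEMO_EXP).encode()).decode()},
})
NEVER_SIGNED_IN_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "access-token", "namespace": "bob"},
    "data": {},  # user exists but has never signed in to the UI: no token yet
})


def extract_auth_token(secret_json):
    """Return the decoded AUTH_TOKEN value, or None when the key is absent."""
    data = json.loads(secret_json).get("data") or {}
    encoded = data.get("AUTH_TOKEN")
    if not encoded:
        return None
    return base64.b64decode(encoded).decode()


def seconds_until_expiry(token, now=None):
    """Read the exp claim from the JWT payload. The signature is NOT verified
    here; this is only a local freshness check, not an authentication decision."""
    header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def usable_token(secret_json, min_remaining=60, now=None):
    """Return the token only if it exists and will not expire within
    min_remaining seconds; otherwise re-read the Secret after the user signs in."""
    token = extract_auth_token(secret_json)
    if token is None or seconds_until_expiry(token, now) < min_remaining:
        return None
    return token
```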