new token generated on each node restart

Description

I have a PMM server 2.39 and clients running 2.38, running PS operator and a MySQL cluster on Kubernetes.
It seems that new tokens (not service accounts) are created for each monitored node of the cluster, even if I just created and specified a token to be used for communication, and they don't have expiry dates.
The bigger problem is that these tokens are generated on each node restart, so in an unstable environment like Kubernetes you can have hundreds of these tokens without an expiry date.
To me this looks very insecure.

Screenshot:

As you can see from the list I have restarted node cluster1-mysql-2 7 times and I have 7 tokens.

pmm admin is run inside the sidecar container using the following script:

How to test

  1. Set up PMM Server FB from https://jira.percona.com/browse/PMM-11714

  2. Create API key

  3. Use that API key to register pmm-agent

  4. No new API keys are created automatically
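One way to check step 4 and to audit an existing server for the accumulation described in the report, added here as an example and not taken from the ticket or from PMM's code. It assumes key listings shaped like Grafana's API key list (`id`, `name`, `role`, optional `expiration`) and that automatically created key names contain the node name; the sample data and key names are constructed.

```python
from collections import defaultdict

# Constructed sample data: key listings shaped like Grafana's API key list
# (id, name, role, optional expiration). Key names are hypothetical.
BEFORE = [
    {"id": 1, "name": "operator-key", "role": "Admin",
     "expiration": "2024-01-01T00:00:00Z"},
]
AFTER = BEFORE + [
    {"id": 2, "name": "pmm-agent-cluster1-mysql-2-a1", "role": "Admin"},
    {"id": 3, "name": "pmm-agent-cluster1-mysql-2-b2", "role": "Admin"},
    {"id": 4, "name": "pmm-agent-cluster1-mysql-0-c3", "role": "Admin",
     "expiration": None},
]
NODES = ["cluster1-mysql-0", "cluster1-mysql-1", "cluster1-mysql-2"]


def new_keys(before, after):
    """Keys present in `after` whose id was not in `before` (step 4 expects none)."""
    known = {k["id"] for k in before}
    return [k for k in after if k["id"] not in known]


def audit(keys, nodes):
    """Per node: how many keys mention it, and how many of those never expire."""
    report = defaultdict(lambda: {"keys": 0, "no_expiry": 0})
    for key in keys:
        # Longest node name first so "mysql-1" never claims a "mysql-10" key.
        for node in sorted(nodes, key=len, reverse=True):
            if node in key["name"]:
                report[node]["keys"] += 1
                if not key.get("expiration"):
                    report[node]["no_expiry"] += 1
                break
    return dict(report)


def flagged(report, max_keys=1):
    """Nodes holding more keys than expected or any key without an expiry."""
    return sorted(n for n, r in report.items()
                  if r["keys"] > max_keys or r["no_expiry"])


if __name__ == "__main__":
    created = new_keys(BEFORE, AFTER)
    print("unexpected keys:", [k["name"] for k in created])
    print("flagged nodes:", flagged(audit(created, NODES)))
```

Take the `before` listing after registering pmm-agent with the supplied key and the `after` listing once the node has been restarted; an empty result from `new_keys` is the expected outcome of step 4.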

How to document

None

Attachments

1

Activity

Nailya Kutlubaeva November 21, 2023 at 11:16 AM

No automation is needed

Tomislav Plavcic August 21, 2023 at 1:10 PM

Nurlan Moldomurov August 21, 2023 at 12:00 PM

Could you provide all env variables passed to PMM Client?

Done

Details

Needs QA

Yes

Needs Doc

No

Created August 21, 2023 at 10:53 AM
Updated March 5, 2024 at 10:12 PM
Resolved November 28, 2023 at 8:47 AM