Implement Server-Side sessions #68117
Merged
52 commits
bfd42f0  azasypkin  Implement Server-Side sessions.
fc0ab5d  azasypkin  Merge branch 'master' into issue-xxx-sss
194b06e  azasypkin  Added functional tests for the OIDC capture URL flow, Authenticator t…
176fe3b  azasypkin  Remove session that belongs to a not configured provider in all cases.
3f85d63  azasypkin  More tests, don't clean session on password change (temporarily).
50a09bb  azasypkin  Merge branch 'master' into issue-xxx-sss
ada2b9f  azasypkin  Add capture-url tests, session cookie, and session management service…
a30e49b  azasypkin  Merge branch 'master' into issue-xxx-sss
f033f72  azasypkin  Merge branch 'master' into issue-xxx-sss
38f15bb  azasypkin  Merge branch 'master' into issue-xxx-sss
959a535  azasypkin  Merge branch 'master' into issue-xxx-sss
9d3273b  azasypkin  Review#1: handle review comments, add more tests.
7133991  azasypkin  Review#1: manually fix Jest snapshots as they are not updated by Jest…
e915c3f  azasypkin  Merge branch 'master' into issue-xxx-sss
21bb805  azasypkin  Add basic docs and session integration tests.
11b3c4e  azasypkin  Fix outdated test file link.
8bd08e5  azasypkin  Fix more outdated test file links.
3fe0d46  azasypkin  Merge branch 'master' into issue-xxx-sss
ccbcec1  azasypkin  More tweaks to the brand new session api integration tests.
04801a1  azasypkin  Wait for the `GREEN` status of session index before running tests.
b6f3987  azasypkin  Merge branch 'master' into issue-xxx-sss
3f1fa9c  azasypkin  Merge branch 'master' into issue-xxx-sss
b91f050  azasypkin  Review#2: handle review feedback.
09acb02  azasypkin  Merge branch 'master' into issue-xxx-sss
38f41cf  azasypkin  Merge branch 'master' into issue-xxx-sss
e98dbd0  azasypkin  Review#2: properly update session index when user is active.
a86884c  azasypkin  Remove duplicated test suite declaration.
6acf005  azasypkin  Review#2: use SID-scoped loggers inside of `Session`.
d518e99  azasypkin  Merge branch 'master' into issue-xxx-sss
a8d46f1  azasypkin  Review#3: generate index name inside of `SessionIndex` and get rid of…
d3c8454  azasypkin  Merge branch 'master' into issue-xxx-sss
bcbd9c2  azasypkin  Sync PR with the latest upstream ESLint rules.
fb47b91  azasypkin  Merge branch 'master' into issue-xxx-sss
b40adf6  azasypkin  Review#4: more comments and logs, use 32 bytes for SID and AAD instea…
9548184  azasypkin  Review#4: properly handle empty sessions in `SessionTimeout` service,…
f03d978  azasypkin  Merge branch 'master' into issue-xxx-sss
2d3ea32  azasypkin  Review#5: allow smaller cleanup timeouts in dev mode (for tests).
8ee6b90  azasypkin  Merge branch 'master' into issue-xxx-sss
21d24ed  azasypkin  Review#5: decrease minimum value for cleanup interval to 10s to make …
efdbef2  azasypkin  Update docs.
92437c0  azasypkin  Merge branch 'master' into issue-xxx-sss
d69116a  elasticmachine  Merge branch 'master' into issue-xxx-sss
ed6944d  elasticmachine  Merge branch 'master' into issue-xxx-sss
ca64e87  elasticmachine  Merge branch 'master' into issue-xxx-sss
4d0ee0d  azasypkin  Merge branch 'master' into issue-xxx-sss
378c239  azasypkin  Review#6: incorporate docs review suggestions.
a4cdb60  azasypkin  tests: make sure we always wait for the green status before trying to…
b178201  azasypkin  Merge branch 'master' into issue-xxx-sss
3ded572  azasypkin  Review#7: handle more docs comments.
5bc9502  azasypkin  Review#8: more doc improvements.
1d27f02  azasypkin  Merge branch 'master' into issue-xxx-sss
8ea6939  azasypkin  Review#8: more docs comments.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
[role="xpack"] | ||
[[xpack-security-session-management]] | ||
=== Session management | ||
|
||
When you log in, {kib} creates a session that is used to authenticate subsequent requests to {kib}. A session consists of two components: an encrypted cookie that is stored in your browser, and an encrypted document in a dedicated {es} hidden index. By default, the name of that index is `.kibana_security_session_1`, where the prefix is derived from the primary `.kibana` index. If either of these components are missing, the session is no longer valid. | ||
|
||
When your session expires, or you log out, {kib} will invalidate your cookie and remove session information from the index. {kib} also periodically invalidates and removes any expired sessions that weren't explicitly invalidated. | ||
|
||
[[session-idle-timeout]] | ||
==== Session idle timeout | ||
|
||
You can use `xpack.security.session.idleTimeout` to expire sessions after a period of inactivity. This and `xpack.security.session.lifespan` are both highly recommended. | ||
By default, sessions don't expire because of inactivity. To define a sliding session expiration, set the property in the `kibana.yml` configuration file. The idle timeout is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '20m', '24h', '7d', '1w'). For example, set the idle timeout to expire sessions after 1 hour of inactivity: | ||
|
||
-- | ||
[source,yaml] | ||
-------------------------------------------------------------------------------- | ||
xpack.security.session.idleTimeout: "1h" | ||
-------------------------------------------------------------------------------- | ||
-- | ||
|
||
[[session-lifespan]] | ||
==== Session lifespan | ||
|
||
You can use `xpack.security.session.lifespan` to configure the maximum session duration or "lifespan" -- also known as the "absolute timeout". This and `xpack.security.session.idleTimeout` are both highly recommended. By default, sessions don't have a fixed lifespan, and if an idle timeout is defined, a session can still be extended indefinitely. To define a maximum session lifespan, set the property in the `kibana.yml` configuration file. The lifespan is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '20m', '24h', '7d', '1w'). For example, set the lifespan to expire sessions after 30 days: | ||
|
||
-- | ||
[source,yaml] | ||
-------------------------------------------------------------------------------- | ||
xpack.security.session.lifespan: "30d" | ||
-------------------------------------------------------------------------------- | ||
-- | ||
|
||
[[session-cleanup-interval]] | ||
==== Session cleanup interval | ||
|
||
[IMPORTANT] | ||
============================================================================ | ||
If you specify neither session idle timeout nor lifespan, then {kib} will not automatically remove session information from the index unless you explicitly log out. This might lead to an infinitely growing session index. Configure the idle timeout and lifespan settings for the {kib} sessions so that they can be cleaned up even if you don't explicitly log out. | ||
============================================================================ | ||
|
||
You can configure the interval at which {kib} tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour and cannot be less than 10 seconds. To define another interval, set the `xpack.security.session.cleanupInterval` property in the `kibana.yml` configuration file. The interval is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '20m', '24h', '7d', '1w'). For example, schedule the session index cleanup to perform once a day: | ||
|
||
-- | ||
[source,yaml] | ||
-------------------------------------------------------------------------------- | ||
xpack.security.session.cleanupInterval: "1d" | ||
-------------------------------------------------------------------------------- | ||
-- |
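Review bot: the sentence "This and `xpack.security.session.lifespan` are both highly recommended." in the idle-timeout paragraph (and its mirror in the lifespan paragraph) interrupts the flow between the setting's purpose and its default behaviour, and the same advice is repeated a third time in the [IMPORTANT] block of the cleanup section; consider keeping the recommendation only in the [IMPORTANT] block, or moving it to the end of each paragraph. Two smaller points: the cleanup paragraph says {kib} "tries to remove expired and invalid sessions from the session index", but nothing states whether an expired session is rejected on its next request or only once that cleanup job has run, so a reader could infer that `cleanupInterval` bounds how long an expired session remains usable; one sentence in the "When your session expires, or you log out" paragraph would settle it. And the duration examples use single quotes ('20m', '24h') while the YAML snippets use double quotes ("1h", "30d", "1d"); pick one style.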
note: removed these cookie-related sections, I think they don't make any sense now - it should be assumed by default that if a user logs out, the session cannot be reused.