-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose session invalidation API. #92376
Changes from 10 commits
14b96cb
1f926b9
e793774
ac6499a
d0b9f5a
e200021
115a075
8987d23
26cf895
8f1caae
5941367
6e475cb
36248cc
62c446c
b6f714d
90f33c2
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
[role="xpack"] | ||
[[session-management-api]] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will you be adding more APIs under the "Kibana user session management" section? If not, it would be better to make the "Invalidate user sessions API" a standalone page similar to "Shorten URL" in the TOC. Is Kibana needed? Or, can the title simply be "User session management APIs"? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
We don't have capacity yet, but I can see that we'll want to add user session enumeration APIs that will support session management UI and automation workflows for the admins in the future.
I'm not sure to be honest. User session is a Kibana-only thing and I basically used the same convention we used for Spaces that is also a Kibana-only thing ( There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think Kibana is not needed. |
||
== {kib} session management APIs | ||
|
||
Allows managing {kib} <<xpack-security-session-management, user sessions>>. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The sentence "Allows managing Kibana user sessions" isn't needed. It's covered in the title and in the sentence that follows it. |
||
|
||
The following {kib} session management APIs are available: | ||
|
||
* <<session-management-api-invalidate, Invalidate sessions API>> to invalidate {kib} user sessions | ||
|
||
include::session-management/invalidate.asciidoc[] |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,108 @@ | ||||||
[[session-management-api-invalidate]] | ||||||
=== Invalidate sessions API | ||||||
++++ | ||||||
<titleabbrev>Invalidate sessions</titleabbrev> | ||||||
++++ | ||||||
|
||||||
experimental[] Invalidates {kib} user sessions that match provided query. | ||||||
|
||||||
[[session-management-api-invalidate-prereqs]] | ||||||
==== Prerequisite | ||||||
|
||||||
To use the invalidate sessions API, you must be a `superuser`. | ||||||
|
||||||
[[session-management-api-invalidate-request]] | ||||||
==== Request | ||||||
|
||||||
`POST <kibana host>:<port>/api/security/session/_invalidate` | ||||||
|
||||||
[role="child_attributes"] | ||||||
[[session-management-api-invalidate-request-body]] | ||||||
==== Request body | ||||||
|
||||||
`match`:: | ||||||
(Required, string) Specifies how {kib} should determine which sessions should be invalidated. Can either be `all` to invalidate all existing sessions, or `query` to only invalidate sessions that match the query specified in the additional `query` parameter. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
|
||||||
`query`:: | ||||||
(Optional, object) Specifies the query that {kib} should use to match the sessions that should be invalidated when `match` parameter is set to `query`. This parameter is forbidden if `match` is set to `all`. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does the last sentence mean "You cannot use this parameter if There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
That's correct. Will use |
||||||
+ | ||||||
.Properties of `query` | ||||||
[%collapsible%open] | ||||||
===== | ||||||
`provider` ::: | ||||||
(Required, object) Contains required `type` and optional `name` string properties to match sessions that were created by the specific <<authentication-security-settings, authentication provider>>. | ||||||
|
||||||
`username` ::: | ||||||
(Optional, string) If specified, {kib} will only invalidate sessions that belong to a specific user. | ||||||
===== | ||||||
|
||||||
[[session-management-api-invalidate-response-body]] | ||||||
==== Response body | ||||||
|
||||||
`total`:: | ||||||
(number) The number of successfully invalidated sessions. | ||||||
|
||||||
[[session-management-api-invalidate-response-codes]] | ||||||
==== Response codes | ||||||
|
||||||
`200`:: | ||||||
Indicates a successful call. | ||||||
|
||||||
`403`:: | ||||||
Indicates that the user may not be authorized to invalidate sessions for other users, refer to <<session-management-api-invalidate-prereqs, Prerequisite section>>. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
|
||||||
==== Examples | ||||||
|
||||||
Invalidate all existing sessions: | ||||||
|
||||||
[source,sh] | ||||||
-------------------------------------------------- | ||||||
$ curl -X POST api/security/session/_invalidate | ||||||
{ | ||||||
"match" : "all" | ||||||
} | ||||||
-------------------------------------------------- | ||||||
// KIBANA | ||||||
|
||||||
Invalidate sessions that were created by any <<saml, SAML authentication providers>> only: | ||||||
|
||||||
[source,sh] | ||||||
-------------------------------------------------- | ||||||
$ curl -X POST api/security/session/_invalidate | ||||||
{ | ||||||
"match" : "query", | ||||||
"query": { | ||||||
"provider" : { "type": "saml" } | ||||||
} | ||||||
} | ||||||
-------------------------------------------------- | ||||||
// KIBANA | ||||||
|
||||||
Invalidate sessions that were created by the <<saml, SAML authentication provider>> with the name `saml1` only: | ||||||
|
||||||
[source,sh] | ||||||
-------------------------------------------------- | ||||||
$ curl -X POST api/security/session/_invalidate | ||||||
{ | ||||||
"match" : "query", | ||||||
"query": { | ||||||
"provider" : { "type": "saml", "name": "saml1" } | ||||||
} | ||||||
} | ||||||
-------------------------------------------------- | ||||||
// KIBANA | ||||||
|
||||||
Invalidate sessions that were created by any <<oidc, OpenID Connect authentication providers>> for the user with the name `[email protected]` only: | ||||||
|
||||||
[source,sh] | ||||||
-------------------------------------------------- | ||||||
$ curl -X POST api/security/session/_invalidate | ||||||
{ | ||||||
"match" : "query", | ||||||
"query": { | ||||||
"provider" : { "type": "oidc" }, | ||||||
"username": "[email protected]" | ||||||
} | ||||||
} | ||||||
-------------------------------------------------- | ||||||
// KIBANA |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -397,6 +397,14 @@ NOTE: *Public URL* is available only when anonymous access is configured and you | |||||
+ | ||||||
For more information, refer to <<embedding, Embed {kib} content in a web page>>. | ||||||
|
||||||
[float] | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. note: I initially planned to document invalidate API in the follow-up and combine it with the slightly related small (:crossed_fingers:) change we were talking about here, sooo that's my excuse for this change in this PR 🙂 |
||||||
[[anonymous-access-session]] | ||||||
===== Anonymous access session | ||||||
|
||||||
{kib} maintains a separate <<xpack-security-session-management, session>> for every anonymous user, as it does for any other authentication mechanism. This way {kib} can maintain a personalized experience even for the users who didn't provide any personal credentials. | ||||||
|
||||||
You can configure both <<session-idle-timeout, session idle timeout>> and <<session-lifespan, session lifespan>> for the anonymous sessions as you'd do for any other session with the only exception that idle timeout is explicitly disabled for the anonymous sessions by default. That means that the global <<security-session-and-cookie-settings, `xpack.security.session.idleTimeout`>> setting won't affect anonymous sessions. If you want to change the idle timeout for the anonymous sessions, you must configure the provider-level <<anonymous-authentication-provider-settings, `xpack.security.authc.providers.anonymous.<provider-name>.session.idleTimeout`>> setting instead. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
|
||||||
[[http-authentication]] | ||||||
==== HTTP authentication | ||||||
|
||||||
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -6,6 +6,8 @@ When you log in, {kib} creates a session that is used to authenticate subsequent | |||||
|
||||||
When your session expires, or you log out, {kib} will invalidate your cookie and remove session information from the index. {kib} also periodically invalidates and removes any expired sessions that weren't explicitly invalidated. | ||||||
|
||||||
To manage user sessions programmatically, {kib} exposes a set of <<session-management-api, session management APIs>>. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
|
||||||
[[session-idle-timeout]] | ||||||
==== Session idle timeout | ||||||
|
||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: copy-pasting from the role-management APIs docs 🙈