Limit the number of concurrent user sessions #18162
General info: Restricting the number of concurrent sessions is a technical control mechanism to enforce that certain accounts/access cannot be shared between multiple or too many users. |
This appears to be blocked by #17870, Kibana will need to store session info to be able to limit concurrent sessions. |
Is this intended to limit concurrent sessions by role as in Elasticsearch security role (and not a user)? This doesn't map in my head about the stated objective to limit sharing "accounts" (elasticsearch users?). |
@jordansissel - maybe this is helpful? |
@gayleb Am I interpreting it correctly:
And three more questions: |
+1 Interested in this feature. These control options are needed to implement DoD Application Server SRG V2R7 V-35070 Requirements. Excerpt: Check Text: Review the application server product documentation and configuration to determine if the number of concurrent sessions can be limited to the organization-defined number of sessions for all accounts and/or account types. If a feature to limit the number of concurrent sessions is not available, is not set, or is set to unlimited, this is a finding. |
Please tell me whether access control to Kibana is possible. |
Hi @ES-Takashi ,
Do you mean 40 active sessions in total or 40 active session per user account? |
Hi @azasypkin |
Sorry, not 100% sure which option of the two you meant, but I assume What if a single user creates 40 active sessions (in different browser windows or browsers)? Would it mean that no one else will be able to log in? That would be an easy DDoS like attack. Having said that, at the moment we're planning to support |
Hi @azasypkin, With the planned approach, will they be able to limit the number of concurrent sessions per user to zero? I.e. I believe they want to configure it so that a given user can only have a single session active at one time. |
Hi @JohnKnoepfle,
Yes, this certainly will be possible with the proposal we have (at the RFC stage at the moment). Depending on the configuration, the 2nd session will either be forbidden or it will automatically displace the oldest one. The configuration might look something like this:
```yaml
xpack.security.session.concurrentSessions:
  maxSessions: 1
  exceedAction: displace # Or `forbid`
  roles: [superuser] # Optional. If omitted, the limitation will apply to all users
```
|
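As an added illustration of the semantics sketched in the comment above (this is not Kibana's own code and not the implementation that later landed; the class, method and error names are assumptions made for the example): an in-memory server-side session store that enforces `maxSessions` per user, applies `exceedAction` of `displace` or `forbid` to the login that would exceed it, and limits only users holding one of the optional `roles`. The limit is counted per user, so one user opening many windows cannot lock everyone else out, which is the DoS concern raised earlier in the thread.

```typescript
// Added example, not Kibana's own code: an in-memory server-side session store that
// enforces a per-user concurrent-session limit with the semantics discussed in the
// thread (`maxSessions`, `exceedAction: displace | forbid`, optional `roles` scoping).
// All names below are assumptions made for this illustration.

type ExceedAction = 'displace' | 'forbid';

interface ConcurrentSessionsPolicy {
  maxSessions: number;        // maximum active sessions per user
  exceedAction: ExceedAction; // what to do with the login that would exceed the limit
  roles?: string[];           // if set, only users holding one of these roles are limited
}

interface Session {
  sid: string;
  username: string;
  roles: string[];
  createdAt: number; // ms timestamp; the oldest session is the displacement victim
}

class SessionLimitExceededError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'SessionLimitExceededError';
  }
}

class SessionStore {
  private readonly sessions = new Map<string, Session>();
  private counter = 0;

  constructor(private readonly policy: ConcurrentSessionsPolicy) {}

  // The limit applies to everyone when `roles` is omitted, otherwise only to
  // users holding at least one of the listed roles.
  private applies(roles: string[]): boolean {
    const scoped = this.policy.roles;
    if (!scoped || scoped.length === 0) return true;
    return roles.some((r) => scoped.includes(r));
  }

  // Active sessions for `username`, oldest first.
  activeSessions(username: string): Session[] {
    return Array.from(this.sessions.values())
      .filter((s) => s.username === username)
      .sort((a, b) => a.createdAt - b.createdAt);
  }

  // Called after successful authentication. The limit is counted per user, so one
  // user opening many browser windows cannot exhaust a global pool and lock
  // everyone else out.
  createSession(username: string, roles: string[], now: number = Date.now()): Session {
    if (this.applies(roles)) {
      const existing = this.activeSessions(username);
      const max = this.policy.maxSessions;
      if (existing.length >= max) {
        if (this.policy.exceedAction === 'forbid') {
          throw new SessionLimitExceededError(
            `user ${username} already has ${existing.length} active session(s); limit is ${max}`
          );
        }
        // displace: drop the oldest sessions until exactly one slot is free
        const toDrop = existing.length - max + 1;
        for (const victim of existing.slice(0, toDrop)) {
          this.sessions.delete(victim.sid);
        }
      }
    }
    // A real store must use an unpredictable session id; a counter keeps this
    // example deterministic.
    const sid = `sid-${++this.counter}`;
    const session: Session = { sid, username, roles, createdAt: now };
    this.sessions.set(sid, session);
    return session;
  }

  // Per-request check: a displaced or logged-out session's cookie is rejected.
  isValid(sid: string): boolean {
    return this.sessions.has(sid);
  }

  invalidate(sid: string): void {
    this.sessions.delete(sid);
  }
}
```

The check has to run on every request (`isValid`), not only at login: displacing a session is only a security control if the displaced cookie stops working immediately, which is why server-side session storage is a prerequisite for this feature. With `exceedAction: forbid` and `maxSessions: 1`, a user whose browser crashed without logging out is locked out until the stale session expires, so a forbid policy needs a short idle timeout or an admin invalidation path alongside it.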
Hi @azasypkin, Thank you for the quick reply! That sounds like exactly what they are looking for. They are asking for a status update so I will just let them know engineering is actively working on it and it is in the RFC stage. |
We're planning to start working on this functionality in the upcoming weeks. The initial implementation will include only the bare minimum described in the RFC, the rest of the functionality might be added at a later stage once we gather enough feedback for the initial implementation. Here's what we're aiming for in the initial implementation:
Essentially the configuration we're going to support initially would look like this:
```yaml
xpack.security.session.concurrentSessions:
  maxSessions: 3
```
Issues to track: |
Closing the issue since the implementation has landed in #147442 and will be available starting from Kibana 8.7.0. The remaining tasks are tracked separately: |
Problem statement: Allow admins to define a maximum number of concurrent sessions per Kibana user. This builds on top of previous work that introduced server-side sessions.
Detailed approach: [This document](https://docs.google.com/document/d/1TpgCdz-S687s2XjTyTuJDx7Ig-rju_nnXfiefyt3dok/edit?usp=sharing). For [the MVP](https://docs.google.com/document/d/1TpgCdz-S687s2XjTyTuJDx7Ig-rju_nnXfiefyt3dok/edit#bookmark=id.ditlr5w78trc) see the final section.
Justification: Example customer Enhancement Requests:
In addition, NIST compliance ([800-53 AC-10](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-10)).
Release: The MVP is aimed for 8.7