Expose session invalidation API. #92376
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| [role="xpack"] | ||
| [[session-management-api]] | ||
|
There was a problem hiding this comment. Will you be adding more APIs under the "Kibana user session management" section? If not, it would be better to make the "Invalidate user sessions API" a standalone page similar to "Shorten URL" in the TOC. Is Kibana needed? Or, can the title simply be "User session management APIs"? There was a problem hiding this comment.
We don't have capacity yet, but I can see that we'll want to add user session enumeration APIs that will support session management UI and automation workflows for the admins in the future.
I'm not sure to be honest. User session is a Kibana-only thing and I basically used the same convention we used for Spaces that is also a Kibana-only thing ( There was a problem hiding this comment. I think Kibana is not needed. |
||
| == {kib} session management APIs | ||
|
|
||
| Allows managing {kib} <<xpack-security-session-management, user sessions>>. | ||
|
There was a problem hiding this comment. The sentence "Allows managing Kibana user sessions" isn't needed. It's covered in the title and in the sentence that follows it. |
||
|
|
||
| The following {kib} session management APIs are available: | ||
|
|
||
| * <<session-management-api-invalidate, Invalidate sessions API>> to invalidate {kib} user sessions | ||
|
|
||
| include::session-management/invalidate.asciidoc[] | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,108 @@ | ||||||
| [[session-management-api-invalidate]] | ||||||
| === Invalidate sessions API | ||||||
| ++++ | ||||||
| <titleabbrev>Invalidate sessions</titleabbrev> | ||||||
| ++++ | ||||||
|
|
||||||
| experimental[] Invalidates {kib} user sessions that match provided query. | ||||||
|
|
||||||
| [[session-management-api-invalidate-prereqs]] | ||||||
| ==== Prerequisite | ||||||
|
|
||||||
| To use the invalidate sessions API, you must be a `superuser`. | ||||||
|
|
||||||
| [[session-management-api-invalidate-request]] | ||||||
| ==== Request | ||||||
|
|
||||||
| `POST <kibana host>:<port>/api/security/session/_invalidate` | ||||||
|
|
||||||
| [role="child_attributes"] | ||||||
| [[session-management-api-invalidate-request-body]] | ||||||
| ==== Request body | ||||||
|
|
||||||
| `match`:: | ||||||
| (Required, string) Specifies how {kib} should determine which sessions should be invalidated. Can either be `all` to invalidate all existing sessions, or `query` to only invalidate sessions that match the query specified in the additional `query` parameter. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| `query`:: | ||||||
| (Optional, object) Specifies the query that {kib} should use to match the sessions that should be invalidated when `match` parameter is set to `query`. This parameter is forbidden if `match` is set to `all`. | ||||||
|
There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. Does the last sentence mean "You cannot use this parameter if There was a problem hiding this comment.
That's correct. Will use |
||||||
| + | ||||||
| .Properties of `query` | ||||||
| [%collapsible%open] | ||||||
| ===== | ||||||
| `provider` ::: | ||||||
| (Required, object) Contains required `type` and optional `name` string properties to match sessions that were created by the specific <<authentication-security-settings, authentication provider>>. | ||||||
|
|
||||||
| `username` ::: | ||||||
| (Optional, string) If specified, {kib} will only invalidate sessions that belong to a specific user. | ||||||
| ===== | ||||||
|
|
||||||
| [[session-management-api-invalidate-response-body]] | ||||||
| ==== Response body | ||||||
|
|
||||||
| `total`:: | ||||||
| (number) The number of successfully invalidated sessions. | ||||||
|
|
||||||
| [[session-management-api-invalidate-response-codes]] | ||||||
| ==== Response codes | ||||||
|
|
||||||
| `200`:: | ||||||
| Indicates a successful call. | ||||||
|
|
||||||
| `403`:: | ||||||
| Indicates that the user may not be authorized to invalidate sessions for other users, refer to <<session-management-api-invalidate-prereqs, Prerequisite section>>. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ==== Examples | ||||||
|
|
||||||
| Invalidate all existing sessions: | ||||||
|
|
||||||
| [source,sh] | ||||||
| -------------------------------------------------- | ||||||
| $ curl -X POST api/security/session/_invalidate | ||||||
| { | ||||||
| "match" : "all" | ||||||
| } | ||||||
| -------------------------------------------------- | ||||||
| // KIBANA | ||||||
|
|
||||||
| Invalidate sessions that were created by any <<saml, SAML authentication providers>> only: | ||||||
|
|
||||||
| [source,sh] | ||||||
| -------------------------------------------------- | ||||||
| $ curl -X POST api/security/session/_invalidate | ||||||
| { | ||||||
| "match" : "query", | ||||||
| "query": { | ||||||
| "provider" : { "type": "saml" } | ||||||
| } | ||||||
| } | ||||||
| -------------------------------------------------- | ||||||
| // KIBANA | ||||||
|
|
||||||
| Invalidate sessions that were created by the <<saml, SAML authentication provider>> with the name `saml1` only: | ||||||
|
|
||||||
| [source,sh] | ||||||
| -------------------------------------------------- | ||||||
| $ curl -X POST api/security/session/_invalidate | ||||||
| { | ||||||
| "match" : "query", | ||||||
| "query": { | ||||||
| "provider" : { "type": "saml", "name": "saml1" } | ||||||
| } | ||||||
| } | ||||||
| -------------------------------------------------- | ||||||
| // KIBANA | ||||||
|
|
||||||
| Invalidate sessions that were created by any <<oidc, OpenID Connect authentication providers>> for the user with the name `user@my-oidc-sso.com` only: | ||||||
|
|
||||||
| [source,sh] | ||||||
| -------------------------------------------------- | ||||||
| $ curl -X POST api/security/session/_invalidate | ||||||
| { | ||||||
| "match" : "query", | ||||||
| "query": { | ||||||
| "provider" : { "type": "oidc" }, | ||||||
| "username": "user@my-oidc-sso.com" | ||||||
| } | ||||||
| } | ||||||
| -------------------------------------------------- | ||||||
| // KIBANA | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -397,6 +397,14 @@ NOTE: *Public URL* is available only when anonymous access is configured and you | |||||
| + | ||||||
| For more information, refer to <<embedding, Embed {kib} content in a web page>>. | ||||||
|
|
||||||
| [float] | ||||||
|
There was a problem hiding this comment. note: I initially planned to document invalidate API in the follow-up and combine it with the slightly related small (:crossed_fingers:) change we were talking about here, sooo that's my excuse for this change in this PR 🙂 |
||||||
| [[anonymous-access-session]] | ||||||
| ===== Anonymous access session | ||||||
|
|
||||||
| {kib} maintains a separate <<xpack-security-session-management, session>> for every anonymous user, as it does for any other authentication mechanism. This way {kib} can maintain a personalized experience even for the users who didn't provide any personal credentials. | ||||||
|
|
||||||
| You can configure both <<session-idle-timeout, session idle timeout>> and <<session-lifespan, session lifespan>> for the anonymous sessions as you'd do for any other session with the only exception that idle timeout is explicitly disabled for the anonymous sessions by default. That means that the global <<security-session-and-cookie-settings, `xpack.security.session.idleTimeout`>> setting won't affect anonymous sessions. If you want to change the idle timeout for the anonymous sessions, you must configure the provider-level <<anonymous-authentication-provider-settings, `xpack.security.authc.providers.anonymous.<provider-name>.session.idleTimeout`>> setting instead. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| [[http-authentication]] | ||||||
| ==== HTTP authentication | ||||||
|
|
||||||
|
|
||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -585,8 +585,8 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| }); | ||
|
|
||
| it('clears session if provider asked to do so in `succeeded` result.', async () => { | ||
|
|
@@ -605,8 +605,8 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| }); | ||
|
|
||
| it('clears session if provider asked to do so in `redirected` result.', async () => { | ||
|
|
@@ -624,8 +624,8 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| }); | ||
|
|
||
| describe('with Access Agreement', () => { | ||
|
|
@@ -1191,7 +1191,7 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('extends session for non-system API calls.', async () => { | ||
|
|
@@ -1213,7 +1213,7 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.extend).toHaveBeenCalledWith(request, mockSessVal); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('does not touch session for system API calls if authentication fails with non-401 reason.', async () => { | ||
|
|
@@ -1234,7 +1234,7 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('does not touch session for non-system API calls if authentication fails with non-401 reason.', async () => { | ||
|
|
@@ -1255,7 +1255,7 @@ describe('Authenticator', () => { | |
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('replaces existing session with the one returned by authentication provider for system API requests', async () => { | ||
|
|
@@ -1281,7 +1281,7 @@ describe('Authenticator', () => { | |
| }); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('replaces existing session with the one returned by authentication provider for non-system API requests', async () => { | ||
|
|
@@ -1307,7 +1307,7 @@ describe('Authenticator', () => { | |
| }); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('clears session if provider failed to authenticate system API request with 401 with active session.', async () => { | ||
|
|
@@ -1324,8 +1324,8 @@ describe('Authenticator', () => { | |
| AuthenticationResult.failed(Boom.unauthorized()) | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
|
|
@@ -1345,8 +1345,8 @@ describe('Authenticator', () => { | |
| AuthenticationResult.failed(Boom.unauthorized()) | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
|
|
@@ -1364,8 +1364,8 @@ describe('Authenticator', () => { | |
| AuthenticationResult.redirectTo('some-url', { state: null }) | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
|
|
@@ -1382,7 +1382,7 @@ describe('Authenticator', () => { | |
| AuthenticationResult.notHandled() | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
|
|
@@ -1399,7 +1399,7 @@ describe('Authenticator', () => { | |
| AuthenticationResult.notHandled() | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.create).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.update).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.extend).not.toHaveBeenCalled(); | ||
|
|
@@ -1789,7 +1789,7 @@ describe('Authenticator', () => { | |
| DeauthenticationResult.notHandled() | ||
| ); | ||
|
|
||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('clears session and returns whatever authentication provider returns.', async () => { | ||
|
|
@@ -1804,7 +1804,7 @@ describe('Authenticator', () => { | |
| ); | ||
|
|
||
| expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('if session does not exist but provider name is valid, returns whatever authentication provider returns.', async () => { | ||
|
|
@@ -1823,7 +1823,7 @@ describe('Authenticator', () => { | |
|
|
||
| expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); | ||
| expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledWith(request, null); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('if session does not exist and provider name is not available, returns whatever authentication provider returns.', async () => { | ||
|
|
@@ -1840,7 +1840,7 @@ describe('Authenticator', () => { | |
|
|
||
| expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); | ||
| expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledWith(request); | ||
| expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('returns `notHandled` if session does not exist and provider name is invalid', async () => { | ||
|
|
@@ -1852,7 +1852,7 @@ describe('Authenticator', () => { | |
| ); | ||
|
|
||
| expect(mockBasicAuthenticationProvider.logout).not.toHaveBeenCalled(); | ||
| expect(mockOptions.session.invalidate).toHaveBeenCalled(); | ||
| }); | ||
| }); | ||
|
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: copy-pasting from the role-management APIs docs 🙈