Apache Knox / KNOX-136

Knox should support configurable session timeout

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.3.0
    • Fix Version/s: 0.3.0
    • Component/s: Server
    • Labels: None

      Description

      There is no clue what the session timeout in Knox is.
      When a user authenticates to Knox, a session is created in Knox and a JSESSIONID cookie is returned to the client.
      But there is no clue how long this session is valid.
      We should allow customers to set different session timeouts.

      At the minimum, we should add

      <session-config>
        <!-- web.xml expects the session timeout in minutes: -->
        <session-timeout>30</session-timeout>
      </session-config>

      in the web.xml created by deployment.

      Attachments: KNOX-136.patch (4 kB, Dilli Arumugam)

        Activity

        Dilli Arumugam added a comment -

        Clarification on the session timeout:

        It is really an idle session timeout and not a max session timeout.
        If you set the value as 3 min, the user can still use his one authentication with userid/password for much longer than 3 mins, as long as he does not idle for 3 continuous minutes.

        Dilli Arumugam added a comment - - edited

        Notes on the fix and testing:

        The fix adds a new config property, sessionTimeout, to the topology file for the ShiroProvider.
        The value of the property specifies the session timeout in minutes.
        It is really an idle session timeout.
        The value defaults to 30 mins if the property value is not defined.
        Client authentication would expire after this time if the client idles continuously for more than this value.

        Quoting from the sample sandbox.xml:

        <provider>
          <role>authentication</role>
          <name>ShiroProvider</name>
          <enabled>true</enabled>
          <param>
            <!--
            session timeout in minutes,
            defaults to 30mins, if the property value is not defined,
            client authentication would expire after this time
            -->
            <name>sessionTimeout</name>
            <value>30</value>
          </param>
          <param>
            <name>main.ldapRealm</name>
            <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
          </param>
          <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
          </param>
          <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://localhost:33389</value>
          </param>
          <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
          </param>
          <param>
            <name>urls./**</name>
            <value>authcBasic</value>
          </param>
        </provider>

        Notes on testing:

        Deployed sandbox topology with sessionTimeout value set to 3 (minutes).

        curl -L -i -v -k -u guest:guest-password -X GET 'https://localhost:8443/gateway/sandbox/namenode/api/v1?op=GETHOMEDIRECTORY'

        curl -i -k -u guest:guest-password -X GET 'https://localhost:8443/gateway/sandbox/namenode/api/v1?op=GETHOMEDIRECTORY'
        HTTP/1.1 200 OK
        Set-Cookie: JSESSIONID=q12at9kmwgu5ccr5tctlgqfw;Path=/gateway/sandbox;Secure
        Expires: Thu, 01 Jan 1970 00:00:00 GMT
        Cache-Control: no-cache
        Expires: Thu, 01-Jan-1970 00:00:00 GMT
        Date: Tue, 24 Sep 2013 00:56:25 GMT
        Pragma: no-cache
        Date: Tue, 24 Sep 2013 00:56:25 GMT
        Pragma: no-cache
        Server: Jetty(6.1.26)
        Content-Type: application/json
        Content-Length: 22

        {"Path":"/user/guest"}

        date
        Mon Sep 23 17:57:08 PDT 2013

        curl -i -k -b "JSESSIONID=q12at9kmwgu5ccr5tctlgqfw" -X GET 'https://localhost:8443/gateway/sandbox/namenode/api/v1?op=GETHOMEDIRECTORY'
        HTTP/1.1 200 OK
        Cache-Control: no-cache
        Expires: Thu, 01-Jan-1970 00:00:00 GMT
        Date: Tue, 24 Sep 2013 00:58:10 GMT
        Pragma: no-cache
        Date: Tue, 24 Sep 2013 00:58:10 GMT
        Pragma: no-cache
        Server: Jetty(6.1.26)
        Content-Type: application/json
        Content-Length: 22

        {"Path":"/user/guest"}

        Do not make any calls for 3 mins.
        Then,

        curl -i -k -b "JSESSIONID=q12at9kmwgu5ccr5tctlgqfw" -X GET 'https://localhost:8443/gateway/sandbox/namenode/api/v1?op=GETHOMEDIRECTORY'
        HTTP/1.1 200 OK
        Cache-Control: no-cache
        Expires: Thu, 01-Jan-1970 00:00:00 GMT
        Date: Tue, 24 Sep 2013 01:01:38 GMT
        Pragma: no-cache
        Date: Tue, 24 Sep 2013 01:01:38 GMT
        Pragma: no-cache
        Server: Jetty(6.1.26)
        Content-Type: application/json
        Content-Length: 22

        {"Path":"/user/guest"}

        localhost:mac101 darumugam$ curl -i -k -b "JSESSIONID=q12at9kmwgu5ccr5tctlgqfw" -X GET 'https://localhost:8443/gateway/sandbox/namenode/api/v1?op=GETHOMEDIRECTORY'
        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: BASIC realm="application"
        Content-Length: 0
        Server: Jetty(8.1.12.v20130726)

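The mapping the description and the fix notes above describe, as an added example that is not part of the issue, the patch, or the Knox code base: a Python script that reads the ShiroProvider sessionTimeout param from a topology, applies the 30-minute default when it is absent, rejects values that are not positive integers, and renders the web.xml session-config fragment. The sample topology, including its outer topology/gateway wrapper elements, is constructed for this example.

```python
"""Map a Knox topology's ShiroProvider sessionTimeout to the web.xml
<session-config> the deployment should produce (added example, not Knox code)."""
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MINUTES = 30  # Knox default when the param is absent (per the fix notes)

# Constructed sample topology; only the parts relevant to the session timeout.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>sessionTimeout</name><value>3</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
  </gateway>
</topology>"""


def shiro_session_timeout(topology_xml):
    """Return the idle session timeout (minutes) configured for ShiroProvider.

    Falls back to DEFAULT_TIMEOUT_MINUTES when no sessionTimeout param exists.
    Rejects anything that is not a positive integer: a bad value would otherwise
    reach web.xml and yield a broken or effectively non-expiring session.
    """
    root = ET.fromstring(topology_xml)
    for provider in root.iter("provider"):
        if provider.findtext("name") != "ShiroProvider":
            continue  # findtext only looks at direct children, so <param><name> is skipped
        for param in provider.findall("param"):
            if param.findtext("name") == "sessionTimeout":
                raw = (param.findtext("value") or "").strip()
                if not raw.isdigit() or int(raw) <= 0:
                    raise ValueError("sessionTimeout must be a positive integer of minutes, got %r" % raw)
                return int(raw)
        return DEFAULT_TIMEOUT_MINUTES
    raise ValueError("no ShiroProvider in topology")


def session_config_fragment(timeout_minutes):
    """Render the web.xml fragment; the servlet spec expresses session-timeout in minutes."""
    return ("<session-config>\n"
            "  <session-timeout>%d</session-timeout>\n"
            "</session-config>" % timeout_minutes)


if __name__ == "__main__":
    print(session_config_fragment(shiro_session_timeout(SAMPLE_TOPOLOGY)))
```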
        Dilli Arumugam added a comment -

        Patch to fix the issue

        Dilli Arumugam added a comment -

        Amongst the providers that are currently in Knox, authentication provider is the best place.

        Dilli Arumugam added a comment -

        I think this property belongs in the authentication provider, as the session is created by the authentication provider.

        Kevin Minder added a comment - - edited

        Please provide an example of how this would be specified in the topology files and the resulting web.xml content. Also, you will need to give some thought as to what "provider" would be responsible for taking care of this processing.


          People

          • Assignee: Dilli Arumugam
          • Reporter: Dilli Arumugam
          • Votes: 0
          • Watchers: 2
