Concurrent session verification (Tech Preview)

This feature is a security measure that enables end-users limiting the number of concurrent UI sessions the users can have. To achieve this goal the users can be sorted out into three groups: non-privileged, privileged, unlimited.

The non-privileged and privileged groups each have a configurable limit, which the members of the group can not exceed. The members of the unlimited group are able to create an unlimited number of concurrent sessions.

All of the users, who are not configured in either the privileged or in the unlimited group, shall become the member of the non-privileged group by default.

Configuration

The following table shows the relevant gateway-level parameters that are essential for this feature to work:

Parameter Description Default
gateway.service.concurrentsessionverifier.impl To enable the session verification feature, end-users should set this parameter to org.apache.knox.gateway.session.control.InMemoryConcurrentSessionVerifier org.apache.knox.gateway.session.control.EmptyConcurrentSessionVerifier
gateway.session.verification.privileged.users Indicates a list of users that are qualified privileged. Empty list
gateway.session.verification.unlimited.users Indicates a list of (super) users that can have as many UI sessions as they want. Empty list
gateway.session.verification.privileged.user.limit The number of UI sessions a privileged user can have 3
gateway.session.verification.non.privileged.user.limit The number of UI sessions a non-privileged user can have 2

How this works

If the verifier is disabled it will not do anything even if the other parameters are configured.

When the verifier is enabled all of the users are considered as a non-privileged user by default and they will not be able to create more concurrent sessions than the non-privileged limit. The same is true after you added someone in the privileged user group: that user will not be able to create more UI sessions than the configured privileged user limit. Whereas the members of the unlimited users group are able to create an unlimited number of concurrent sessions even if they are configured in the privileged group as well.

In Cloudera Data Platform, currently, there are no first-class Cloudera Manager parameters for this feature, so all of those properties have to be set through Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml configuration in Cloudera Manager.