Securing sessions
When a Hue session expires, the screen blurs and the user is automatically logged out of the Hue Web UI. Logging back on returns the user to the same location in the application.
Session timeout
User sessions are controlled with the ttl
(time-to-live) property, which is
set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini property as follows:
[desktop] [[session]] ttl=<number_of_seconds>
The default setting for ttl
is 1,209,600 seconds, which equals two weeks.
The ttl
property determines the length of time that the cookie with the
user's session ID lives before expiring. After the ttl
setting is reached,
the user's session expires whether it is active or not.
Idle session timeout
Idle sessions are controlled with the idle_session_timeout
property, which
is set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini property as follows:
[desktop] [[auth]] idle_session_timeout=<number_of_seconds>
Sessions expire that are idle for the number of seconds set for this property. For example,
if you set idle_session_timeout=900
, sessions expire after being idle for 15
minutes. You can disable the property by setting it to a negative value, like
idle-session_timeout=-1
.
Secure session login
[desktop]
>
[[auth]]
in the Cloudera Manager Hue
Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini property as follows:
[desktop] [[auth]] <set_session_login_properties_here>
Use the following properties to configure session login behavior:
change_default_password |
Valid values: true | false If this property is set to true, users must change their passwords on first login attempt. Example:
[desktop] [[auth]] change_default_password=true To use this property, you must enable the
[desktop] [[auth]] backend=desktop.auth.backend.AllowFirstUserDjangoBackend |
expires_after |
Use this property to configure the number of seconds after logout that user accounts are
disabled. For example, user accounts are disabled 900 seconds or 15 minutes after
logout with the following configuration:
[desktop] [[auth]] expires_after=900 If you set this property to a negative value, user sessions never expire. For
example, |
expire_superusers |
Use to expire superuser accounts after the specified number of seconds after
logout. For example, expire_superusers=900
causes superuser accounts to expire 15 minutes after logging out. |
login_cooloff_time |
Sets the number of seconds after which failed logins are forgotten. For example,
if you set login_cooloff_time=900 , a failed login attempt is forgotten
after 15 minutes. |
login_failure_limit |
Sets the number of login attempts allowed before a failed login record is
created. For example, if you set login_failure_limit=3 , a failed
login record is created after 3 login attempts. |
login_lock_out_at_failure |
Valid values: true | false If set to true:
|
login_lock_out_by_combination_user_and_ip |
Valid values: true | false If set to true, both the IP address and the user are locked
out after exceeding the limit set for |
login_lock_out_use_user_agent |
Valid values: true | false If set to true, the agent application (such as a browser)
is locked out after exceeding the limit set for
|
Secure session cookies
[desktop]
>
[[session]]
in the Cloudera Manager Hue
Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini property as follows:
[desktop] [[session]] <set_session_cookie_properties_here>
Use the following properties to configure session cookie behavior:
secure |
Valid values: true | false If this property is set to true, the user session ID is secured. Example:
[desktop] [[session]] secure=true By default this property is set to false. |
http_only |
Valid values: true | false If this property is set to true, the cookie with the user session ID uses the HTTP only flag. Example:
[desktop] [[session]] http_only=true By default this property is set to true. |
expire_at_browser_close |
Valid values: true | false If this property is set to true, only session-length cookies are used. Users are automatically logged out when the browser window is closed. Example:
[desktop] [[session]] expire_at_browser_close=true By default this property is set to false. |