Bug 1397583

Summary: Limit simultaneous sessions
Product: OpenShift Container Platform
Reporter: Michael Epley <mepley>
Component: RFE
Assignee: Michal Fojtik <mfojtik>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.4.0
CC: aos-bugs, jokerman, mepley, mmccomas, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-12 11:59:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Michael Epley 2016-11-22 21:12:23 UTC
Description of problem:

OpenShift allows a user to log into the system an unlimited number of times. OpenShift should limit the number of logins that are allowed for a given user, both within the CLI and the web interface. Ideally OpenShift should limit the number of OAuth tokens that can be simultaneously issued to a given identity as well as the number of web sessions allowed from a given identity. It should allow the number of simultaneous tokens/web sessions to be limited by the user group (ideally a max of 3 for non-administrator users and 2 for administrative users) or identity. This is a requirement of NIST 800-53 AC-10.


Version-Release number of selected component (if applicable):

OCP 3.3

How reproducible:

Perfectly. 

Steps to Reproduce:
1.  Access the web interface of an OCP cluster configured via default settings, using multiple browsers/tabs.
2.  Access is allowed in all sessions.

Actual results:
Access is allowed in all sessions.

Expected results:
The user should be denied access (perhaps redirected to an error page) if too many token/sessions are currently active; or access may be allowed and the oldest token/session should expire.

Additional info:
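
As an added illustration of the control the report asks for (example code written for this page, not OpenShift code and not from the reporter): a small per-identity token limiter in Go that implements both of the outcomes listed under "Expected results", refusing the login once the cap is reached or allowing it and evicting the identity's oldest token. The group caps (2 for "admin", 3 for "user"), the `groupOf` mapping, and the identities "bob" and "admin-alice" are constructed for the example; an identity whose group has no configured cap gets 1 rather than unlimited, so a misconfiguration fails closed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Policy selects what happens when an identity is already at its session cap.
type Policy int

const (
	Deny        Policy = iota // refuse the new login (the report's first option)
	EvictOldest               // allow it, but revoke that identity's oldest token (the second option)
)

var ErrTooManySessions = errors.New("concurrent session limit reached")

// Limiter caps the number of simultaneously valid tokens per identity.
// caps is keyed by group name; groupOf maps an identity to its group. Both are
// assumptions of this example, not an OpenShift API.
type Limiter struct {
	caps    map[string]int
	groupOf func(identity string) string
	policy  Policy
	active  map[string][]string // identity -> live tokens, oldest first
}

func NewLimiter(caps map[string]int, groupOf func(string) string, policy Policy) *Limiter {
	return &Limiter{caps: caps, groupOf: groupOf, policy: policy, active: map[string][]string{}}
}

// Cap returns the limit for identity. A group with no configured cap gets 1,
// not unlimited, so a missing entry in caps fails closed.
func (l *Limiter) Cap(identity string) int {
	if n, ok := l.caps[l.groupOf(identity)]; ok && n > 0 {
		return n
	}
	return 1
}

// newToken returns 128 bits from the CSPRNG, hex encoded.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never degrade to a predictable token
	}
	return hex.EncodeToString(b)
}

// Login issues a token for identity, enforcing the cap under the chosen policy.
func (l *Limiter) Login(identity string) (string, error) {
	tokens := l.active[identity]
	limit := l.Cap(identity)
	if len(tokens) >= limit {
		if l.policy == Deny {
			return "", fmt.Errorf("%w for %q (limit %d)", ErrTooManySessions, identity, limit)
		}
		// EvictOldest: drop from the front until exactly one slot is free.
		for len(tokens) >= limit {
			tokens = tokens[1:]
		}
	}
	tok := newToken()
	l.active[identity] = append(tokens, tok)
	return tok, nil
}

// Valid reports whether tok is currently an active token for identity.
func (l *Limiter) Valid(identity, tok string) bool {
	for _, t := range l.active[identity] {
		if t == tok {
			return true
		}
	}
	return false
}

// Logout revokes tok, freeing its slot for a fresh login.
func (l *Limiter) Logout(identity, tok string) bool {
	tokens := l.active[identity]
	for i, t := range tokens {
		if t == tok {
			l.active[identity] = append(tokens[:i], tokens[i+1:]...)
			return true
		}
	}
	return false
}

// ActiveCount is the number of live tokens for identity.
func (l *Limiter) ActiveCount(identity string) int { return len(l.active[identity]) }

func main() {
	// Constructed run: every identity is in group "user" (cap 3), so the 4th login is refused.
	lim := NewLimiter(map[string]int{"admin": 2, "user": 3}, func(string) string { return "user" }, Deny)
	for i := 1; i <= 4; i++ {
		_, err := lim.Login("bob")
		fmt.Println(i, lim.ActiveCount("bob"), err)
	}
}
```

Two things a real deployment needs that this sketch leaves out: the check-then-append in Login is a race, so a server must serialize Login and Logout per identity (a mutex, or a conditional write in the token store), and the count is only meaningful if every token issuer, CLI login and web console alike, writes to the same store, otherwise a user simply obtains the extra sessions through the path that is not counted.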

Comment 1 Simo Sorce 2017-10-26 14:58:58 UTC
This is something we may not be able to do unless it is limited to just the web console; is that the case?

Comment 5 Kirsten Newcomer 2019-06-12 11:59:13 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.