Account lockout

Available since MKE 3.5.3

You can configure MKE so that a user account is temporarily blocked from logging in after a series of unsuccessful login attempts. The account lockout feature only applies to login attempts made using basic authentication or LDAP. Login attempts made using SAML or OIDC do not trigger the account lockout feature. Admin accounts are never locked.

Account lockouts expire after a set amount of time, after which the affected user can log in as normal. Further login attempts against a locked account do not extend the lockout period. Login attempts against a locked account always return the standard incorrect credentials error, giving the user no indication that the account is locked. Only MKE admins can see account lockout status.

Configure account lockout functionality

  1. Obtain the current MKE configuration file for your cluster.

  2. Set the following parameters in the auth.account_lock section of the MKE configuration file:

    • Set the value of enabled to true.

    • Set the value of failureTriggers to the number of failed login attempts that can be made before the account is locked.

    • Set the value of durationSeconds to the desired lockout duration. A value of 0 indicates that the account will remain locked until it is unlocked by an administrator.

  3. Upload the new MKE configuration file (see Modify an existing MKE configuration).
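As an added example (not part of the MKE documentation or the product's own tooling), the procedure above carried out in one POSIX shell script: a helper that sets the three auth.account_lock keys in a saved MKE configuration file (the file is TOML), a reader that checks the resulting values, and the curl calls that fetch and upload the file and query the /accounts endpoint. The /api/ucp/config-toml path and the bearer-token header are assumptions about the MKE API to verify against your MKE version; MKE_HOST and AUTHTOKEN are placeholders, and the sample configuration is constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example: manage the [auth.account_lock] section of an MKE config file.
# Endpoint paths and the token header below are assumptions about the MKE API.

# set_account_lock FILE ENABLED FAILURE_TRIGGERS DURATION_SECONDS
# Rewrites the [auth.account_lock] section of FILE in place: existing keys are
# updated, missing keys are added, and the section is created if absent.
set_account_lock() {
  file=$1; tmp=$(mktemp)
  awk -v en="$2" -v ft="$3" -v ds="$4" '
    function flush()        { while (blanks > 0) { print ""; blanks-- } }
    function emit_missing() {
      if (!seen["enabled"])         print "  enabled = " en
      if (!seen["failureTriggers"]) print "  failureTriggers = " ft
      if (!seen["durationSeconds"]) print "  durationSeconds = " ds
    }
    /^[[:space:]]*\[auth\.account_lock\][[:space:]]*$/ { insec = 1; found = 1; print; next }
    /^[[:space:]]*\[/ { if (insec) { emit_missing(); flush(); insec = 0 } print; next }
    insec && /^[[:space:]]*$/ { blanks++; next }   # hold blank lines until the section is complete
    insec && /^[[:space:]]*enabled[[:space:]]*=/         { flush(); print "  enabled = " en;         seen["enabled"] = 1;         next }
    insec && /^[[:space:]]*failureTriggers[[:space:]]*=/ { flush(); print "  failureTriggers = " ft; seen["failureTriggers"] = 1; next }
    insec && /^[[:space:]]*durationSeconds[[:space:]]*=/ { flush(); print "  durationSeconds = " ds; seen["durationSeconds"] = 1; next }
    insec { flush(); print; next }
    { print }
    END {
      if (insec) { emit_missing(); flush() }
      if (!found) { print ""; print "[auth.account_lock]"; emit_missing() }
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_account_lock FILE KEY: print the value of KEY from [auth.account_lock].
get_account_lock() {
  awk -v key="$2" '
    /^[[:space:]]*\[auth\.account_lock\][[:space:]]*$/ { insec = 1; next }
    /^[[:space:]]*\[/ { insec = 0 }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# API calls (placeholders; not exercised offline). Assumed MKE endpoints:
# fetch_config HOST TOKEN FILE / upload_config HOST TOKEN FILE / list_accounts HOST TOKEN
fetch_config()  { curl --silent --insecure --header "Authorization: Bearer $2" "https://$1/api/ucp/config-toml" > "$3"; }
upload_config() { curl --silent --insecure --header "Authorization: Bearer $2" --upload-file "$3" "https://$1/api/ucp/config-toml"; }
# Lockout status is visible to admins in the /accounts response; the page does
# not name the field, so the raw JSON is printed for inspection.
list_accounts() { curl --silent --insecure --header "Authorization: Bearer $2" "https://$1/accounts/"; }

# demo: edit a constructed sample config and print the result.
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[auth]
  # constructed sample; other auth settings omitted

[auth.account_lock]
  enabled = false

[log_configuration]
  level = "INFO"
EOF
  set_account_lock "$f" true 5 3600   # lock after 5 failures for one hour
  cat "$f"
  rm -f "$f"
}

case "${1:-}" in demo) demo ;; esac
```

Run with `sh script.sh demo` to see the rewritten sample; for a real cluster the sequence is `fetch_config "$MKE_HOST" "$AUTHTOKEN" mke-config.toml`, `set_account_lock mke-config.toml true 5 3600`, then `upload_config "$MKE_HOST" "$AUTHTOKEN" mke-config.toml`. Passing `0` as the last argument to set_account_lock keeps accounts locked until an administrator unlocks them, as described in the steps above.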

Note

You can verify the lockout status of your organization accounts by issuing a GET request to the /accounts endpoint.

Unlock an account

The account remains locked until the configured lockout duration has elapsed. To unlock it before then, you must either have an administrator unlock the account or globally disable the account lockout feature.


To unlock a locked account:

  1. Log in to the MKE web UI as an administrator.

  2. In the left-side navigation panel, navigate to Access Control > Users and select the user who is locked out of their account.

  3. Click the gear icon in the upper right corner.

  4. Navigate to the Security tab.

    Note

    An expired account lock only resets once a new log in attempt is made. Until such time, the account will present as locked to administrators.

  5. Click the Unlock account button.


To globally disable the account lockout feature:

  1. Obtain the current MKE configuration file for your cluster.

  2. In the auth.account_lock section of the MKE configuration file, set the value of enabled to false.

  3. Upload the new MKE configuration file.