Account lockout¶
You can configure MKE so that a user account is temporarily blocked from logging in following a series of unsuccessful login attempts. The account lockout feature only prevents login attempts that are made using basic authorization or LDAP. Login attempts using either SAML or OIDC do not trigger the account lockout feature. Admin accounts are never locked.
Account lockouts expire after a set amount of time, after which the affected user can log in as normal. Subsequent login attempts on a locked account do not extend the lockout period. Login attempts against a locked account always return a standard incorrect credentials error, providing no indication to the user that the account is locked. Only MKE admins can see account lockout status.
Configure account lockout functionality¶
1. Obtain the current MKE configuration file for your cluster.
2. Set the following parameters in the auth.account_lock section of the MKE configuration file:
   - Set the value of enabled to true.
   - Set the value of failureTriggers to the number of failed login attempts that can be made before an account is locked.
   - Set the value of durationSeconds to the desired lockout duration, in seconds. A value of 0 indicates that the account will remain locked until it is unlocked by an administrator.
Note
You can verify the lockout status of your organization accounts by issuing a GET request to the /accounts endpoint.
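The lockout rules described on this page can be exercised end to end with the following Python model. It is an added example, not MKE's own code: it reads the three keys from a constructed auth.account_lock fragment (the MKE configuration file is TOML) and applies the behaviour the page describes, namely a lock after failureTriggers failures, the same generic error for locked accounts whether or not the password is right, no extension of the lock by further attempts, durationSeconds = 0 meaning locked until an administrator unlocks, no counting for admin, SAML or OIDC logins, and an expired lock that only clears on the next login attempt. The parser, the LockoutPolicy and FakeClock classes and the account names are assumptions of this example, not MKE APIs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample of an MKE configuration file fragment (the file is TOML).
# Only the auth.account_lock table matters here; the values are illustrative.
SAMPLE_CONFIG = """\
[auth]
  # other auth settings omitted

[auth.account_lock]
  enabled = true
  failureTriggers = 5
  durationSeconds = 600
"""


def parse_account_lock(toml_text: str) -> Dict[str, object]:
    """Read the key = value pairs of the [auth.account_lock] table only.

    Deliberately minimal: booleans, integers and quoted strings, one per line,
    which is all this table needs. Use a real TOML parser (tomllib on
    Python 3.11+) for the whole file.
    """
    settings: Dict[str, object] = {}
    in_table = False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_table = line == "[auth.account_lock]"
            continue
        if not in_table:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value in ("true", "false"):
            settings[key] = value == "true"
        elif value.lstrip("-").isdigit():
            settings[key] = int(value)
        else:
            settings[key] = value.strip('"')
    return settings


@dataclass
class AccountState:
    failures: int = 0                   # consecutive counted failures
    locked_at: Optional[float] = None   # time the lock was set, None if unlocked


class LockoutPolicy:
    """Enforces the lockout rules from the page, driven by the parsed table."""

    COUNTED_METHODS = frozenset({"basic", "ldap"})  # SAML/OIDC never trigger a lock
    GENERIC_ERROR = "incorrect credentials"

    def __init__(self, settings: Dict[str, object], clock: Callable[[], float]):
        self.enabled = bool(settings.get("enabled", False))
        self.failure_triggers = int(settings["failureTriggers"])
        self.duration = int(settings["durationSeconds"])
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _lock_active(self, st: AccountState, now: float) -> bool:
        if st.locked_at is None:
            return False
        if self.duration == 0:          # 0 means locked until an admin unlocks it
            return True
        return now - st.locked_at < self.duration

    def attempt_login(self, user: str, credentials_ok: bool, method: str,
                      is_admin: bool = False) -> str:
        """Return "ok" or the generic error; a locked account gets the same
        error as a wrong password, so the caller cannot tell them apart."""
        counted = self.enabled and not is_admin and method in self.COUNTED_METHODS
        if not counted:
            return "ok" if credentials_ok else self.GENERIC_ERROR
        st, now = self._state(user), self.clock()
        if st.locked_at is not None:
            if self._lock_active(st, now):
                return self.GENERIC_ERROR        # attempt does not extend the lock
            st.locked_at, st.failures = None, 0  # expired lock is cleared only now
        if credentials_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.failure_triggers:
            st.locked_at = now
        return self.GENERIC_ERROR

    def admin_sees_locked(self, user: str) -> bool:
        """Status shown to an admin: an expired lock still reads as locked
        until the next login attempt clears it."""
        return self._state(user).locked_at is not None

    def unlock(self, user: str) -> None:
        """Administrator action (the Unlock account button in the web UI)."""
        st = self._state(user)
        st.locked_at, st.failures = None, 0


class FakeClock:
    """Controllable clock so the scenario below is deterministic."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> Dict[str, object]:
    """Walk one user through lock, generic error, expiry and stale status."""
    clock = FakeClock()
    policy = LockoutPolicy(parse_account_lock(SAMPLE_CONFIG), clock)
    for _ in range(policy.failure_triggers):
        policy.attempt_login("alice", False, "basic")
    out: Dict[str, object] = {"locked_after_triggers": policy.admin_sees_locked("alice")}
    out["correct_password_while_locked"] = policy.attempt_login("alice", True, "basic")
    clock.advance(policy.duration - 1)
    out["still_locked_before_expiry"] = policy.attempt_login("alice", True, "basic")
    clock.advance(1)                                      # the lock has now expired ...
    out["admin_view_after_expiry"] = policy.admin_sees_locked("alice")  # ... but still shows locked
    out["login_after_expiry"] = policy.attempt_login("alice", True, "basic")
    out["admin_view_after_login"] = policy.admin_sees_locked("alice")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the scenario: the account locks after five failures, the correct password is refused with the generic error until the 600 seconds have elapsed, and the administrator view still reports the account as locked after expiry until Alice's next login attempt clears it.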
Unlock an account¶
A locked account remains locked until the configured lockout duration has elapsed. To unlock it before then, you must either have an administrator unlock the account or globally disable the account lockout feature.
To unlock a locked account:
1. Log in to the MKE web UI as an administrator.
2. In the left-side navigation panel, navigate to Access Control > Users and select the user who is locked out of their account.
3. Click the gear icon in the upper right corner.
4. Navigate to the Security tab.
   Note
   An expired account lock only resets once a new login attempt is made. Until such time, the account will present as locked to administrators.
5. Click the Unlock account button.
To globally disable the account lockout feature:
1. Obtain the current MKE configuration file for your cluster.
2. In the auth.account_lock section of the MKE configuration file, set the value of enabled to false.