RBAC service configuration

You can configure the RBAC service's settings to specify the duration before inactive user accounts expire, adjust the length of user sessions, the number of times a user can attempt to log in, and the length of time a password reset token is valid. You can also create a list of trusted, or allowed, certificates.

These configuration parameters are not required, but when present must be under the rbac section, as in the following example:

rbac: {
  # Duration in days before an inactive account expires
  account-expiry-days: 1
  # Duration in minutes that idle user accounts are checked
  account-expiry-check-minutes: 60
  # Duration in hours that a password reset token is viable
  password-reset-expiration: 24
  # Duration in minutes that a session is viable
  session-timeout: 60
  failed-attempts-lockout: 10


This parameter is a positive integer that specifies the duration, in days, before an inactive user account expires. The default value is undefined. To activate this feature, add a value of 1 or greater.

If a non-superuser hasn't logged into the console during this specified period, their user status updates to revoked. After creating an account, if a non-superuser hasn't logged in to the console during the specified period, their user status updates to revoked.

Important: If the account-expiry-days parameter is not specified, or has a value of less than 1, the account-expiry-check-minutes parameter is ignored.


This parameter is a positive integer that specifies how often, in minutes, the application checks for idle user accounts. The default value is 60 minutes.


When a user doesn't remember their current password, an administrator can generate a token for them to change their password. The duration, in hours, that this generated token is valid can be changed with the password-reset-expiration config parameter. The default value is 24.


This parameter is a positive integer that specifies how long a user's session should last, in minutes. This session is the same across node classifier, RBAC, and the console. The default value is 60.


This parameter is a positive integer that specifies how many failed login attempts are allowed on an account before that account is revoked. The default value is 10.

Note: If you change this value, create a new file or Puppet resets back to 10 when it next runs. Create the file in an RBAC section of /etc/puppetlabs/console-services/conf.d.


This parameter is a path for specifying the file that contains the names of hosts that are allowed to use RBAC APIs and other downstream component APIs, such as the Node Classifier and the Activity services. This configuration is for the users who want to script interaction with the RBAC service.

Users must connect to the RBAC service with a client certificate that has been specified in this certificate-allowlist file. A successful match of the client certificate and a certificate on this list allows access to the RBAC APIs as the api_user. By default, this user is an administrator and has all available permissions.

The certificate allowlist contains, at minimum, the certificate for the nodes PE is installed on.