add last login time for user (#2679)

Signed-off-by: Jeff <zw0948@gmail.com>

pkg/apiserver/authentication/options/authenticate_options.go

@@ -25,20 +25,26 @@ import (
 )
 
 type AuthenticationOptions struct {
-	// authenticate rate limit
+	// AuthenticateRateLimiter defines under which circumstances we will block user.
+	// A user will be blocked if his/her failed login attempt reaches AuthenticateRateLimiterMaxTries in
+	// AuthenticateRateLimiterDuration for about AuthenticateRateLimiterDuration. For example,
+	//   AuthenticateRateLimiterMaxTries: 5
+	//   AuthenticateRateLimiterDuration: 10m
+	// A user will be blocked for 10m if he/she logins with incorrect credentials for at least 5 times in 10m.
 	AuthenticateRateLimiterMaxTries int           `json:"authenticateRateLimiterMaxTries" yaml:"authenticateRateLimiterMaxTries"`
 	AuthenticateRateLimiterDuration time.Duration `json:"authenticateRateLimiterDuration" yaml:"authenticateRateLimiterDuration"`
 	// Token verification maximum time difference
 	MaximumClockSkew time.Duration `json:"maximumClockSkew" yaml:"maximumClockSkew"`
-	// retention login records
-	RecordRetentionPeriod time.Duration `json:"recordRetentionPeriod" yaml:"recordRetentionPeriod"`
-	// allow multiple users login at the same time
+	// retention login history, records beyond this amount will be deleted
+	LoginHistoryRetentionPeriod time.Duration `json:"loginHistoryRetentionPeriod" yaml:"loginHistoryRetentionPeriod"`
+	// allow multiple users login from different location at the same time
 	MultipleLogin bool `json:"multipleLogin" yaml:"multipleLogin"`
-	// secret to signed jwt token
+	// secret to sign jwt token
 	JwtSecret string `json:"-" yaml:"jwtSecret"`
-	// oauth options
+	// OAuthOptions defines options needed for integrated oauth plugins
 	OAuthOptions *oauth.Options `json:"oauthOptions" yaml:"oauthOptions"`
-	KubectlImage string         `json:"kubectlImage" yaml:"kubectlImage"`
+	// KubectlImage is the image address we use to create kubectl pod for users who have admin access to the cluster.
+	KubectlImage string `json:"kubectlImage" yaml:"kubectlImage"`
 }
 
 func NewAuthenticateOptions() *AuthenticationOptions {
@@ -46,7 +52,7 @@ func NewAuthenticateOptions() *AuthenticationOptions {
 		AuthenticateRateLimiterMaxTries: 5,
 		AuthenticateRateLimiterDuration: time.Minute * 30,
 		MaximumClockSkew:                10 * time.Second,
-		RecordRetentionPeriod:           time.Hour * 24 * 7,
+		LoginHistoryRetentionPeriod:     time.Hour * 24 * 7,
 		OAuthOptions:                    oauth.NewOptions(),
 		MultipleLogin:                   false,
 		JwtSecret:                       "",
@@ -68,7 +74,8 @@ func (options *AuthenticationOptions) AddFlags(fs *pflag.FlagSet, s *Authenticat
 	fs.DurationVar(&options.AuthenticateRateLimiterDuration, "authenticate-rate-limiter-duration", s.AuthenticateRateLimiterDuration, "")
 	fs.BoolVar(&options.MultipleLogin, "multiple-login", s.MultipleLogin, "Allow multiple login with the same account, disable means only one user can login at the same time.")
 	fs.StringVar(&options.JwtSecret, "jwt-secret", s.JwtSecret, "Secret to sign jwt token, must not be empty.")
-	fs.DurationVar(&options.OAuthOptions.AccessTokenMaxAge, "access-token-max-age", s.OAuthOptions.AccessTokenMaxAge, "AccessTokenMaxAgeSeconds  control the lifetime of access tokens, 0 means no expiration.")
+	fs.DurationVar(&options.LoginHistoryRetentionPeriod, "login-history-retention-period", s.LoginHistoryRetentionPeriod, "login-history-retention-period defines how long login history should be kept.")
+	fs.DurationVar(&options.OAuthOptions.AccessTokenMaxAge, "access-token-max-age", s.OAuthOptions.AccessTokenMaxAge, "access-token-max-age control the lifetime of access tokens, 0 means no expiration.")
 	fs.StringVar(&s.KubectlImage, "kubectl-image", s.KubectlImage, "Setup the image used by kubectl terminal pod")
 	fs.DurationVar(&options.MaximumClockSkew, "maximum-clock-skew", s.MaximumClockSkew, "The maximum time difference between the system clocks of the ks-apiserver that issued a JWT and the ks-apiserver that verified the JWT.")
 }