ambari-issues mailing list archives

From "Hudson (JIRA)" <>
Subject [jira] [Commented] (AMBARI-21680) Prevent users from authenticating if they exceed a configured number of login failures
Date Thu, 18 Jan 2018 18:26:01 GMT


Hudson commented on AMBARI-21680:

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #8613 (See [])
AMBARI-21680. Prevent users from authenticating if they exceed a (amagyar: [])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersShowCtrl.js
* (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/views/users/show.html
* (edit) ambari-server/docs/configuration/
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/

> Prevent users from authenticating if they exceed a configured number of login failures
> --------------------------------------------------------------------------------------
>                 Key: AMBARI-21680
>                 URL:
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 3.0.0
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>             Fix For: 3.0.0
>         Attachments: AMBARI-21680.patch
> Prevent users from authenticating if they exceed a configured number of login failures, which is set as a configuration in the file - authentication.max.failures.
> After a user successfully authenticates, check the value of org.apache.ambari.server.orm.entities.UserEntity#getConsecutiveFailures.

> If it exceeds the value set in authentication.max.failures, then fail authentication. Else allow authentication to proceed.
> If failing authentication due to being "locked out", do not indicate this to the user; however an Ambari server log message will be useful.
> The normal "authentication failed" message should be returned so as not to give away any information about a user's authentication.
> If a special "locked out" message is shown, then a hacker will be able to attempt a brute force attack on a user's account since the returned error message will be different if they eventually succeed in guessing the password.
> To "unlock" the user, a user administrator (a user with the AMBARI.MANAGE_USERS authorization) needs to reset the user's consecutive failure count to 0.
> By default the authentication.max.failures should be 10; however 0 should indicate that no lockout is desired.
