This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 130fbbf [AMBARI-22876] Disable consecutive authentication failure
account lockout feature by default
130fbbf is described below
commit 130fbbfeba64cd33e037485041f8fb963c32c036
Author: Robert Levas <[email protected]>
AuthorDate: Tue Jan 30 12:33:29 2018 -0500
[AMBARI-22876] Disable consecutive authentication failure account lockout
feature by default
---
ambari-server/docs/configuration/index.md | 2 +-
.../ambari/server/configuration/Configuration.java | 2 +-
.../server/configuration/ConfigurationTest.java | 24 ++++++++++++++++++++++
.../pam/AmbariPamAuthenticationProviderTest.java | 15 +++++++++-----
4 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/ambari-server/docs/configuration/index.md
b/ambari-server/docs/configuration/index.md
index b6f0ed5..bdc012e 100644
--- a/ambari-server/docs/configuration/index.md
+++ b/ambari-server/docs/configuration/index.md
@@ -109,7 +109,7 @@ The following are the properties which can be used to
configure Ambari.
| authentication.ldap.userSearchFilter | A filter used to lookup a user in
LDAP based on the Ambari user name<br/><br/>The following are examples of valid
values:<ul><li>`(&({usernameAttribute}={0})(objectClass={userObjectClass}))`</ul>
|`(&({usernameAttribute}={0})(objectClass={userObjectClass}))` |
| authentication.ldap.username.forceLowercase | Declares whether to force the
ldap user name to be lowercase or leave as-is. This is useful when local user
names are expected to be lowercase but the LDAP user names are not. |`false` |
| authentication.ldap.usernameAttribute | The attribute used for determining
the user name, such as `uid`. |`uid` |
-| authentication.local.max.failures | The maximum number of authentication
attempts permitted to a local user. Once the number of failures reaches this
limit the user will be locked out. 0 indicates unlimited failures. |`10` |
+| authentication.local.max.failures | The maximum number of authentication
attempts permitted to a local user. Once the number of failures reaches this
limit the user will be locked out. 0 indicates unlimited failures. |`0` |
| authentication.local.show.locked.account.messages | Show or hide whether the
user account is disabled or locked out, if relevant, when an authentication
attempt fails. |`false` |
| authorization.ldap.adminGroupMappingRules | A comma-separate list of groups
which would give a user administrative access to Ambari when syncing from LDAP.
This is only used when `authorization.ldap.groupSearchFilter` is
blank.<br/><br/>The following are examples of valid
values:<ul><li>`administrators`<li>`Hadoop Admins,Hadoop Admins.*,DC
Admins,.*Hadoop Operators`</ul> |`Ambari Administrators` |
| authorization.ldap.groupSearchFilter | The DN to use when searching for LDAP
groups. | |
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 5c07304..a14a421 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2521,7 +2521,7 @@ public class Configuration {
*/
@Markdown(description = "The maximum number of authentication attempts
permitted to a local user. Once the number of failures reaches this limit the
user will be locked out. 0 indicates unlimited failures.")
public static final ConfigurationProperty<Integer>
MAX_LOCAL_AUTHENTICATION_FAILURES = new ConfigurationProperty<>(
- "authentication.local.max.failures", 10);
+ "authentication.local.max.failures", 0);
/**
* A flag to determine whether locked out messages are to be shown to users,
if relevant, when authenticating into Ambari
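Review bot: The `@Markdown` description on `MAX_LOCAL_AUTHENTICATION_FAILURES` still reads as if lockout were the normal case, while the new default of `0` means a stock install places no limit on consecutive failed logins for local users. I would extend the description (and the matching row in index.md) with a sentence such as `The default of 0 disables account lockout; set a positive value to limit repeated password guessing against local accounts.` so operators see the trade-off where they read the property. Whether negative values are treated like 0 is not visible here and is worth stating in the same place. The Javadoc above the field and the rest of the Configuration class lie outside the hunk.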
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 098a998..cef8903 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.configuration;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.spy;
import static org.powermock.api.easymock.PowerMock.mockStatic;
@@ -955,4 +956,27 @@ public class ConfigurationTest {
}
}
+ @Test
+ public void testMaxAuthenticationFailureConfiguration() {
+ Configuration configuration;
+
+ // Test default value is 0
+ configuration = new Configuration();
+ assertEquals(0, configuration.getMaxAuthenticationFailures());
+
+ // Test configured value
+ Properties properties = new Properties();
+
properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(),
"10");
+ configuration = new Configuration(properties);
+ assertEquals(10, configuration.getMaxAuthenticationFailures());
+
+
properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(),
"not a number");
+ configuration = new Configuration(properties);
+ try {
+ configuration.getMaxAuthenticationFailures();
+ Assert.fail("Expected NumberFormatException");
+ } catch (NumberFormatException e) {
+ // This is expected
+ }
+ }
}
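Review bot: `testMaxAuthenticationFailureConfiguration` pins the default, one positive value and a non-numeric value, but not a negative one, and the property description only defines `0` as unlimited. A case such as `properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(), "-1");` with the intended result asserted would settle whether a negative setting disables lockout or is rejected. The non-numeric case also shows that a malformed value fails only when `getMaxAuthenticationFailures()` is called. If that getter is reached during login (not visible here), a typo in the properties file would surface as an exception on authentication attempts rather than at startup, so a comment stating that this is the intended contract would help.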
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
index 3d4c088..6a90ef7 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
@@ -22,6 +22,7 @@ import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.expectLastCall;
import java.util.Collections;
+import java.util.Properties;
import javax.persistence.EntityManager;
@@ -77,6 +78,14 @@ public class AmbariPamAuthenticationProviderTest extends
EasyMockSupport {
.addMockedMethod("getUser", UserEntity.class)
.createMock();
+ Properties properties = new Properties();
+ properties.setProperty(Configuration.CLIENT_SECURITY.getKey(),
ClientSecurityType.PAM.name());
+ properties.setProperty(Configuration.PAM_CONFIGURATION_FILE.getKey(),
"ambari-pam");
+
properties.setProperty(Configuration.SHOW_LOCKED_OUT_USER_MESSAGE.getKey(),
"true");
+
properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(),
"10");
+
+ final Configuration configuration = new Configuration(properties);
+
injector = Guice.createInjector(new AbstractModule() {
@Override
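Review bot: The literal `"10"` set for `MAX_LOCAL_AUTHENTICATION_FAILURES` in the setup carries no explanation, yet it appears to be what keeps the lockout path reachable in this test now that the default is `0`. A comment above it such as `// Lockout is off by default (0); enable it so the locked-out-user cases are exercised` would stop a later cleanup from removing it. None of the visible hunks adds a case that runs this provider with the default configuration to check that repeated failures do not lock the account, though that may be covered elsewhere. The setup method begins before this hunk and continues in the next one.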
@@ -89,13 +98,9 @@ public class AmbariPamAuthenticationProviderTest extends
EasyMockSupport {
bind(PamAuthenticationFactory.class).toInstance(createMock(PamAuthenticationFactory.class));
bind(PasswordEncoder.class).toInstance(new StandardPasswordEncoder());
bind(Users.class).toInstance(users);
+ bind(Configuration.class).toInstance(configuration);
}
});
-
- Configuration configuration = injector.getInstance(Configuration.class);
- configuration.setClientSecurityType(ClientSecurityType.PAM);
- configuration.setProperty(Configuration.PAM_CONFIGURATION_FILE,
"ambari-pam");
- configuration.setProperty(Configuration.SHOW_LOCKED_OUT_USER_MESSAGE,
"true");
}
@Test(expected = AuthenticationException.class)
--