[ https://issues.apache.org/jira/browse/AMBARI-21680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16330911#comment-16330911 ]

Hudson commented on AMBARI-21680:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #8613 (See [https://builds.apache.org/job/Ambari-trunk-Commit/8613/])
AMBARI-21680. Prevent users from authenticating if they exceed a (amagyar: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=3cefb74cdae3a836ee1896a30dca713e44b95f98])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserProvider.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariAuthenticationEventHandlerImpl.java
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/TooManyLoginFailuresException.java
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersShowCtrl.js
* (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLocalUserProviderTest.java
* (edit) ambari-admin/src/main/resources/ui/admin-web/app/views/users/show.html
* (edit) ambari-server/docs/configuration/index.md
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/UserRequest.java


> Prevent users from authenticating if they exceed a configured number of login failures
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-21680
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21680
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 3.0.0
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: AMBARI-21680.patch
>
>
> Prevent users from authenticating if they exceed a configured number of login failures, which is set as a configuration in the ambari.properties file - authentication.max.failures.
> After a user successfully authenticates, check the value of org.apache.ambari.server.orm.entities.UserEntity#getConsecutiveFailures. If it exceeds the value set in authentication.max.failures, then fail authentication. Else allow authentication to proceed.
> If failing authentication due to being "locked out", do not indicate this to the user; however, an Ambari server log message will be useful. The normal "authentication failed" message should be returned so as not to give away any information about a user's authentication. If a special "locked out" message is shown, then a hacker will be able to attempt a brute force attack on a user's account since the returned error message will be different if they eventually succeed in guessing the password.
> To "unlock" the user, a user administrator (a user with the AMBARI.MANAGE_USERS authorization) needs to reset the user's consecutive failure count to 0.
> By default the authentication.max.failures should be 10; however, 0 should indicate that no lockout is desired.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)