-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61501/
-----------------------------------------------------------
(Updated Aug. 10, 2017, 3:28 p.m.)
Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Robert Levas, and
Sebastian Toader.
Changes
-------
using audit log message that reflects the fact that the user was locked out due
to too many auth. falures
Bugs: AMBARI-21680
https://issues.apache.org/jira/browse/AMBARI-21680
Repository: ambari
Description
-------
Prevent users from authenticating if they exceed a configured number of login
failures, which is set as a configuration in the ambari.properties file -
authentication.max.failures.
After a users successfully authenticates, check the value of
org.apache.ambari.server.orm.entities.UserEntity#getConsecutiveFailures.
If it exceeds the value set in authentication.max.failures, then fail
authentication. Else allow authentication to proceed.
If failing authentication due to being "locked out", do not indicate this to
the user; however an Ambari server log message will be useful.
The normal "authentication failed" message should be returned as to not give
away any information about a user's authentication. If a special "locked out"
message is shown, then a hacker will be able to attempt a brute force attack on
a user's account since the returned error message will be different if they
eventually succeed in guessing the password.
To "unlock" the user, a user administrator (a user with the AMBARI.MANAGE_USERS
authorization) needs to reset the user's consecutive failure count to 0.
By default the authentication.max.failures should be 10; however 0 should
indicate that no lockout is desired.
Options
Diffs (updated)
-----
ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/users/UsersShowCtrl.js
200872e
ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js
43b32da
ambari-admin/src/main/resources/ui/admin-web/app/scripts/services/User.js
ac50653
ambari-admin/src/main/resources/ui/admin-web/app/views/users/show.html
f965c5d
ambari-server/docs/configuration/index.md 9dbe9c4
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
4f787c6
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
b52e2b1
ambari-server/src/main/java/org/apache/ambari/server/controller/UserRequest.java
d0836a9
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java
a2d9917
ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariAuthenticationEventHandlerImpl.java
3a5a66b
ambari-server/src/main/java/org/apache/ambari/server/security/authentication/TooManyLoginFailuresException.java
PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserProvider.java
2c8bf12
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLocalUserProviderTest.java
133fc9f
Diff: https://reviews.apache.org/r/61501/diff/2/
Changes: https://reviews.apache.org/r/61501/diff/1-2/
Testing
-------
1
- tried to log in 10 times with an incorrect password
- tried to log in with the correct password and received authentication failure
- reseted the counter
- logged in successfully with the correct password
2
- tried to log in 3 times with incorrect password
- checked that UI showed Login failures=3
- logged in successfully with the correct password
- checked the UI showed Login failures=0
3
- added authentication.max.failures=3 to ambari.properties
- repeated the first test
4
- added authentication.max.failures=0 to ambari.properties
- tried to log in 11 times with an incorrect password
- successfully logged in with the correct password
Results :
Tests run: 4841, Failures: 0, Errors: 0, Skipped: 33
----------------------------------------------------------------------
Total run:1145
Total errors:0
Total failures:0
OK
Ran 470 tests in 108.068s
Thanks,
Attila Magyar
