Posted to commits@ambari.apache.org by rl...@apache.org on 2018/01/30 23:14:00 UTC
[ambari] branch trunk updated: [AMBARI-22876] Disable consecutive
authentication failure account lockout feature by default
This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new 130fbbf [AMBARI-22876] Disable consecutive authentication failure account lockout feature by default
130fbbf is described below
commit 130fbbfeba64cd33e037485041f8fb963c32c036
Author: Robert Levas <rl...@hortonworks.com>
AuthorDate: Tue Jan 30 12:33:29 2018 -0500
[AMBARI-22876] Disable consecutive authentication failure account lockout feature by default
---
ambari-server/docs/configuration/index.md | 2 +-
.../ambari/server/configuration/Configuration.java | 2 +-
.../server/configuration/ConfigurationTest.java | 24 ++++++++++++++++++++++
.../pam/AmbariPamAuthenticationProviderTest.java | 15 +++++++++-----
4 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/ambari-server/docs/configuration/index.md b/ambari-server/docs/configuration/index.md
index b6f0ed5..bdc012e 100644
--- a/ambari-server/docs/configuration/index.md
+++ b/ambari-server/docs/configuration/index.md
@@ -109,7 +109,7 @@ The following are the properties which can be used to configure Ambari.
| authentication.ldap.userSearchFilter | A filter used to lookup a user in LDAP based on the Ambari user name<br/><br/>The following are examples of valid values:<ul><li>`(&({usernameAttribute}={0})(objectClass={userObjectClass}))`</ul> |`(&({usernameAttribute}={0})(objectClass={userObjectClass}))` |
| authentication.ldap.username.forceLowercase | Declares whether to force the ldap user name to be lowercase or leave as-is. This is useful when local user names are expected to be lowercase but the LDAP user names are not. |`false` |
| authentication.ldap.usernameAttribute | The attribute used for determining the user name, such as `uid`. |`uid` |
-| authentication.local.max.failures | The maximum number of authentication attempts permitted to a local user. Once the number of failures reaches this limit the user will be locked out. 0 indicates unlimited failures. |`10` |
+| authentication.local.max.failures | The maximum number of authentication attempts permitted to a local user. Once the number of failures reaches this limit the user will be locked out. 0 indicates unlimited failures. |`0` |
| authentication.local.show.locked.account.messages | Show or hide whether the user account is disabled or locked out, if relevant, when an authentication attempt fails. |`false` |
| authorization.ldap.adminGroupMappingRules | A comma-separate list of groups which would give a user administrative access to Ambari when syncing from LDAP. This is only used when `authorization.ldap.groupSearchFilter` is blank.<br/><br/>The following are examples of valid values:<ul><li>`administrators`<li>`Hadoop Admins,Hadoop Admins.*,DC Admins,.*Hadoop Operators`</ul> |`Ambari Administrators` |
| authorization.ldap.groupSearchFilter | The DN to use when searching for LDAP groups. | |
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 5c07304..a14a421 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2521,7 +2521,7 @@ public class Configuration {
*/
@Markdown(description = "The maximum number of authentication attempts permitted to a local user. Once the number of failures reaches this limit the user will be locked out. 0 indicates unlimited failures.")
public static final ConfigurationProperty<Integer> MAX_LOCAL_AUTHENTICATION_FAILURES = new ConfigurationProperty<>(
- "authentication.local.max.failures", 10);
+ "authentication.local.max.failures", 0);
/**
* A flag to determine whether locked out messages are to be shown to users, if relevant, when authenticating into Ambari
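Review bot: The `@Markdown` description on `MAX_LOCAL_AUTHENTICATION_FAILURES` does not say that the new default of `0` leaves account lockout switched off, so a stock install places no limit on failed local logins and an operator reading the property text will not learn that. I would extend the description to something like `0 indicates unlimited failures, which disables account lockout; this is the default, so set a positive value to limit password guessing against local accounts.` The row in `index.md` carries the same text and would need the same wording. The Javadoc block for this constant begins above the hunk, so I cannot see whether it already mentions the default.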
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 098a998..cef8903 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -18,6 +18,7 @@
package org.apache.ambari.server.configuration;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.spy;
import static org.powermock.api.easymock.PowerMock.mockStatic;
@@ -955,4 +956,27 @@ public class ConfigurationTest {
}
}
+ @Test
+ public void testMaxAuthenticationFailureConfiguration() {
+ Configuration configuration;
+
+ // Test default value is 0
+ configuration = new Configuration();
+ assertEquals(0, configuration.getMaxAuthenticationFailures());
+
+ // Test configured value
+ Properties properties = new Properties();
+ properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(), "10");
+ configuration = new Configuration(properties);
+ assertEquals(10, configuration.getMaxAuthenticationFailures());
+
+ properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(), "not a number");
+ configuration = new Configuration(properties);
+ try {
+ configuration.getMaxAuthenticationFailures();
+ Assert.fail("Expected NumberFormatException");
+ } catch (NumberFormatException e) {
+ // This is expected
+ }
+ }
}
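Review bot: `testMaxAuthenticationFailureConfiguration` has no case for a negative `authentication.local.max.failures`, and the property description only defines `0` and positive values. Since this number decides whether an account is ever locked, I would add a case such as `properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(), "-1");` with an assertion that states the intended result. The last case pins `NumberFormatException` from `getMaxAuthenticationFailures()` for a non-numeric value; the callers of that getter are not in this diff, so it is worth confirming whether a malformed setting fails at startup or only on a login attempt. The test also calls `Assert.fail` next to the newly static-imported `assertEquals`; one form would read more evenly.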
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
index 3d4c088..6a90ef7 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProviderTest.java
@@ -22,6 +22,7 @@ import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.expectLastCall;
import java.util.Collections;
+import java.util.Properties;
import javax.persistence.EntityManager;
@@ -77,6 +78,14 @@ public class AmbariPamAuthenticationProviderTest extends EasyMockSupport {
.addMockedMethod("getUser", UserEntity.class)
.createMock();
+ Properties properties = new Properties();
+ properties.setProperty(Configuration.CLIENT_SECURITY.getKey(), ClientSecurityType.PAM.name());
+ properties.setProperty(Configuration.PAM_CONFIGURATION_FILE.getKey(), "ambari-pam");
+ properties.setProperty(Configuration.SHOW_LOCKED_OUT_USER_MESSAGE.getKey(), "true");
+ properties.setProperty(Configuration.MAX_LOCAL_AUTHENTICATION_FAILURES.getKey(), "10");
+
+ final Configuration configuration = new Configuration(properties);
+
injector = Guice.createInjector(new AbstractModule() {
@Override
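Review bot: The added `MAX_LOCAL_AUTHENTICATION_FAILURES` value of `"10"` carries no comment saying why it is set, and a reader who does not know the default became `0` will not see that the lockout-related cases in this class depend on it. I would put `// Lockout is off by default (0); enable it so the locked-account cases are exercised.` above that line. Because every test here now runs with lockout enabled, it seems that no case in this class checks the default path, where repeated failures must not lock the account; that may be covered elsewhere. The setup method starts before this hunk and continues in the next one.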
@@ -89,13 +98,9 @@ public class AmbariPamAuthenticationProviderTest extends EasyMockSupport {
bind(PamAuthenticationFactory.class).toInstance(createMock(PamAuthenticationFactory.class));
bind(PasswordEncoder.class).toInstance(new StandardPasswordEncoder());
bind(Users.class).toInstance(users);
+ bind(Configuration.class).toInstance(configuration);
}
});
-
- Configuration configuration = injector.getInstance(Configuration.class);
- configuration.setClientSecurityType(ClientSecurityType.PAM);
- configuration.setProperty(Configuration.PAM_CONFIGURATION_FILE, "ambari-pam");
- configuration.setProperty(Configuration.SHOW_LOCKED_OUT_USER_MESSAGE, "true");
}
@Test(expected = AuthenticationException.class)
--