Support Questions

Find answers, ask questions, and share your expertise

Ambari lockout on default authentication

avatar

If I'm using the defaulted authentication/authorization for Ambari "By default, Ambari uses an internal database as the user store for authentication and authorization", are there any plugins or future plans to add lockouts (on too many failed login attempts)? I just recently watched a video that stated "in the cloud - Ambari can be a target for hackers with default credentials". Aside from changing the admin password - brute force techniques can still be used, correct? To my knowledge, unless I configure Ambari with LDAP (that uses a lockout time), there is no way to currently set lockouts in Ambari - is this correct?

1 ACCEPTED SOLUTION

avatar
Guru

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.

View solution in original post

3 REPLIES 3

avatar
Master Guru

@Ryan Cicak natively through ambari I am not aware of this feature. However, ambari use a backend db of your choice and from there you can set lockout at the db level. for example if you have oracle or postgres db as the backend for ambari, can can specify number of attempts before lock out. This will need to be tested. On the other hand it may not work since you may have to do a ambari server reset after the password has been changed. Since that is the case I believe the password may be store in memory. In that case then no work around for too many attempts I know of.

avatar
Guru

Lockout is not at DB level here since we are not authenticating with DB username/password but ambari username/password. So, I don't think there will be a way to lockout at DB level. It has to be implemented at ambari application level, and as @jeff pointed out, can be an enhancement

avatar
Guru

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.