Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ambari lockout on default authentication

Solved Go to solution

Ambari lockout on default authentication

If I'm using the defaulted authentication/authorization for Ambari "By default, Ambari uses an internal database as the user store for authentication and authorization", are there any plugins or future plans to add lockouts (on too many failed login attempts)? I just recently watched a video that stated "in the cloud - Ambari can be a target for hackers with default credentials". Aside from changing the admin password - brute force techniques can still be used, correct? To my knowledge, unless I configure Ambari with LDAP (that uses a lockout time), there is no way to currently set lockouts in Ambari - is this correct?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Ambari lockout on default authentication

Guru

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.

3 REPLIES 3

Re: Ambari lockout on default authentication

Super Guru

@Ryan Cicak natively through ambari I am not aware of this feature. However, ambari use a backend db of your choice and from there you can set lockout at the db level. for example if you have oracle or postgres db as the backend for ambari, can can specify number of attempts before lock out. This will need to be tested. On the other hand it may not work since you may have to do a ambari server reset after the password has been changed. Since that is the case I believe the password may be store in memory. In that case then no work around for too many attempts I know of.

Re: Ambari lockout on default authentication

Guru

Lockout is not at DB level here since we are not authenticating with DB username/password but ambari username/password. So, I don't think there will be a way to lockout at DB level. It has to be implemented at ambari application level, and as @jeff pointed out, can be an enhancement

Highlighted

Re: Ambari lockout on default authentication

Guru

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.

Don't have an account?
Coming from Hortonworks? Activate your account here