Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Ambari lockout on default authentication

Labels:
avatar
author-rank RyanCicak author-rank
Guru

Created ‎05-31-2016 10:09 PM

If I'm using the defaulted authentication/authorization for Ambari "By default, Ambari uses an internal database as the user store for authentication and authorization", are there any plugins or future plans to add lockouts (on too many failed login attempts)? I just recently watched a video that stated "in the cloud - Ambari can be a target for hackers with default credentials". Aside from changing the admin password - brute force techniques can still be used, correct? To my knowledge, unless I configure Ambari with LDAP (that uses a lockout time), there is no way to currently set lockouts in Ambari - is this correct?

1,675 Views
1 ACCEPTED SOLUTION

avatar
author-rank jeff1
Guru

Created ‎06-01-2016 06:27 PM

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.

View solution in original post

1,326 Views
0 Kudos
3 REPLIES 3

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎06-01-2016 01:53 AM

@Ryan Cicak natively through ambari I am not aware of this feature. However, ambari use a backend db of your choice and from there you can set lockout at the db level. for example if you have oracle or postgres db as the backend for ambari, can can specify number of attempts before lock out. This will need to be tested. On the other hand it may not work since you may have to do a ambari server reset after the password has been changed. Since that is the case I believe the password may be store in memory. In that case then no work around for too many attempts I know of.

1,326 Views

avatar
author-rank ravi1 author-rank
Guru

Created ‎06-01-2016 07:05 PM

Lockout is not at DB level here since we are not authenticating with DB username/password but ambari username/password. So, I don't think there will be a way to lockout at DB level. It has to be implemented at ambari application level, and as @jeff pointed out, can be an enhancement

1,326 Views
0 Kudos

avatar
author-rank jeff1
Guru

Created ‎06-01-2016 06:27 PM

Correct, there is no current "lockout" feature in Ambari when using the default Local user store. Please file an Improvement JIRA in Ambari project. This is a good enhancements to consider.

Note: You can set users as Active/Inactive if you want to lockout users.

And also Note: it's always best practice to make sure to change the default password for the admin user out of the box.

1,327 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements