Feature #25232

Feature #47765: mgr/dashboard: security improvements

mgr/dashboard: Support minimum password complexity rules

Added by Paul Cuzner almost 3 years ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Category:
Component - Users & Roles
Target version:
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

For local accounts, passwords should adhere to some basic complexity rules.

Suggested rules:
- at least 6 chars in length
- must not be the same as the user account name
- consist of characters from the following groups
  - alphabetic a-z, A-Z
  - numbers 0-9
  - special chars: !_@
- must use at least 1 special char


Related issues

Related to Dashboard - Feature #40248: mgr/dashboard: As a user, I want to change my password Closed
Related to Dashboard - Feature #25229: mgr/dashboard: Provide user enable/disable capability Closed
Related to Dashboard - Feature #24655: mgr/dashboard: Enforce password change upon first login Closed
Related to Dashboard - Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password Closed
Related to Dashboard - Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts Resolved
Related to Dashboard - Feature #41789: mgr/dashboard: Passwords have a minimum length Closed
Related to Dashboard - Documentation #42165: mgr/dashboard: Document new password requirements in the installation documentation New
Copied to Dashboard - Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) Rejected

History

#1 Updated by Lenz Grimmer almost 3 years ago

  • Subject changed from mgr/dashboard support minimum password complexity rules to mgr/dashboard: Support minimum password complexity rules

#2 Updated by Lenz Grimmer almost 3 years ago

  • Category changed from dashboard/general to dashboard/usermgmt

#3 Updated by Lenz Grimmer about 2 years ago

  • Tags set to security
  • Target version deleted (v14.0.0)
  • Tags deleted (dashboard, user)

#4 Updated by Elzbieta Dziomdziora about 2 years ago

  • Assignee set to Elzbieta Dziomdziora

#5 Updated by Elzbieta Dziomdziora about 2 years ago

  • Status changed from New to In Progress

#6 Updated by Elzbieta Dziomdziora about 2 years ago

  • Status changed from In Progress to Fix Under Review
  • Pull request ID set to 28693

#7 Updated by Elzbieta Dziomdziora about 2 years ago

  • Pull request ID changed from 28693 to 28694

#8 Updated by Lenz Grimmer almost 2 years ago

  • Target version set to v15.0.0

#9 Updated by Lenz Grimmer almost 2 years ago

  • Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added

#10 Updated by Lenz Grimmer almost 2 years ago

  • Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added

#11 Updated by Lenz Grimmer almost 2 years ago

  • Related to Feature #24655: mgr/dashboard: Enforce password change upon first login added

#12 Updated by Lenz Grimmer almost 2 years ago

  • Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added

#13 Updated by Lenz Grimmer almost 2 years ago

  • Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added

#14 Updated by Elzbieta Dziomdziora almost 2 years ago

  • Pull request ID changed from 28694 to 29312

#15 Updated by Elzbieta Dziomdziora almost 2 years ago

According to the conversation in PR 28694 (https://github.com/ceph/ceph/pull/28694) the required rules are:

- Checks if it contains the username
- Checks that it doesn't contain forbidden words (list of forbidden words: OSD, Host, Dashboard, Pool, Block, NFS, ceph, Monitors, Gateway, Logs, CRUSH, maps) <- maybe someone can add some words to the list.
- Checks if the password is the same as the previous one
- Checks if it has repetitive characters (three or more identical characters next to each other)
- Checks if the password contains sequential characters ("1234")

Apart from that there is a credit system:
- Every password needs to get a minimum of 10 credits.
- For every character of length a password gets +1 credit.
- For having mixed upper & lowercase letters +2 credits.
- For having numbers +1.
- For having symbols +3.
- For having non-western alphanumeric chars +5 credits.
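The rule set described in comment #15 (which supersedes the simpler rules suggested in the issue description), implemented as an added Python example. This is not code from the ceph repository or from PR 28694/29532; it only follows the comment's wording. Where the comment leaves details open, the example assumes: username and forbidden-word matching is case-insensitive, a "symbol" is any non-alphanumeric, non-whitespace character, "non-western alphanumeric" means a non-ASCII letter or digit, and a "sequence" is four consecutive code points in ascending or descending order. The function names and the sample passwords are hypothetical.

```python
import re

# Constructed for this example: the forbidden-word list quoted in comment #15.
FORBIDDEN_WORDS = ("OSD", "Host", "Dashboard", "Pool", "Block", "NFS", "ceph",
                   "Monitors", "Gateway", "Logs", "CRUSH", "maps")
MIN_CREDITS = 10  # minimum rating from comment #15


def _has_repeated_run(password, run_len=3):
    """True if any character occurs run_len or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (run_len - 1), password) is not None


def _has_sequence(password, seq_len=4):
    """True if seq_len consecutive code points ascend or descend by one
    ('1234', 'abcd', 'dcba'). Assumption: the comment only gives '1234'."""
    for i in range(len(password) - seq_len + 1):
        window = password[i:i + seq_len]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_credits(password):
    """Credit system from comment #15: +1 per character, +2 mixed case,
    +1 digits, +3 symbols, +5 non-western alphanumerics."""
    credits = len(password)
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        credits += 2
    if any(c.isdigit() for c in password):
        credits += 1
    # Assumption: a symbol is anything that is neither alphanumeric nor whitespace.
    if any(not c.isalnum() and not c.isspace() for c in password):
        credits += 3
    # Assumption: non-western alphanumeric = non-ASCII letter or digit.
    if any(ord(c) > 127 and c.isalnum() for c in password):
        credits += 5
    return credits


def check_password(password, username, old_password=None):
    """Return the list of violated rules; an empty list means the password
    is acceptable under the comment #15 policy."""
    problems = []
    lowered = password.lower()
    # Assumption: username and forbidden-word matching is case-insensitive.
    if username and username.lower() in lowered:
        problems.append("contains username")
    for word in FORBIDDEN_WORDS:
        if word.lower() in lowered:
            problems.append("contains forbidden word %r" % word)
    if old_password is not None and password == old_password:
        problems.append("same as previous password")
    if _has_repeated_run(password):
        problems.append("three or more identical consecutive characters")
    if _has_sequence(password):
        problems.append("contains sequential characters")
    credits = password_credits(password)
    if credits < MIN_CREDITS:
        problems.append("only %d credits, need %d" % (credits, MIN_CREDITS))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Tr0ub4dor&", "admin1234", "MyCephPass9!", "Ab1!"):
        print(pw, password_credits(pw), check_password(pw, "admin") or "ok")
```

Two things worth noticing when running this. The credit rule rewards length only linearly, so a four-character password such as "Ab1!" already reaches 10 credits and passes every rule above; that is why a separate minimum length (tracked in #41789) still matters. And because the dashboard's Angular frontend can be bypassed by calling the REST API directly, a policy like this only counts if the mgr module enforces it server-side, not just in the form validation.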

#16 Updated by Stephan Müller almost 2 years ago

  • Related to Feature #41789: mgr/dashboard: Passwords have a minimum length added

#17 Updated by Nathan Cutler almost 2 years ago

  • Status changed from Fix Under Review to New
  • Pull request ID deleted (29312)

#18 Updated by Nathan Cutler almost 2 years ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 29532

#19 Updated by Lenz Grimmer over 1 year ago

  • Status changed from Fix Under Review to Resolved

Thanks a lot for your contribution, Elżbieta!

#20 Updated by Lenz Grimmer over 1 year ago

  • Related to Documentation #42165: mgr/dashboard: Document new password requirements in the installation documentation added

#21 Updated by Ernesto Puerta 11 months ago

  • Status changed from Resolved to Pending Backport
  • Backport set to nautilus

#22 Updated by Ernesto Puerta 11 months ago

  • Copied to Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) added

#23 Updated by Ernesto Puerta 9 months ago

  • Status changed from Pending Backport to Closed
  • Backport deleted (nautilus)

For a clean/safe backport it requires more than 11 additional PRs.

Closing.

#24 Updated by Ernesto Puerta 9 months ago

  • Parent task set to #47765

#25 Updated by Ernesto Puerta 2 months ago

  • Project changed from mgr to Dashboard
  • Category changed from dashboard/usermgmt to Component - Users & Roles
