Feature #25232

mgr/dashboard: Support minimum password complexity rules

Added by Paul Cuzner about 2 years ago. Updated 4 days ago.

Status: Closed
Priority: Normal
Category: dashboard/usermgmt
Target version:
% Done: 0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

For local accounts, passwords should adhere to some basic complexity rules.

Suggested rules:
- at least 6 chars in length
- must not be the same as the user account name
- consist of characters from the following groups
  - alphabetic a-z, A-Z
  - numbers 0-9
  - special chars: !_@
- must use at least 1 special char


Related issues

Related to mgr - Feature #40248: mgr/dashboard: As a user, I want to change my password Closed
Related to mgr - Feature #25229: mgr/dashboard: Provide user enable/disable capability Closed
Related to mgr - Feature #24655: mgr/dashboard: Enforce password change upon first login Closed
Related to mgr - Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password Closed
Related to mgr - Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts New 05/22/2019
Related to mgr - Feature #41789: mgr/dashboard: Passwords have a minimum length Closed 09/12/2019
Related to mgr - Documentation #42165: mgr/dashboard: Document new password requirements in the installation documentation New 10/02/2019
Copied to mgr - Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) Rejected

History

#1 Updated by Lenz Grimmer about 2 years ago

  • Subject changed from mgr/dashboard support minimum password complexity rules to mgr/dashboard: Support minimum password complexity rules

#2 Updated by Lenz Grimmer about 2 years ago

  • Category changed from dashboard/general to dashboard/usermgmt

#3 Updated by Lenz Grimmer over 1 year ago

  • Tags set to security
  • Target version deleted (v14.0.0)
  • Tags deleted (dashboard, user)

#4 Updated by Elzbieta Dziomdziora over 1 year ago

  • Assignee set to Elzbieta Dziomdziora

#5 Updated by Elzbieta Dziomdziora over 1 year ago

  • Status changed from New to In Progress

#6 Updated by Elzbieta Dziomdziora over 1 year ago

  • Status changed from In Progress to Fix Under Review
  • Pull request ID set to 28693

#7 Updated by Elzbieta Dziomdziora over 1 year ago

  • Pull request ID changed from 28693 to 28694

#8 Updated by Lenz Grimmer about 1 year ago

  • Target version set to v15.0.0

#9 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added

#10 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added

#11 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #24655: mgr/dashboard: Enforce password change upon first login added

#12 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added

#13 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added

#14 Updated by Elzbieta Dziomdziora about 1 year ago

  • Pull request ID changed from 28694 to 29312

#15 Updated by Elzbieta Dziomdziora about 1 year ago

According to the conversation in PR28694 https://github.com/ceph/ceph/pull/28694 there are required rules:

- Checks if it contains the username
- Checks if it doesn't contain forbidden words (list of forbidden words: OSD, Host, Dashboard, Pool, Block, NFS, ceph, Monitors, Gateway, Logs, CRUSH, maps) <- maybe someone can add some words to the list.
- Checks if the password is the same as the previous one
- Checks if it has repetitive characters (three or more identical characters next to each other)
- Checks if the password contains sequential characters ("1234")

Except for that there is a credit system:

- Every password needs to get a min rate of 10 credits.
- For every character length a password gets +1 credit.
- For having mixed upper & lowercase letters +2 credits.
- For having numbers +1
- For having symbols +3
- For having non-western alphanumeric chars +5 credits
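
Added example, not part of the comment above and not the code merged into Ceph: a Python implementation of the checks and the credit system listed in comment #15. The function names, the case-insensitive matching, the four-character ascending-run test for sequences, and treating non-ASCII alphanumerics as "non-western" are assumptions.

```python
import re

# Forbidden words as listed in comment #15 (compared case-insensitively: assumption).
FORBIDDEN_WORDS = ["osd", "host", "dashboard", "pool", "block", "nfs",
                   "ceph", "monitors", "gateway", "logs", "crush", "maps"]
MIN_CREDITS = 10  # minimum rating named in the comment


def credits(password):
    """Score a password with the credit system from comment #15."""
    score = len(password)                          # +1 per character
    if re.search(r"[a-z]", password) and re.search(r"[A-Z]", password):
        score += 2                                 # mixed upper and lower case
    if re.search(r"[0-9]", password):
        score += 1                                 # numbers
    if re.search(r"[!-/:-@\[-`{-~]", password):
        score += 3                                 # ASCII punctuation as "symbols"
    if any(ord(c) > 127 and c.isalnum() for c in password):
        score += 5                                 # assumption: non-ASCII alphanumerics
    return score


def has_sequence(password, run=4):
    """True if `run` adjacent code points ascend by one, e.g. "1234" (assumed rule)."""
    codes = [ord(c) for c in password]
    return any(all(codes[i + j + 1] - codes[i + j] == 1 for j in range(run - 1))
               for i in range(len(codes) - run + 1))


def violations(password, username, old_password=None):
    """Return the names of the failed rules; an empty list means accepted."""
    failed = []
    lowered = password.lower()
    if username and username.lower() in lowered:
        failed.append("contains username")
    if any(word in lowered for word in FORBIDDEN_WORDS):
        failed.append("contains forbidden word")
    if old_password is not None and password == old_password:
        failed.append("same as previous password")
    if re.search(r"(.)\1\1", password):            # three identical characters in a row
        failed.append("repetitive characters")
    if has_sequence(password):
        failed.append("sequential characters")
    if credits(password) < MIN_CREDITS:
        failed.append("fewer than %d credits" % MIN_CREDITS)
    return failed
```

Returning every failed rule rather than stopping at the first lets a form show the user everything that needs fixing in one pass.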

#16 Updated by Stephan Müller about 1 year ago

  • Related to Feature #41789: mgr/dashboard: Passwords have a minimum length added

#17 Updated by Nathan Cutler about 1 year ago

  • Status changed from Fix Under Review to New
  • Pull request ID deleted (29312)

#18 Updated by Nathan Cutler about 1 year ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 29532

#19 Updated by Lenz Grimmer 12 months ago

  • Status changed from Fix Under Review to Resolved

Thanks a lot for your contribution, Elżbieta!

#20 Updated by Lenz Grimmer 12 months ago

  • Related to Documentation #42165: mgr/dashboard: Document new password requirements in the installation documentation added

#21 Updated by Ernesto Puerta about 2 months ago

  • Status changed from Resolved to Pending Backport
  • Backport set to nautilus

#22 Updated by Ernesto Puerta about 2 months ago

  • Copied to Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) added

#23 Updated by Ernesto Puerta 4 days ago

  • Status changed from Pending Backport to Closed
  • Backport deleted (nautilus)

For clean/safe backport it requires more than 11 additional PRs

Closing.
