Feature #40914
Feature #40907: mgr/dashboard: REST API improvements
mgr/dashboard: REST API: security
0%
Description
The following measures should be implemented:
- Failed login limit (after that, the user will be disabled).
- Rate limiting: per-user/token.
- Cache-control private for every response containing personal sensitive information.
Related issues
History
#1 Updated by anurag bandhu almost 4 years ago
- Assignee set to anurag bandhu
#2 Updated by Lenz Grimmer almost 4 years ago
- Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added
#3 Updated by Lenz Grimmer almost 4 years ago
Per our conversation during today's standup, let's split this issue up by moving "Rate limiting: per-user/token" and "Cache-control private for every response containing personal sensitive information" into separate issues and keep the focus of this issue on the limiting failed logins. However, I wonder if this isn't captured in #39999 already?
#4 Updated by Ernesto Puerta over 3 years ago
- Tags set to security
#5 Updated by Ernesto Puerta over 3 years ago
- Blocks Feature #47765: mgr/dashboard: security improvements added
#6 Updated by Aashish Sharma over 3 years ago
- Assignee changed from anurag bandhu to Aashish Sharma
#7 Updated by Aashish Sharma over 3 years ago
- Pull request ID set to 37912
#8 Updated by Aashish Sharma over 3 years ago
- Status changed from New to Fix Under Review
#9 Updated by Nizamudeen A over 3 years ago
- Assignee changed from Aashish Sharma to Nizamudeen A
- Pull request ID changed from 37912 to 38316
#10 Updated by Avan Thakkar over 3 years ago
- Status changed from Fix Under Review to Resolved
#11 Updated by Nizamudeen A about 3 years ago
- Status changed from Resolved to Pending Backport
- Backport set to octopus, nautilus
#12 Updated by Backport Bot about 3 years ago
- Copied to Backport #48794: octopus: mgr/dashboard: REST API: security added
#13 Updated by Backport Bot about 3 years ago
- Copied to Backport #48795: nautilus: mgr/dashboard: REST API: security added
#15 Updated by Nizamudeen A about 3 years ago
- Backport changed from octopus, nautilus to octopus
#16 Updated by Nathan Cutler about 3 years ago
- Backport changed from octopus to nautilus, octopus
Re-adding nautilus to backport field because, without it, the presence of the rejected nautilus backport issue causes the "backport-create-issue" script to complain:
ERROR:root:https://tracker.ceph.com/issues/40914 has more backport issues (,nautilus,octopus) than expected (octopus)
#18 Updated by Nathan Cutler about 3 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
#19 Updated by Ernesto Puerta almost 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 146 to General - Back-end