Project

General

Profile

Feature #40914

Feature #40907: mgr/dashboard: REST API improvements

mgr/dashboard: REST API: security

Added by Ernesto Puerta over 4 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
General - Back-end
Target version:
-
% Done:

0%

Source:
Tags:
security
Backport:
nautilus, octopus
Reviewed:
Affected Versions:
Pull request ID:

Description

The following measures should be implemented:
- Failed login limit (after that, the user will be disabled).
- Rate limiting: per-user/token.
- Cache-control private for every response containing personal sensitive information.


Related issues

Related to Dashboard - Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts Resolved
Blocks Dashboard - Feature #47765: mgr/dashboard: security improvements New
Copied to Dashboard - Backport #48794: octopus: mgr/dashboard: REST API: security Resolved
Copied to Dashboard - Backport #48795: nautilus: mgr/dashboard: REST API: security Rejected

History

#1 Updated by anurag bandhu almost 4 years ago

  • Assignee set to anurag bandhu

#2 Updated by Lenz Grimmer almost 4 years ago

  • Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added

#3 Updated by Lenz Grimmer almost 4 years ago

Per our conversation during today's standup, let's split this issue up by moving "Rate limiting: per-user/token" and "Cache-control private for every response containing personal sensitive information" into separate issues and keep the focus of this issue on the limiting failed logins. However, I wonder if this isn't captured in #39999 already?

#4 Updated by Ernesto Puerta over 3 years ago

  • Tags set to security

#5 Updated by Ernesto Puerta over 3 years ago

#6 Updated by Aashish Sharma over 3 years ago

  • Assignee changed from anurag bandhu to Aashish Sharma

#7 Updated by Aashish Sharma over 3 years ago

  • Pull request ID set to 37912

#8 Updated by Aashish Sharma over 3 years ago

  • Status changed from New to Fix Under Review

#9 Updated by Nizamudeen A over 3 years ago

  • Assignee changed from Aashish Sharma to Nizamudeen A
  • Pull request ID changed from 37912 to 38316

#10 Updated by Avan Thakkar over 3 years ago

  • Status changed from Fix Under Review to Resolved

#11 Updated by Nizamudeen A about 3 years ago

  • Status changed from Resolved to Pending Backport
  • Backport set to octopus, nautilus

#12 Updated by Backport Bot about 3 years ago

  • Copied to Backport #48794: octopus: mgr/dashboard: REST API: security added

#13 Updated by Backport Bot about 3 years ago

  • Copied to Backport #48795: nautilus: mgr/dashboard: REST API: security added

#15 Updated by Nizamudeen A about 3 years ago

  • Backport changed from octopus, nautilus to octopus

#16 Updated by Nathan Cutler about 3 years ago

  • Backport changed from octopus to nautilus, octopus

Re-adding nautilus to backport field because, without it, the presence of the rejected nautilus backport issue causes the "backport-create-issue" script to complain:

ERROR:root:https://tracker.ceph.com/issues/40914 has more backport issues (,nautilus,octopus) than     expected (octopus)

#18 Updated by Nathan Cutler about 3 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".

#19 Updated by Ernesto Puerta almost 3 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 146 to General - Back-end

Also available in: Atom PDF