-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73898/#review224155
-----------------------------------------------------------



This approach seems to use in-memory tracking of failed login attempts; would 
this work when multiple instances of Ranger are deployed for HA? Ranger records 
all login attempts in the x_auth_sess table. Consider querying this table to get 
the count of failed login attempts in the past n minutes, instead of using the 
in-memory approach.

  SELECT count(1) FROM XXAuthSession obj
   WHERE obj.loginId = :loginId
     AND obj.createTime > :authnWindowStartTime
     AND obj.authStatus != 1

- Madhan Neethiraj


On March 11, 2022, 11:44 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73898/
> -----------------------------------------------------------
> 
> (Updated March 11, 2022, 11:44 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Abhay Kulkarni, Madhan Neethiraj, 
> and Pradeep Agrawal.
> 
> 
> Bugs: RANGER-2362
>     https://issues.apache.org/jira/browse/RANGER-2362
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2362
> 
> 
> Here is a simple demo code for discussion.
> 
> Hard-coded:
> we limit 3 failures per 30 minutes. A successful login will reset the counter.
> 
> 
> BTW: I think the code of RangerAuthenticationProvider is a bit anti-pattern.
> 
> 1. We new RangerAuthenticationProvider each time a user logs in. It is 
> unreasonable; it should be a bean.
> 
> see RangerKRBAuthenticationFilter.java and RangerSSOAuthenticationFilter.java
> 
> 2. We new Jdbc/AD/Ldap/Pam authentication providers in 
> RangerAuthenticationProvider each time a user logs in.
> 
> 3. The member 'private LdapAuthenticator authenticator' seems useless
> 
> 4. The RangerAuthenticationProvider seems like it should be replaced with 
> ProviderManager or something like Spring configuration.
> 
> 
> Diffs
> -----
> 
>   pom.xml 49a06411d0c5421a5abb33c9d32ea13e38655deb 
>   security-admin/pom.xml a2060e1c204f0399f39a79cb56280f6d09325e3a 
>   
> security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
>  8f7abbe7df3d0344c7b5b1af89f7322d82a0d238 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
>  52cf17ae191f8ac35710083dfcd257b8962d2d7f 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerLoginAttemptRateLimiter.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/73898/diff/1/
> 
> 
> Testing
> -------
> 
> Self tested
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
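As an added illustration of the table-backed check suggested in the review (example code written for this page, not Ranger's code and not from either participant), the script below models the x_auth_sess lookup with sqlite3. It assumes column names login_id, create_time and auth_status (taken from the JPQL field names), assumes auth_status 1 means success (the `!= 1` test above implies that), and uses two connections to one database file to stand in for two HA instances. It also shows a second form of the count that only looks at failures newer than the latest successful login, which is what "a successful login will reset the counter" in the request means; the plain in-window count would still lock a user out after a good login.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta

# Policy numbers follow the review request: 3 failures per 30 minutes.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=30)
AUTH_STATUS_SUCCESS = 1  # assumption: "authStatus != 1" in the review means 1 == success
AUTH_STATUS_FAILED = 2   # assumption: any value other than 1 counts as a failure

# One database file shared by every "instance"; each instance gets its own connection.
DB_PATH = os.path.join(tempfile.mkdtemp(prefix="x_auth_sess_demo_"), "ranger_demo.db")


def connect() -> sqlite3.Connection:
    """Open a connection for one admin instance; create the stand-in table on first use."""
    conn = sqlite3.connect(DB_PATH)
    conn.execute("""CREATE TABLE IF NOT EXISTS x_auth_sess (
        id          INTEGER PRIMARY KEY AUTOINCREMENT,
        login_id    TEXT    NOT NULL,
        create_time TEXT    NOT NULL,   -- fixed-width timestamp, so string order == time order
        auth_status INTEGER NOT NULL)""")
    conn.commit()
    return conn


def ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%d %H:%M:%S")


def record_attempt(conn, login_id: str, when: datetime, status: int) -> None:
    conn.execute("INSERT INTO x_auth_sess (login_id, create_time, auth_status) VALUES (?, ?, ?)",
                 (login_id, ts(when), status))
    conn.commit()


def failures_in_window(conn, login_id: str, now: datetime) -> int:
    """The count from the review: non-success rows for login_id newer than now - WINDOW."""
    (n,) = conn.execute(
        """SELECT count(1) FROM x_auth_sess
            WHERE login_id = ? AND create_time > ? AND auth_status != ?""",
        (login_id, ts(now - WINDOW), AUTH_STATUS_SUCCESS)).fetchone()
    return n


def failures_since_last_success(conn, login_id: str, now: datetime) -> int:
    """Same count, but failures older than the latest successful login are ignored,
    which implements 'a successful login resets the counter'."""
    (n,) = conn.execute(
        """SELECT count(1) FROM x_auth_sess
            WHERE login_id = ? AND create_time > ? AND auth_status != ?
              AND create_time > COALESCE(
                    (SELECT max(create_time) FROM x_auth_sess
                      WHERE login_id = ? AND auth_status = ?), '')""",
        (login_id, ts(now - WINDOW), AUTH_STATUS_SUCCESS,
         login_id, AUTH_STATUS_SUCCESS)).fetchone()
    return n


def is_locked_out(conn, login_id: str, now: datetime) -> bool:
    return failures_since_last_success(conn, login_id, now) >= MAX_FAILURES


def demo() -> dict:
    """Constructed scenario: attempts land on node A, decisions are made on node B."""
    node_a, node_b = connect(), connect()
    node_a.execute("DELETE FROM x_auth_sess")
    node_a.commit()
    t0 = datetime(2022, 3, 11, 11, 0, 0)
    out = {}

    # Three wrong passwords for 'alice' at minutes 0, 1, 2, all handled by node A.
    for i in range(3):
        record_attempt(node_a, "alice", t0 + timedelta(minutes=i), AUTH_STATUS_FAILED)
    # Node B never saw them, yet refuses the next attempt because the rows are in the DB.
    out["locked_on_other_node"] = is_locked_out(node_b, "alice", t0 + timedelta(minutes=3))
    # 31 minutes after the first failure only the minute-2 row is inside the window.
    out["locked_after_window"] = is_locked_out(node_b, "alice", t0 + timedelta(minutes=31))

    # 'bob': two failures, a real login, then one more failure, all within the window.
    for i in range(2):
        record_attempt(node_a, "bob", t0 + timedelta(minutes=i), AUTH_STATUS_FAILED)
    record_attempt(node_a, "bob", t0 + timedelta(minutes=2), AUTH_STATUS_SUCCESS)
    record_attempt(node_b, "bob", t0 + timedelta(minutes=3), AUTH_STATUS_FAILED)
    now = t0 + timedelta(minutes=4)
    out["bob_window_count"] = failures_in_window(node_b, "bob", now)            # 3
    out["bob_since_success"] = failures_since_last_success(node_b, "bob", now)  # 1
    out["bob_locked"] = is_locked_out(node_a, "bob", now)
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would still raise against either query: the check is read-then-insert, so several in-flight attempts spread across instances can all pass the count before any of their failure rows are written (the threshold is approximate under load, not exact), and every login now costs a database round trip, which matters if the table is not indexed on (login_id, create_time).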
