Add constraints on invalid password attempts #3573
using UserPasswordMap = std::unordered_map<std::string, std::string>; | ||
// Mapping of user name and remaining wrong password attempts | ||
using UserPasswordAttemptsRemain = std::unordered_map<std::string, uint32>; | ||
// Mapping of user name and the timestamp when the account is locked | ||
using UserLoginLockTime = std::unordered_map<std::string, uint32>; | ||
|
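Review bot: the two writable maps introduced here, UserPasswordAttemptsRemain and UserLoginLockTime, are mutated on every failed login and read on every login, so the code that owns them needs a mutex (or a comment stating which existing lock guards them); unlike UserPasswordMap they cannot live in a read-only thread-local cache. The value type of UserLoginLockTime is a bare uint32 with no unit in the comment; suggest "// Mapping of user name and the unix time (seconds) when the account was locked" so the expiry check against password_lock_time_in_secs is unambiguous, and note that a 32-bit seconds value wraps in 2106.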
Could these 3 maps be merged into one map? e.g. std::unordered_map<std::string, PassInfo>.
I've considered this, but UserPasswordMap is used in the localThreadCache as a read-only object, and the other two objects require both read and write. I believe we could keep it like this for now.
LGTM
LGTM
Which issue(s)/PR(s) this PR relates to?
Close #2442
Special notes for your reviewer, ex. impact of this fix, etc:
Introducing 2 new gflags:
failed_login_attempts: how many consecutive incorrect passwords input to a SINGLE graph service node cause the account to become locked. Please note that this flag functions on a SINGLE graph node; for example, if there are 3 graph nodes and each node has failed_login_attempts set to 3, this allows a user to input an invalid password a total of 9 times (3 times per node).
password_lock_time_in_secs: how long to lock the account after too many consecutive login attempts provide an incorrect password.
By default, both gflags have a value of 0, which means there is no limitation on login attempts.
For now, these configs apply to all users rather than being bound to a specific user.
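The per-node lockout semantics described above (a counter per graph node, lock for password_lock_time_in_secs once failed_login_attempts consecutive failures occur, 0 meaning no limit), as an added example that is not the project's own code. It assumes the two flag values are injected through a constructor rather than read from gflags, that timestamps are unix seconds, and it reads "either flag 0" as "lockout disabled"; the NodeLoginLimiter class, its method names, the sample users and the fixed timestamp are all constructed for this illustration.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>
#include <vector>

// Added illustration of the per-node lockout policy; not the project's code.
// Flag values are injected through the constructor instead of being read from
// gflags (assumption), and timestamps are plain unix seconds (assumption).
using UserPasswordMap = std::unordered_map<std::string, std::string>;

class NodeLoginLimiter {
 public:
  NodeLoginLimiter(uint32_t failedLoginAttempts, uint32_t passwordLockTimeInSecs)
      : failedLoginAttempts_(failedLoginAttempts),
        passwordLockTimeInSecs_(passwordLockTimeInSecs) {}

  // Both flags default to 0, described in the PR as "no limitation"; treating
  // either zero as "disabled" is this example's reading of that (assumption).
  bool enabled() const {
    return failedLoginAttempts_ > 0 && passwordLockTimeInSecs_ > 0;
  }

  // True while the user's lock has not yet expired at time `now`.
  bool isLocked(const std::string& user, uint32_t now) {
    if (!enabled()) return false;
    auto it = lockTime_.find(user);
    if (it == lockTime_.end()) return false;
    // Unsigned subtraction: if the clock moved backwards the difference wraps
    // to a large value and the lock is treated as expired, not permanent.
    if (now - it->second < passwordLockTimeInSecs_) return true;
    lockTime_.erase(it);          // lock expired: forget it and
    attemptsRemain_.erase(user);  // give the user a fresh attempt budget
    return false;
  }

  // One login on this node. Returns true only when the password matches and
  // the account is not locked; a correct password does not bypass a lock.
  bool authenticate(const UserPasswordMap& passwords, const std::string& user,
                    const std::string& password, uint32_t now) {
    if (isLocked(user, now)) return false;  // locked: counters untouched
    auto it = passwords.find(user);
    bool ok = it != passwords.end() && it->second == password;
    if (ok) {
      attemptsRemain_.erase(user);  // success resets the consecutive-failure count
      lockTime_.erase(user);
      return true;
    }
    recordFailure(user, now);
    return false;
  }

  uint32_t attemptsRemaining(const std::string& user) const {
    auto it = attemptsRemain_.find(user);
    return it == attemptsRemain_.end() ? failedLoginAttempts_ : it->second;
  }

 private:
  // Decrements the user's budget and locks the account when it reaches 0.
  void recordFailure(const std::string& user, uint32_t now) {
    if (!enabled()) return;
    // emplace leaves an existing entry untouched, so the budget is only
    // initialised on the first failure.
    uint32_t& remain = attemptsRemain_.emplace(user, failedLoginAttempts_).first->second;
    if (remain > 0) --remain;
    if (remain == 0) lockTime_[user] = now;
  }

  uint32_t failedLoginAttempts_;
  uint32_t passwordLockTimeInSecs_;
  std::unordered_map<std::string, uint32_t> attemptsRemain_;  // remaining wrong attempts
  std::unordered_map<std::string, uint32_t> lockTime_;        // unix seconds when locked
};

// Reproduces the PR's worked example: `nodes` independent graph nodes, each
// with its own counter. Counts how many wrong-password attempts a client can
// spread round-robin over the nodes before every node reports the account
// locked (capped at 1000 rounds so a disabled limiter still terminates).
int wrongAttemptsUntilAllNodesLocked(int nodes, uint32_t failedLoginAttempts,
                                     uint32_t lockSecs) {
  const UserPasswordMap passwords = {{"alice", "correct-horse"}};  // constructed sample
  std::vector<NodeLoginLimiter> cluster(nodes, NodeLoginLimiter(failedLoginAttempts, lockSecs));
  const uint32_t now = 1700000000u;  // constructed fixed timestamp
  int attempts = 0;
  for (int round = 0; round < 1000; ++round) {
    bool anyOpen = false;
    for (auto& node : cluster) {
      if (node.isLocked("alice", now)) continue;
      anyOpen = true;
      node.authenticate(passwords, "alice", "wrong", now);
      ++attempts;
    }
    if (!anyOpen) return attempts;
  }
  return attempts;
}
```

With three nodes and failed_login_attempts set to 3, wrongAttemptsUntilAllNodesLocked(3, 3, 60) returns 9, which is the 3-per-node budget the PR description points out; a cluster-wide limit would need the two writable maps shared (or replicated) across graph nodes rather than kept per process.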