
Accounts, Domains, and Admin explained

1) Purpose:

CloudStack currently does not check the number of login attempts made by a user. A user can keep trying to log in to CloudStack without ever being disabled.

CS-10219 has been reported, which talks about limiting the login attempts of CloudStack users.

2) Domains, Accounts and Users:

CloudStack has a tiered structure of Domains, Accounts and Users. A Domain can have multiple Accounts, and an Account can have multiple Users. The first Domain created by default is the ROOT Domain. The ROOT Domain has a default Account named admin. This is the ROOT admin.

For each account created in CloudStack there is also a corresponding User created. Hence the ROOT domain will also have a User called admin.

For more refer

3) Restricting Login Attempts:

The global setting incorrect.login.attempts.allowed has a default value of 5, which can be changed to any positive integer.

Except for the ROOT admin User and the System User, every User can be disabled when the number of incorrect login attempts equals incorrect.login.attempts.allowed.

4) Functionality:

  • Every new User is created with login_attempts set to 0.
  • This value is incremented by 1 whenever a login is incorrect. A check is then done on login_attempts < incorrect.login.attempts.allowed.
  • Whenever the above condition fails, the User is disabled. If, however, the User makes a successful login at any point, login_attempts resets to 0.
  • A disabled User can be enabled by the ROOT admin. Whenever a User is enabled, login_attempts resets to 0.
  • The ROOT admin can't be disabled; he/she can enable a disabled User.
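
The rules above, modelled as a small state machine. This is an added example, not CloudStack's own code: the `User` class, its `role` field, and the `login` and `enable` functions are hypothetical names, the password is held in plaintext only to keep the model short, and it assumes that failed logins by the exempt ROOT admin and System Users are not counted.

```python
import hmac
from dataclasses import dataclass

ALLOWED = 5  # the page's default for incorrect.login.attempts.allowed


@dataclass
class User:
    name: str
    password: str            # plaintext only for this model
    role: str = "user"       # "user", "root_admin" or "system" (assumed labels)
    enabled: bool = True
    login_attempts: int = 0  # every new User starts at 0

    @property
    def exempt(self) -> bool:
        # ROOT admin User and System User are never disabled.
        return self.role in ("root_admin", "system")


def login(user: User, password: str, allowed: int = ALLOWED) -> bool:
    """Return True on a successful login and apply the counter rules."""
    if not user.enabled:
        return False  # a disabled User stays locked out, even with the right password
    if hmac.compare_digest(password.encode(), user.password.encode()):
        user.login_attempts = 0  # success resets the counter
        return True
    if user.exempt:
        return False  # assumption: exempt Users are not counted
    user.login_attempts += 1
    # Disable once "login_attempts < allowed" no longer holds.
    if not (user.login_attempts < allowed):
        user.enabled = False
    return False


def enable(actor: User, target: User) -> None:
    """Only the ROOT admin can re-enable a User; doing so resets the counter."""
    if actor.role != "root_admin":
        raise PermissionError("only the ROOT admin can enable a User")
    target.enabled = True
    target.login_attempts = 0


if __name__ == "__main__":
    root = User("admin", "rootpw", role="root_admin")  # constructed sample data
    alice = User("alice", "s3cret")
    for attempt in range(1, ALLOWED + 1):
        login(alice, "wrong")
        print(attempt, alice.login_attempts, alice.enabled)
    enable(root, alice)
    print("re-enabled:", alice.enabled, alice.login_attempts)
```

With the default of 5, the fifth consecutive incorrect login disables the User, and a correct password afterwards is still rejected until the ROOT admin enables the User again.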

5) Future Scope:

  • Track failed logins across multiple usernames.