HUE-2014 [core] Lock Hue for nth failed log-in attempts for a user

Review Request #4260 — Created March 18, 2014 and updated

enricoberti, romain
commit 000f45f888bd81698d55b3940c8729fab338b223
Author: Abraham Elmahrek <>
Date:   Tue Mar 4 14:02:25 2014 -0800

    HUE-2014 [core] Lock Hue for nth failed log-in attempts for a user
    Lock users out after 'nth' attempt per username per session.
    This means that every new user will have 'n' attempts per username.
    Provide a switch for locking superusers out.

:100644 100644 7e2d1a1... 76cee4c... M	desktop/conf.dist/hue.ini
:100644 100644 58ab0ec... 12666ed... M	desktop/conf/pseudo-distributed.ini.tmpl
:100644 100644 6d82d7f... 91505e8... M	desktop/core/src/desktop/auth/
:100644 100644 0c56c6c... af5756e... M	desktop/core/src/desktop/auth/
:100644 100644 336713e... cf204ed... M	desktop/core/src/desktop/
Provided new tests to verify this.
  1. Nice! Just wondering about the end user XP?
  2. desktop/core/src/desktop/auth/ (Diff revision 1)
    I think we should delete the key on success if there is one?
  3. desktop/core/src/desktop/auth/ (Diff revision 1)
    Are we showing back something to the user?
    A 301 could be nice; that way the navigator can catch it?
Review request changed
  2. desktop/core/src/desktop/auth/ (Diff revision 2)
    I was looking at some middlewares or apps that do this; in their logic they also check for the IP, so that way I can't have you blocked if I know your username. Do we do something like that (ideally stick to one anonymous session per user)?
    1. They do it by IP address so that they simply don't clear their session and retry. I wanted to avoid this for now as it would require database changes. It's definitely a possibility though.
  3. desktop/core/src/desktop/templates/login.mako (Diff revision 2)
    Do we still display that if needed? (the login page is getting complicated)
    1. There's a condition above this one that will display the errors only if the form has errors.
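
The keying choices discussed in this thread, as an added example that is not part of the review request or of Hue's code: a minimal in-memory failed-login counter that deletes its key on success and has a superuser switch, run with three different keys (per session, per IP, per username only). Every name (`LoginLockout`, `attempt`, `passwords_checked`, `owner_can_log_in`) is hypothetical and the sample attempts are constructed.

```python
from collections import Counter


class LoginLockout:
    """Failed-login counter keyed by (scope, username); every name here is hypothetical."""

    def __init__(self, max_attempts=3, lock_superusers=False):
        self.max_attempts = max_attempts        # the 'n' from the commit message
        self.lock_superusers = lock_superusers  # switch for locking superusers out
        self.failures = Counter()

    def is_locked(self, scope, username, is_superuser=False):
        if is_superuser and not self.lock_superusers:
            return False
        return self.failures[(scope, username)] >= self.max_attempts

    def attempt(self, scope, username, password_ok, is_superuser=False):
        """Return 'locked', 'ok' or 'failed' for one log-in attempt."""
        if self.is_locked(scope, username, is_superuser):
            return "locked"  # refused before the password is considered
        if password_ok:
            self.failures.pop((scope, username), None)  # delete the key on success
            return "ok"
        self.failures[(scope, username)] += 1
        return "failed"


# Constructed sample: nine wrong passwords for "alice" from one address, with a
# new session id after every third try. "any" models a key on the username alone.
ATTEMPTS = [{"ip": "192.0.2.10", "session": f"s{i // 3}", "any": "*", "user": "alice"}
            for i in range(9)]
# Constructed scope values for the account owner's own later log-in.
OWNER = {"ip": "198.51.100.7", "session": "owner-session", "any": "*"}


def passwords_checked(scope_key):
    """Count the sample attempts that reached the password check for this key."""
    lockout = LoginLockout(max_attempts=3)
    results = [lockout.attempt(a[scope_key], a["user"], False) for a in ATTEMPTS]
    return results.count("failed")


def owner_can_log_in(scope_key):
    """Result of the owner's correct log-in after the sample failures."""
    lockout = LoginLockout(max_attempts=3)
    for a in ATTEMPTS:
        lockout.attempt(a[scope_key], a["user"], False)
    return lockout.attempt(OWNER[scope_key], "alice", True)
```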