

Password Policies in the Denodo Platform and Solution Manager

When you create a user account or change the password of an existing account, the password has to meet these policies:

  • Minimum length: eight characters or more.

  • Complexity requirements:

    • At least: one uppercase and one lowercase character, one digit and one symbol.

    • It cannot contain the same character repeated consecutively more than three times (e.g. “aaaaaa”).

  • It cannot contain more than three consecutive digits in ascending or descending order (e.g. “123” or “9876”).

  • It cannot contain the login name.

  • Users cannot reuse the same password they used the last three times they changed the password.
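The complexity rules above, implemented as a checker that reports every rule a candidate password violates. This is an added example, not code from the Denodo documentation; it assumes "symbol" means ASCII punctuation, that the login-name match is case-insensitive, and that a run of four or more repeated or sequential digits is what "more than three" rejects. The password-history rule (last three passwords) is not modelled because it needs stored history.

```python
import string

SYMBOLS = set(string.punctuation)  # assumption: "symbol" means ASCII punctuation


def _max_repeat_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def _max_sequential_digit_run(s: str) -> int:
    """Length of the longest run of digits stepping by +1 (ascending) or -1 (descending)."""
    best = run = 1
    prev_step = 0
    for a, b in zip(s, s[1:]):
        step = int(b) - int(a) if a.isdigit() and b.isdigit() else 0
        if step in (1, -1) and (run == 1 or step == prev_step):
            run += 1  # continues the current ascending/descending run
        elif step in (1, -1):
            run = 2   # direction changed: this pair starts a new run
        else:
            run = 1
        prev_step = step
        best = max(best, run)
    return best


def check_password(password: str, login: str) -> list[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if _max_repeat_run(password) > 3:
        problems.append("same character repeated more than three times in a row")
    if _max_sequential_digit_run(password) > 3:
        problems.append("more than three consecutive ascending or descending digits")
    if login and login.lower() in password.lower():  # assumption: case-insensitive match
        problems.append("contains the login name")
    return problems
```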

These policies affect all the modules of the Denodo Platform and the Solution Manager, including the password to access the configuration area of these modules:

  • Data Catalog: https://denodo-server.acme.com:9443/denodo-data-catalog/#/web-local-login

  • Design Studio: https://denodo-solution-manager.acme.com:19443/denodo-design-studio/#/web-local-login

  • Scheduler:

    • https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/#/web-local-login

    • https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/?auth=login/#/local-login

Important

Read the section Important Notes at the end of this page.

Policies that Are Disabled by Default in Virtual DataPort and Solution Manager

In addition to the policies listed above, the administrator can enable these policies, which are disabled by default:

Password Expiration

When you enable this policy, the passwords expire after a certain number of days (365, by default) after the last time the password was changed or the account was created.

Once the password expires, the user can no longer log in and has to change the password.

To enable this policy, create the file <DENODO_HOME>/conf/policyConfiguration.json with this content:

Policy to enable “password expiration”
{
   "loginPolicy": {
      "passwordExpirationConstraintConfiguration": {
         "enabled": true,
         "expirationInDays": 365
      }
   }
}

In “expirationInDays”, enter any integer equal to or greater than 1.

Before enabling this policy, consider that it causes many users to choose predictable passwords (e.g. the same password as before with the current year appended). In these cases, the next password can be predicted from the previous one. In addition, this policy offers little benefit because attackers almost always use the credentials as soon as they obtain them.

Lock Account After Many Attempts to Log in with the Wrong Password

When you enable this policy, an account gets locked after trying to log in with an incorrect password 10 times in less than 60 minutes. After 60 minutes, the failed attempts are reset.

Both the number of times and the time to reset are configurable.

To enable this policy, create the file <DENODO_HOME>/conf/policyConfiguration.json with this content:

Policy to control login attempts
{
   "loginPolicy": {
      "lockoutConstraintConfiguration": {
         "enabled": true,
         "maxFailedAttempts": 10,
         "minutesToResetFailedAttempts": 60
      }
   }
}

If the file already exists, add the JSON object “lockoutConstraintConfiguration” inside “loginPolicy”. For example:

{
   "loginPolicy": {
      "passwordExpirationConstraintConfiguration": {
         "enabled": true,
         "expirationInDays": 180
      },

      "lockoutConstraintConfiguration": {
         "enabled": true,
         "maxFailedAttempts": 5,
         "minutesToResetFailedAttempts": 60
      }
   }
}
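The merge described above (adding one policy to a policyConfiguration.json that may already contain the other), as an added example that is not part of the Denodo documentation. It keeps whatever “loginPolicy” already holds and checks the documented keys before the file is written; the assumption that every numeric setting must be an integer of at least 1 extends to the lockout values what the page states only for “expirationInDays”.

```python
import json
from typing import Any, Optional

# Numeric keys documented for the two optional policies in policyConfiguration.json.
KNOWN_POLICIES = {
    "passwordExpirationConstraintConfiguration": ("expirationInDays",),
    "lockoutConstraintConfiguration": ("maxFailedAttempts", "minutesToResetFailedAttempts"),
}


def policy_errors(config: dict[str, Any]) -> list[str]:
    """Check the shape of a policyConfiguration.json document; returns the problems found."""
    errors = []
    policies = config.get("loginPolicy")
    if not isinstance(policies, dict):
        return ['top-level "loginPolicy" object is missing']
    for name, body in policies.items():
        if name not in KNOWN_POLICIES or not isinstance(body, dict):
            errors.append(f"{name!r} is not a known policy object")
            continue
        if not isinstance(body.get("enabled"), bool):
            errors.append(f"{name}.enabled must be true or false")
        for key in KNOWN_POLICIES[name]:
            value = body.get(key)
            # bool is a subclass of int in Python, so exclude it explicitly.
            # Assumption: each numeric setting is an integer >= 1 (stated on the page for expirationInDays).
            if isinstance(value, bool) or not isinstance(value, int) or value < 1:
                errors.append(f"{name}.{key} must be an integer >= 1")
    return errors


def merge_policy(existing_text: Optional[str], policy_name: str,
                 settings: dict[str, Any]) -> dict[str, Any]:
    """Add or replace one policy under "loginPolicy", keeping any policy already present.
    existing_text is the current file content, or None if the file does not exist yet."""
    config = json.loads(existing_text) if existing_text else {}
    config.setdefault("loginPolicy", {})[policy_name] = settings
    errors = policy_errors(config)
    if errors:
        raise ValueError("; ".join(errors))
    return config


if __name__ == "__main__":
    # Constructed sample: the file already enables password expiration; add the lockout policy.
    current = ('{"loginPolicy": {"passwordExpirationConstraintConfiguration": '
               '{"enabled": true, "expirationInDays": 180}}}')
    merged = merge_policy(current, "lockoutConstraintConfiguration",
                          {"enabled": True, "maxFailedAttempts": 5, "minutesToResetFailedAttempts": 60})
    print(json.dumps(merged, indent=3))  # write this to <DENODO_HOME>/conf/policyConfiguration.json
```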

To unlock a locked account, an administrator has to execute this command:

ALTER USER <locked user>
    CURRENT_PASSWORD '<your administrator password>'
    UNLOCK;

To do this, the administrator has to log in with username and password (not with Kerberos or Denodo SSO, because these methods do not allow the administrator to unlock a user).

When All the Administrators are Locked Out of Virtual DataPort or Solution Manager

If all the administrator users are locked, follow these steps:

  1. Connect to the host in which Denodo Platform or Solution Manager is installed, with an account that has privileges to modify the files of the installation.

  2. Edit the file <DENODO_HOME>/conf/vdp/VDBConfiguration.properties and add this property:

    userRecoveryOnStartup=<temporary password>

  3. Restart Virtual DataPort.

  4. You can now log in with a new user account, “denodo_recovery_user”, whose password is the one you entered in step 2.

  5. Unlock your own administrator account and log out.

  6. Delete the recovery account (“denodo_recovery_user”).

If you want to store the password of the recovery account encrypted in “VDBConfiguration.properties”, do this:

  1. Execute the script <DENODO_HOME>/bin/encrypt_password to encrypt the new password.

  2. In the file “VDBConfiguration.properties”, enter the password like this:

    userRecoveryOnStartup=encrypted:<encrypted password>

Note

The same process unlocks an account in Solution Manager.

Note

The denodo_recovery_user is used to gain access to the server when all the administrator users have been locked, and also when the passwords of all administrator users have been forgotten. In these scenarios you can neither log in to the server nor change any administrator user's password (since an administrator user is needed to execute an ALTER USER PASSWORD statement). Thus, the capability of creating a predefined administrator user is needed to ensure a recovery mechanism is always available.

Note

To apply the recovery mechanism in a container environment follow the steps described in the Denodo Knowledge Base article How to Unlock a Denodo Administrator User in a Container Environment.

Important Notes

  1. The password policies only affect the local user accounts of Virtual DataPort, Solution Manager, etc., and other local accounts. They do not affect users whose account is created in the Active Directory or the Identity Provider of your organization.

  2. Regarding the policies that are disabled by default: if you enable them, they will only affect new accounts or accounts whose password is changed after enabling the policy.

    For example, if you enable the policy that causes the passwords to expire after N days, only new accounts and users that change their password will be affected. For the rest, their password will be valid forever.

    If you enable the policy that causes the passwords to expire and want to enforce it for all users, do this for every user account:

    1. Log in as an administrator and execute this command:

      DESC VQL USER "<user name>" ('includeUserPrivileges' = 'yes'
          , 'replaceExistingElements' = 'yes'
          , 'dropElements' = 'no');
      
    2. Copy the output of this command and execute it.

    3. Repeat this for each local user (to obtain all the users, execute LIST USERS).

    These steps are necessary because the policy starts to affect the account when it is recreated.
