Password Policies in the Denodo Platform and Solution Manager
When you create a user account or change the password of an existing account, the password has to meet these policies:
Minimum length: eight characters or more.
Complexity requirements:
At least: one uppercase and one lowercase character, one digit and one symbol.
It cannot contain the same character repeated consecutively more than three times (e.g. “aaaaaa”).
No more than three consecutive digits (in ascending or descending order). E.g. “123” or “9876”.
It cannot contain the login name.
Users cannot reuse the same password they used the last three times they changed the password.
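As an added illustration (not code from the Denodo documentation or product), this Python checker applies the rules listed above to a candidate password. Function and constant names are assumptions, the history is compared as hashes rather than plain text, the login-name match is assumed to be case-insensitive, and a run of three or more ascending or descending digits (matching the page's “123” and “9876” examples) is treated as a violation.

```python
import hashlib
import hmac

# Added example: a checker for the password rules on this page. Names are assumptions.
MIN_LENGTH = 8
MAX_REPEAT = 3      # "aaa" is allowed, "aaaa" (more than three in a row) is rejected
SEQ_DIGITS = 3      # assumption: a run of 3+ ascending/descending digits ("123", "9876") fails
HISTORY = 3         # the last three passwords cannot be reused

def hash_password(password: str) -> str:
    # Demo only: a real history store would use a salted, slow hash (PBKDF2, bcrypt, ...).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def has_long_repeat(pw: str) -> bool:
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_REPEAT:
            return True
    return False

def has_sequential_digits(pw: str) -> bool:
    for i in range(len(pw) - SEQ_DIGITS + 1):
        window = pw[i:i + SEQ_DIGITS]
        if window.isdigit():
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False

def check_password(password: str, login: str, history_hashes: list) -> list:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if not all(classes):
        problems.append("needs an uppercase, a lowercase, a digit and a symbol")
    if has_long_repeat(password):
        problems.append("same character repeated more than three times in a row")
    if has_sequential_digits(password):
        problems.append("contains a run of sequential digits")
    if login and login.lower() in password.lower():   # assumption: case-insensitive match
        problems.append("contains the login name")
    if any(hmac.compare_digest(hash_password(password), h) for h in history_hashes[-HISTORY:]):
        problems.append("reuses one of the last three passwords")
    return problems
```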
These policies affect all the modules of the Denodo Platform and the Solution Manager, including the password to access the configuration area of these modules:
Data Catalog: https://denodo-server.acme.com:9443/denodo-data-catalog/#/web-local-login
Design Studio: https://denodo-solution-manager.acme.com:19443/denodo-design-studio/#/web-local-login
Scheduler:
https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/#/web-local-login
https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/?auth=login/#/local-login
Important
Read the section Important Notes at the end of this page.
Policies that Are Disabled by Default in Virtual DataPort and Solution Manager
In addition to the policies listed above, the administrator can enable these policies, which are disabled by default:
Password Expiration
When you enable this policy, passwords expire a certain number of days (365 by default) after the last time the password was changed or the account was created.
Once the password expires, the user can no longer log in and has to change the password.
To enable this policy, create the file <DENODO_HOME>/conf/policyConfiguration.json with this content:
{
  "loginPolicy": {
    "passwordExpirationConstraintConfiguration": {
      "enabled": true,
      "expirationInDays": 365
    }
  }
}
In “expirationInDays”, enter any integer equal to or greater than 1.
Before enabling this policy, consider that it causes many users to enter predictable passwords (e.g. the same password as before with the current year appended). In these cases, the next password can be predicted from the previous one. In addition, this policy offers little benefit because attackers almost always use credentials as soon as they obtain them.
Lock Account After Many Attempts to Log in with the Wrong Password
When you enable this policy, an account gets locked after trying to log in with an incorrect password 10 times in less than 60 minutes. After 60 minutes, the failed attempts are reset.
Both the number of times and the time to reset are configurable.
To enable this policy, create the file <DENODO_HOME>/conf/policyConfiguration.json with this content:
{
  "loginPolicy": {
    "lockoutConstraintConfiguration": {
      "enabled": true,
      "maxFailedAttempts": 10,
      "minutesToResetFailedAttempts": 60
    }
  }
}
If the file already exists, add the JSON object “lockoutConstraintConfiguration” inside “loginPolicy”. For example:
{
  "loginPolicy": {
    "passwordExpirationConstraintConfiguration": {
      "enabled": true,
      "expirationInDays": 180
    },
    "lockoutConstraintConfiguration": {
      "enabled": true,
      "maxFailedAttempts": 5,
      "minutesToResetFailedAttempts": 60
    }
  }
}
To unlock a locked account, an administrator has to execute this command:
ALTER USER <locked user>
CURRENT_PASSWORD '<your administrator password>'
UNLOCK;
To do this, the administrator has to log in with a username and password (not with Kerberos or Denodo SSO, because those methods do not allow the administrator to unlock a user).
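As an added illustration that is not part of the Denodo documentation, this Python model reproduces the lockout behaviour described above (maxFailedAttempts, minutesToResetFailedAttempts, and the administrator's UNLOCK). Class and method names are assumptions, as are the sliding-window reading of the reset interval and the choice that a successful login clears the failure counter.

```python
# Added example: an in-memory model of the lockout policy on this page (names are assumptions).
# Assumption: failed attempts count within a sliding window of minutesToResetFailedAttempts;
# older failures are discarded, so a quiet hour effectively resets the counter.

class LockoutPolicy:
    def __init__(self, max_failed_attempts: int = 10, minutes_to_reset: int = 60):
        self.max_failed = max_failed_attempts
        self.window_seconds = minutes_to_reset * 60
        self.failures = {}     # user -> timestamps (seconds) of recent failed attempts
        self.locked = set()

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Evaluate one login attempt; returns 'ok', 'denied' or 'locked'."""
        if user in self.locked:
            return "locked"                  # a correct password no longer helps once locked
        if password_ok:
            self.failures.pop(user, None)    # assumption: a successful login clears the counter
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t < self.window_seconds]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failed:
            self.locked.add(user)
            del self.failures[user]
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """What an administrator's ALTER USER ... UNLOCK achieves for the account."""
        self.locked.discard(user)

def simulate() -> list:
    """Constructed scenario using the page's second config (5 attempts, 60 minutes)."""
    policy = LockoutPolicy(max_failed_attempts=5, minutes_to_reset=60)
    log = []
    for t in range(4):                                # four wrong passwords in a row
        log.append(policy.attempt("jdoe", False, t))
    log.append(policy.attempt("jdoe", False, 4000))   # more than an hour later: counter reset
    for t in range(4001, 4005):                       # four more within the hour; fifth locks
        log.append(policy.attempt("jdoe", False, t))
    log.append(policy.attempt("jdoe", True, 4006))    # right password, still locked
    policy.unlock("jdoe")                             # administrator unlocks the account
    log.append(policy.attempt("jdoe", True, 4007))
    return log
```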
When All the Administrators are Locked Out of Virtual DataPort or Solution Manager
If all the administrator users are locked, follow these steps:
1. Connect to the host on which the Denodo Platform or Solution Manager is installed, with an account that has privileges to modify the files of the installation.
2. Edit the file <DENODO_HOME>/conf/vdp/VDBConfiguration.properties and add this property:
userRecoveryOnStartup=<temporary password>
3. Restart Virtual DataPort.
4. You can now log in with a new user account, “denodo_recovery_user”, whose password is the one indicated in step #2.
5. Unlock your own administrator account and log out.
6. Delete the recovery account (“denodo_recovery_user”).
If you want the password of the recovery account to be stored encrypted in “VDBConfiguration.properties”, do this:
1. Execute the script <DENODO_HOME>/bin/encrypt_password to encrypt the new password.
2. In the file “VDBConfiguration.properties”, enter the password like this:
userRecoveryOnStartup=encrypted:<encrypted password>
Note
The same process unlocks an account in Solution Manager.
Note
The denodo_recovery_user is used to gain access to the server when all the administrator users have been locked, and also when the passwords of all administrator users have been forgotten. In these scenarios you can neither log in to the server nor change any administrator user's password (since an administrator user is needed to execute an ALTER USER PASSWORD statement). Thus, the capability of creating a predefined administrator user is needed to ensure that a recovery mechanism is always available.
Note
To apply the recovery mechanism in a container environment follow the steps described in the Denodo Knowledge Base article How to Unlock a Denodo Administrator User in a Container Environment.
Important Notes
The password policies only affect local user accounts (those of Virtual DataPort, Solution Manager and the other modules). They do not affect users whose accounts are managed in the Active Directory or the Identity Provider of your organization.
Regarding the policies that are disabled by default: if you enable them, they only affect new accounts or accounts whose password is changed after the policy was enabled.
For example, if you enable the policy that makes passwords expire after N days, only new accounts and users that change their password are affected. For the rest, the password remains valid indefinitely.
Suppose you enable the policy that makes passwords expire and you want to enforce it for all users. Do this for each local user account:
1. Log in as an administrator and execute this command:
DESC VQL USER "<user name>" ('includeUserPrivileges' = 'yes' , 'replaceExistingElements' = 'yes' , 'dropElements' = 'no');
2. Copy the output of this command and execute it.
Repeat this for each local user (to obtain the list of all users, execute LIST USERS).
These steps are necessary because the policy starts to affect an account when the account is recreated.