Help Center/ MapReduce Service/ User Guide/ Managing Clusters/ Managing MRS Cluster Users/ Configuring Password Policies for MRS Cluster Users
Updated on 2024-10-25 GMT+08:00

Configuring Password Policies for MRS Cluster Users

To keep up with service security requirements, you can set password security rules, user login security rules, and user locking rules on Manager.

  • Modify password policies based on service security requirements, because they involve user management security. Otherwise, security risks may be incurred.
  • Change the user password after modifying the password policy, and then the new password policy can take effect.
  • This password policy is used for human-machine users created on Manager. A maximum of 32 password policies can be created. This operation is supported in MRS 3.1.2 and later only.

Adding a Password Policy

  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > Security Policy > Password Policy.
  3. Click Add Password Policy and modify the password policy as prompted.

    For details about the parameters, see Table 1.
    Table 1 Password policy parameters

    Parameter

    Description

    Password Policy Name

    The value is a string of 3 to 32 characters, including case-insensitive letters, digits, underscores (_), and hyphens (-). It cannot start with a hyphen (-).

    Minimum Password Length

    Indicates the minimum number of characters a password contains. The value ranges from 8 to 32.

    Character Types

    Indicates how many character types in the following types a password can contain at least: uppercase letters, lowercase letters, digits, spaces, and special characters (~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=). The value can be 4 or 5. The default value is 4, which means that a password can contain uppercase letters, lowercase letters, digits, and special characters. If you set the parameter to 5, a password can contain all the five character types mentioned above.

    Password Retries

    Indicates the number of consecutive wrong password attempts allowed before the system locks the user. The value ranges from 3 to 30.

    User Lock Duration (Min)

    Indicates the time period in which a user is locked when the user lockout conditions are met. The value ranges from 5 to 120.

    Password Validity Period (Day)

    Indicates the validity period of a password. The value ranges from 0 to 90. 0 indicates that the password is permanently valid.

    Repetition Rule

    Indicates the number of previous passwords that cannot be reused when you change the password. The value ranges from 1 to 5. The default value is 1.

    This policy applies to only human-machine accounts.

    Password Expiration Notification (Days)

    Indicates the number of days in advance users are notified that their passwords are about to expire. After the value is set, if the difference between the cluster time and the password expiration time is smaller than this value, the user receives password expiration notifications. When a user logs in to Manager, a message is displayed, indicating that the password is about to expire and asking the user whether to change the password. The value ranges from 0 to X (X must be set to the half of the password validity period and rounded down). Value 0 indicates that no notification is sent. The default value is 5.

    Interval for Deleting Authentication Failure Records (Min)

    Indicates the interval of retaining incorrect password attempts. The value ranges from 0 to 1440. 0 indicates that incorrect password attempts are permanently retained, and 1440 indicates that incorrect password attempts are retained for one day.

  4. Click OK to save the configurations.

    A new user uses the default password policy. After a new password policy is created, you can manually select the password policy when creating a user. You can modify the password policy of an existing user. For details, see Modifying MRS Cluster User Information.

  5. To delete a manually added password policy, perform the following operations:

    Click Delete in the row that contains the target password policy. In the dialog box that is displayed, click OK.

    The default password policy and the password policy that has been bound to a user cannot be deleted.

Modifying a Password Policy

  1. Log in to Manager.
  2. Enter the password policy configuration page.

    • For MRS 2.x and earlier versions: Choose System > Password Policy Configuration.
    • For MRS 3.x and later versions, choose System > Permission > Security Policy > Password Policy, and click Modify in the row that contains the password policy you want to modify.

  3. Modify password policies as prompted.

    Table 2 Password policy parameters

    Parameter

    Description

    Minimum Password Length

    Indicates the minimum number of characters a password contains. The value ranges from 8 to 32. The default value is 8.

    Character Types

    Indicates how many character types in the following types a password can contain at least: uppercase letters, lowercase letters, digits, spaces, and special characters (~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=).

    • For MRS 3.x and later versions, the value can be 4 or 5. The default value is 4, which means that a password can contain uppercase letters, lowercase letters, digits, and special characters. If you set the parameter to 5, a password can contain all the five character types mentioned above.
    • For MRS2.x and earlier versions, the value can be 3 or 4. The default value 3 indicates that the password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, special characters, and spaces.

    Password Retries

    Indicates the number of consecutive wrong password attempts allowed before the system locks the user. The value ranges from 3 to 30. The default value is 5.

    User Lock Duration (Min)

    Indicates the time period in which a user is locked when the user lockout conditions are met. The value ranges from 5 to 120. The default value is 5.

    Password Validity Period (Day)

    Indicates the validity period (days) of a password. The value ranges from 0 to 90. Value 0 means that the password is permanently valid. The default value is 90.

    Repetition Rule

    Indicates the number of previous passwords that cannot be reused when you change the password. The value ranges from 1 to 5. The default value is 1. This parameter is required for clusters of MRS 3.x or later.

    This policy applies to only human-machine accounts.

    Password Expiration Notification (Days)

    Indicates the number of days in advance users are notified that their passwords are about to expire. After the value is set, if the difference between the cluster time and the password expiration time is smaller than this value, the user receives password expiration notifications. When a user logs in to Manager, a message is displayed, indicating that the password is about to expire and asking the user whether to change the password. The value ranges from 0 to X (X must be set to the half of the password validity period and rounded down). Value 0 indicates that no notification is sent. The default value is 5.

    Interval for Deleting Authentication Failure Records (Min)

    Indicates the interval (minutes) of retaining incorrect password attempts. The value ranges from 0 to 1440. 0 indicates that incorrect password attempts are permanently retained, and 1440 indicates that incorrect password attempts are retained for one day. The default value is 5.

  4. Click OK to save the configurations. Change the user password after modifying the password policy, and then the new password policy can take effect.

    For MRS 3.1.2 and later:

    • Users (except admin) cannot modify their own password policies.
    • When a user's password policy is updated, the password's remaining validity period is adjusted as follows: if it is longer than the new policy's validity period, it is shortened to match the new policy; otherwise, it remains unchanged.