Commit 59f3806

docs: Document Local UI login security behaviour (#8341)
* Rebase
* Revert the field order
* Rename boolean parameter, add agent version
* Fix formatting
* Empty commit to trigger Netlify
* Update docs/docs-content/clusters/edge/local-ui/host-management/access-console.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/clusters/edge/local-ui/host-management/access-console.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/clusters/edge/local-ui/host-management/access-console.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/clusters/edge/edge-configuration/installer-reference.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/clusters/edge/edge-configuration/installer-reference.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/release-notes/release-notes.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update docs/docs-content/clusters/edge/edge-configuration/installer-reference.md Co-authored-by: Amanda Churi Filanowski <[email protected]>
* Update installer-reference.md
* ci: auto-formatting prettier issues
* Update installer-reference.md
* ci: auto-formatting prettier issues

---------

Co-authored-by: Amanda Churi Filanowski <[email protected]>
Co-authored-by: svetlana-efimova <[email protected]>
1 parent 321634c commit 59f3806

4 files changed

+44
-16
lines changed

docs/docs-content/clusters/edge/edge-configuration/installer-reference.md

Lines changed: 20 additions & 16 deletions
@@ -26,22 +26,26 @@ These parameters start with the prefix `stylus`. Palette agent parameters contro
2626
configuration, including networking, logging, services, as well as users and permissions. Parameters in this section are
2727
listed in alphabetical order.
2828

29-
| Parameter | Description | Type | Default |
30-
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----------- |
31-
| `stylus.debug` | Enable this parameter for debug output. Allowed values are `true` or `false`. | boolean | `false` |
32-
| `stylus.disablePasswordUpdate` | Disables the ability to update Operating System (OS) user passwords from the Local UI if set to true. Updating the password through the OS and API is still allowed. | boolean | `false` |
33-
| `stylus.enableMultiNode` | When set to `true`, the host can link with other nodes to form a multi-node cluster. For more information, refer to [Link Hosts](../local-ui/cluster-management/link-hosts.md). | boolean | `false` |
34-
| `stylus.externalRegistries` | Use this parameter to configure multiple external registries and apply domain re-mapping rules. Refer to [Multiple External Registries](#multiple-external-registries) for more details. | Object | None |
35-
| `stylus.featureGate` | This parameter contains a comma-separated list of features you want to enable on your host. | String | `''` |
36-
| `stylus.includeTui` | Enable Palette TUI for initial Edge host configuration. For more information, refer to [Initial Edge Host Configuration](../site-deployment/site-installation/initial-setup.md). | boolean | `false` |
37-
| `stylus.installationMode` | (Deprecated) Allowed values are `connected` and `airgap`. `connected` means the Edge host is connected to Palette; `airgap` means the Edge host has no connection. This parameter has been deprecated and will be removed in an future release. Use the `stylus.managementMode` parameter instead. | String | `connected` |
38-
| `stylus.localUI.port` | Specifies the port that the Local UI is exposed on. | Integer | `5080` |
39-
| `stylus.managementMode` | Allowed values are `local` and `central`. `central` means the Edge host is connected to Palette; `local` means the Edge host has no connection to a Palette instance. | String | `central` |
40-
| `stylus.path` | Specifies Stylus installation directory. Stylus appends its internal layout, `/opt/spectrocloud`, to this path. If you omit this parameter, the system uses `/` as the default root and installs Stylus to `/opt/spectrocloud`. | String | `/` |
41-
| `stylus.registryCredentials` | Only used when a single external registry is in use and no mapping rules are needed. Refer to [Single External Registry](#single-external-registry) for more details. | Object | None |
42-
| `stylus.site` | Review [Site Parameters](#site-parameters) for more information. | Object | None |
43-
| `stylus.trace` | Enable trace output. Allowed values are `true` or `false`. | boolean | `false` |
44-
| `stylus.vip.skip` | When set to `true`, the installer skips the configuration of kube-vip and enables the use of an external load balancer instead. | boolean | `false` |
29+
| Parameter | Description | Type | Default |
30+
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | ----------- |
31+
| `stylus.debug` | Enable this parameter for debug output. Allowed values are `true` or `false`. | boolean | `false` |
32+
| `stylus.disablePasswordUpdate` | Disables the ability to update Operating System (OS) user passwords from Local UI if set to true. Updating the password through the OS and API is still allowed. | boolean | `false` |
33+
| `stylus.enableMultiNode` | When set to `true`, the host can link with other nodes to form a multi-node cluster. For more information, refer to [Link Hosts](../local-ui/cluster-management/link-hosts.md). | boolean | `false` |
34+
| `stylus.externalRegistries` | Use this parameter to configure multiple external registries and apply domain re-mapping rules. Refer to [Multiple External Registries](#multiple-external-registries) for more details. | Object | None |
35+
| `stylus.featureGate` | This parameter contains a comma-separated list of features you want to enable on your host. | String | `''` |
36+
| `stylus.includeTui` | Enable Palette TUI for initial Edge host configuration. For more information, refer to [Initial Edge Host Configuration](../site-deployment/site-installation/initial-setup.md). | boolean | `false` |
37+
| `stylus.installationMode` | (Deprecated) Allowed values are `connected` and `airgap`. `connected` means the Edge host is connected to Palette; `airgap` means the Edge host has no connection. This parameter has been deprecated and will be removed in an future release. Use the `stylus.managementMode` parameter instead. | String | `connected` |
38+
| `stylus.localUI.login.attemptsBeforeExponentialDelayStarts` | Number of consecutive failed Local UI login attempts before the exponential delay begins. After this threshold, each additional failed attempt doubles the wait time before the user can attempt to log in again. This parameter takes effect only when `stylus.localUI.login.disableRateLimiting` is set to `false` and is supported for Edge hosts built with Palette agent version 4.7.c-canvos or later. | Integer | `3` |
39+
| `stylus.localUI.login.disableRateLimiting` | When set to `false`, Local UI enforces a short delay after several consecutive failed login attempts and temporarily blocks the user's access. This parameter is supported for Edge hosts built with Palette agent version 4.7.c-canvos or later. | boolean | `false` |
40+
| `stylus.localUI.login.lockoutDurationInMinutes` | Duration in minutes that Local UI login remains blocked after the user reaches the maximum number of unsuccessful login attempts. This parameter takes effect only when `stylus.localUI.login.disableRateLimiting` is set to `false` and is supported for Edge hosts built with Palette agent version 4.7.c-canvos or later. | Integer | `15` |
41+
| `stylus.localUI.login.maxFailedAttemptsBeforeLockout` | Number of consecutive failed login attempts allowed before Local UI access is temporarily locked for the user. This parameter takes effect only when `stylus.localUI.login.disableRateLimiting` is set to `false` and is supported for Edge hosts built with Palette agent version 4.7.c-canvos or later. | Integer | `5` |
42+
| `stylus.localUI.port` | Specifies the port that Local UI is exposed on. | Integer | `5080` |
43+
| `stylus.managementMode` | Allowed values are `local` and `central`. `central` means the Edge host is connected to Palette; `local` means the Edge host has no connection to a Palette instance. | String | `central` |
44+
| `stylus.path` | Specifies Stylus installation directory. Stylus appends its internal layout, `/opt/spectrocloud`, to this path. If you omit this parameter, the system uses `/` as the default root and installs Stylus to `/opt/spectrocloud`. | String | `/` |
45+
| `stylus.registryCredentials` | Only used when a single external registry is in use and no mapping rules are needed. Refer to [Single External Registry](#single-external-registry) for more details. | Object | None |
46+
| `stylus.site` | Review [Site Parameters](#site-parameters) for more information. | Object | None |
47+
| `stylus.trace` | Enable trace output. Allowed values are `true` or `false`. | boolean | `false` |
48+
| `stylus.vip.skip` | When set to `true`, the installer skips the configuration of kube-vip and enables the use of an external load balancer instead. | boolean | `false` |
4549

4650
:::warning
4751
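
Review bot: The `stylus.localUI.login.disableRateLimiting` row describes only the `false` case and never says what `true` does. The three other `stylus.localUI.login.*` rows state that they take effect only when this parameter is `false`, so the row should say explicitly whether `true` turns off both the exponential delay and the lockout. The same row also folds the two stages into one sentence ("enforces a short delay after several consecutive failed login attempts and temporarily blocks the user's access"); splitting it into the delay stage and the lockout stage would match the other rows. It would also help to state what happens when `attemptsBeforeExponentialDelayStarts` is set equal to or higher than `maxFailedAttemptsBeforeLockout`, since the defaults of `3` and `5` are the only combination the table shows.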

docs/docs-content/clusters/edge/local-ui/host-management/access-console.md

Lines changed: 13 additions & 0 deletions
@@ -32,6 +32,19 @@ This page guides you through how access the console, and log in, and manage your
3232

3333
3. You will be prompted to log in. Enter your username and password to log in.
3434

35+
#### Login Security Behavior
36+
37+
In case of several consecutive unsuccessful login attempts, Local UI enforces a short delay before you can attempt to
38+
log in again. The delay starts at one second and doubles with each subsequent failed attempt. By default, the delay
39+
mechanism begins after three unsuccessful login attempts.
40+
41+
If you reach the maximum number of consecutive unsuccessful login attempts, Local UI temporarily blocks access for your
42+
user. By default, this lockout occurs after five consecutive failed attempts and lasts for 15 minutes.
43+
44+
You can customize the default values in the `user-data` file for Edge hosts built with Palette agent version
45+
4.7.c-canvos or later. For more information, refer to the `stylus.localUI.login` parameters description in the
46+
[Edge Installer Configuration Reference](../../edge-configuration/installer-reference.md#palette-agent-parameters).
47+
3548
### Validate
3649

3750
A successful login directs you to the Edge management console. Displayed is an overview of your Edge host.
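
Review bot: The added "Login Security Behavior" paragraphs do not say when the count of consecutive failed attempts resets, for example on a successful login or when the 15-minute lockout expires, and an operator tuning these values needs that to reason about the effective limit. The sentence "the delay mechanism begins after three unsuccessful login attempts" is also ambiguous about whether the first one-second delay follows the third failure or the fourth; one concrete sequence with the defaults would settle it. Finally, "temporarily blocks access for your user" implies the counter is keyed on the username; if that is the case, state it, because it determines whether failures from one client can lock the account for every client of that host.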

docs/docs-content/clusters/edge/local-ui/host-management/edit-user-data.md

Lines changed: 4 additions & 0 deletions
@@ -28,6 +28,10 @@ After an edit has been made, the new settings will apply after the host reboots.
2828
- `stylus.site.tagsFromFile`
2929
- `stylus.site.tagsFromScript`
3030
- `stylus.site.remoteShell.disable`
31+
- `stylus.localUI.login.attemptsBeforeExponentialDelayStarts`
32+
- `stylus.localUI.login.disableRateLimiting`
33+
- `stylus.localUI.login.lockoutDurationInMinutes`
34+
- `stylus.localUI.login.maxFailedAttemptsBeforeLockout`
3135
- `stylus.localUI.port`
3236
- `stylus.includeTui`
3337
- `stylus.debug`
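
Review bot: The four new `stylus.localUI.login.*` entries are listed without the "Palette agent version 4.7.c-canvos or later" qualifier that the other three files in this commit attach to them, so a reader of this page alone cannot tell that the keys only apply to newer agents. Suggest adding the version note next to these entries or a link to the installer reference. Because this list is the set of fields editable after installation, and the hunk context says edits apply only after the host reboots, it is also worth noting that a change to `stylus.localUI.login.disableRateLimiting` made here does not alter login protection until the reboot.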

docs/docs-content/release-notes/release-notes.md

Lines changed: 7 additions & 0 deletions
@@ -50,6 +50,13 @@ tags: ["release-notes"]
5050

5151
<!-- prettier-ignore-end -->
5252

53+
- Local UI now supports configurable rate limiting and account lockout to protect against repeated failed login
54+
attempts. By default, Local UI applies an increasing delay after three consecutive failed login attempts and
55+
temporarily blocks access after five failures for 15 minutes. These settings can be customized in the `user-data` file
56+
for Edge hosts built with Palette agent version 4.7.c-canvos or later. For more information, refer to the
57+
`stylus.localUI.login` parameters description in the
58+
[Edge Installer Configuration Reference](../clusters/edge/edge-configuration/installer-reference.md#palette-agent-parameters).
59+
5360
#### Improvements
5461

5562
- Remote shell access to an Edge host can now be enabled in Palette only if the parameter
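
Review bot: In the new release note, "temporarily blocks access after five failures for 15 minutes" reads as if five failures must occur within a 15-minute window, and it drops the word "consecutive" that the reference table and the access-console page both use. Suggest "temporarily blocks access for 15 minutes after five consecutive failed attempts". The note could also name `stylus.localUI.login.disableRateLimiting` directly, since it is the switch that governs whether the feature is active.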
