Bug 1594994 - Text boxes to enter the Web admin UI credentials are much longer than necessary. [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: web-admin-tendrl-ui
Version: rhgs-3.4
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: RHGS 3.4.0
Assignee: Neha Gupta
QA Contact: Elena Bondarenko
URL:
Whiteboard:
Depends On:
Blocks: 1503137
Reported: 2018-06-26 00:12 UTC by Anand Paladugu
Modified: 2021-11-05 16:58 UTC (History)

Fixed In Version: tendrl-ui-1.6.3-10.el7rhgs.noarch
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-04 07:07:57 UTC
Embargoed:
mbukatov: needinfo?


Attachments
Login screen (95.44 KB, image/png), 2018-06-26 00:12 UTC, Anand Paladugu
modified login view (96.79 KB, image/png), 2018-07-04 11:07 UTC, Neha Gupta
Add User: user ID too short error (10.82 KB, image/png), 2018-07-20 12:34 UTC, Daniel Horák
Add User: user ID too long error (8.92 KB, image/png), 2018-07-20 12:34 UTC, Daniel Horák
Login page screen - the error message is wrapped even when the page is wide (202.51 KB, image/png), 2018-07-31 07:57 UTC, Daniel Horák


Links
System ID Private Priority Status Summary Last Updated
Github Tendrl ui issues 1013 0 None None None 2018-07-12 07:25:39 UTC
Github Tendrl ui pull 1036 0 None None None 2018-08-13 03:40:31 UTC
Red Hat Bugzilla 1607868 0 unspecified CLOSED Text boxes on "Add User" or "Edit User" pages are are much longer than necessary. 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1610266 0 unspecified CLOSED Inconsistent password length requirements 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1610913 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1610947 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHSA-2018:2616 0 None None None 2018-09-04 07:08:46 UTC

Internal Links: 1607868 1610266 1610913 1610947

Description Anand Paladugu 2018-06-26 00:12:03 UTC
Created attachment 1454518 [details]
Login screen

Description of problem: Text boxes to enter the Web admin UI credentials are much longer than necessary. Screenshot is attached. While it's not causing any functional issue, it does reflect negatively on the design.


Version-Release number of selected component (if applicable): 3.4 (Sandbox environment)


How reproducible: Always 


Steps to Reproduce:
1. Open the web admin UI and check the login screen credentials text boxes.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Nishanth Thomas 2018-06-27 11:07:33 UTC
Neha, as discussed, please verify the text box sizes with the standard patternfly design and update

Comment 3 Neha Gupta 2018-06-28 04:17:10 UTC
@julim I am not able to find any recommendation for text box sizes in the patternfly library documentation (http://www.patternfly.org/pattern-library/forms-and-controls/data-input/#text-entry). Can you please suggest what the text box size should be here on the login page?

Comment 4 Ju Lim 2018-06-28 17:27:55 UTC
@negupta

Ack that PF does not provide recommendation for text box sizes and would not need to.  This should be dictated by the underlying application itself.

Per @shtripat, the tendrl-api modules support minimum: 4 and maximum: 100 characters for the username in Tendrl.

This does seem unusually high.  Linux username limit is 32 characters   while Active Directory.  LDAP by itself doesn't place any restriction on the username, especially as LDAP doesn't really specify which attribute qualifies as the username. The DN is similarly unencumbered. However, on Active Directory, the sAMAccountName attribute only supports 20 characters.

The general best practice is that usernames should be short, and if I had to recommend anything, I'd be inclined to follow the Linux 32 characters limit (vs. 100 that is set currently in Tendrl).

What level of UI validations do we do around the user, e.g. user creation or modification?

Having stated this, the text box size should be aligned with whatever our max is.  If it's 100, then indeed our text box looks to be as wide as what Tendrl is supporting.  I would not want the UI to size the text box smaller to what is currently supported in Tendrl without changing the backend to ensure full support all the way through.  IMHO, it should be a 32 char limit.

apaladug & @smukherj - Thoughts?

Comment 5 Nishanth Thomas 2018-07-03 10:11:48 UTC
Based on further discussions, decided to restrict the max username limit to 20 characters (we might support AD at some point in future)
@neha, @shirshendu please make the appropriate changes

Comment 6 Neha Gupta 2018-07-04 10:50:24 UTC
@julim Do we need to restrict max limit for login password too?

Comment 7 Neha Gupta 2018-07-04 11:07:47 UTC
Created attachment 1456486 [details]
modified login view

Comment 8 Neha Gupta 2018-07-04 11:09:37 UTC
@julim Does the above attached screenshot for the modified login view look good w.r.t. the length of the text boxes and error message?

Comment 9 Martin Bukatovic 2018-07-04 14:02:33 UTC
(In reply to Nishanth Thomas from comment #5)
> Based on further discussions, decided to restrict the max username limit to
> 20 characters(we might support AD at some point in future)

Based on this, QE will verify that:

 * the text fields are smaller compared to the previous version
 * the max len of username is 20 characters
 * the max size of password is not limited to 20 characters

Comment 12 Ju Lim 2018-07-05 13:22:47 UTC
@negupta

The screenshot mentioned in Comment 7 (https://bugzilla.redhat.com/show_bug.cgi?id=1594994#c7) - showing the modified login view looks good, though I have some concerns with the error message.

Specifically, for error messages you're suggesting might be appropriate when you're creating / modifying a username.

However, since this is a login screen and there are security implications, we don't want to tell users that the username is less than 20 characters long (to make it easier for someone to hack).

Instead, we would say "The username or password you entered is incorrect."

As to the max password length:
For AD, it's 255 chars.
On linux, it depends on the crypt() algorithm used:
* modified DES: 8 ASCII characters
* MD5: Unlimited length
* Blowfish: 56 bytes
* NT Hash: Please don't use this one
* SHA256/512: Unlimited length

I believe the general best practice is length should be greater than 8 and less than 128 chars.

Comment 13 Neha Gupta 2018-07-12 07:40:10 UTC
As per this comment https://bugzilla.redhat.com/show_bug.cgi?id=1594994#c12, the minimum password length should be minimum 9. Hence, modifying the minimum password length check from 8 to 9 on users add and edit views.

Comment 14 Neha Gupta 2018-07-16 12:07:39 UTC
Changes done -

- User name minimum length should be 4 and maximum 20 characters. Implemented on both login and users views.

- Password minimum length should be 9 and maximum 128 characters. Implemented on both login and users views.

- Reduced the text box size for username and password on login screen.

Comment 16 Daniel Horák 2018-07-20 12:34:25 UTC
Created attachment 1464932 [details]
Add User: user ID too short error

Comment 17 Daniel Horák 2018-07-20 12:34:50 UTC
Created attachment 1464933 [details]
Add User: user ID too long error

Comment 18 Daniel Horák 2018-07-20 12:38:50 UTC
@Neha, why is the error for too short and too long User ID on Add User form
so different? It looks quite inconsistent.
See attachment 1464932 [details] and attachment 1464933 [details]

Also when we reduced the text box size for username and password on login
screen, wouldn't it be better to also reduce the size of those fields on the
Add User page?

Comment 19 Daniel Horák 2018-07-20 12:45:58 UTC
Also on the Login page, the size of the Username and Password fields was limited, but the length of the inserted text was not - wouldn't it be worth also setting the "maxlength" attribute of the input element? (or something similar)

Comment 20 Neha Gupta 2018-07-24 08:42:26 UTC
@dahorak The reason for not using "maxlength" is that it restricts the user from entering any more characters beyond the max limit without showing any error message, which I feel is not a good user experience. Hence, I have used the "ng-maxlength" attribute, which will give an error message once the user clicks the login button in case it exceeds the max length mentioned.

I agree with your point about the difference in behaviors for max and min user/password error messages. I will do the required changes as per the patternfly recommendation (https://www.patternfly.org/pattern-library/application-framework/login-page/#client-side-errors) for error messages on login view.

@dahorak For reducing the text box size for username and password on user's page, please create a separate issue for it.

Comment 21 Daniel Horák 2018-07-25 07:01:04 UTC
(In reply to Neha Gupta from comment #20)
> I agree with your point of difference in behaviors for max and min
> user/password error message. I will do the required changes as per the
> patternfly
> recommendation(https://www.patternfly.org/pattern-library/application-
> framework/login-page/#client-side-errors) for error messages on login view. 

Based on that moving back to ASSIGNED.

Comment 22 Daniel Horák 2018-07-31 07:57:20 UTC
Created attachment 1471714 [details]
Login page screen - the error message is wrapped  even when the page is wide

Comment 23 Daniel Horák 2018-07-31 08:00:41 UTC
I have two additional points here:

* checking for the username/password length on the login page even before the
  credentials are submitted is slightly strange behaviour (from my point of
  view, but I'm ok with that if that is the decision) - but the returned error
  should be the same as for incorrect credentials which fits into the
  length requirements:
  - if the username or password is short, the error is this:

    The username or password you entered is incorrect.

  - but if the username and password is long enough, the error looks like this:

    The username or password you entered does not match our records.
    Please try again.
 
* secondly, the error message is sometime strangely wrapped, even if the page
  is quite wide (see attachment 1471714 [details])
  - simply try to change the browser width when some of the error messages is
    displayed

Comment 24 Daniel Horák 2018-07-31 12:19:32 UTC
There is another issue closely related to this bug: Bug 1610266

Comment 25 Neha Gupta 2018-08-01 05:50:44 UTC
@dahorak The UI is not checking the username and password before clicking the "Submit" button, it's just validating (checking max and min length) it. As per Ju's comment at https://bugzilla.redhat.com/show_bug.cgi?id=1594994#c12, because of the security implications the validation error message looks like this.

@julim what is your suggestion on this? Should we make both error messages same?

Comment 26 Daniel Horák 2018-08-01 06:12:30 UTC
Neha and Ju, what is the reason for checking min and max length of the username and password on the login page?

From my point of view, it doesn't add any additional security and moreover it makes bugs like bug 1610266 much more severe, because it might lead to a situation where a user is not able to log in.

Comment 27 Martin Bukatovic 2018-08-01 10:55:48 UTC
(In reply to Daniel Horák from comment #26)
> Neha and Ju, what is the reason for checking min and max length of the
> username an password on the login page?

QE team is not going to validate this bug with such unsolicited, not approved
change. We clearly indicated what needs to change here in comment 9 and there
is no note about checking minimal length of anything.

Moreover as Daniel noted, this combined with other factors creates new regressions such as BZ 1610266.

Comment 28 Martin Bukatovic 2018-08-01 15:33:37 UTC
I have created separate bug to track changes done here, which are not part of
this bug: BZ 1610913

Comment 29 Neha Gupta 2018-08-02 08:19:01 UTC
As per the discussion with Nishanth, Martin and Daniel, there is no need to validate the username and password length on login view. Hence, I am reverting these validations from login view.
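
The behaviour discussed in comments 12, 26 and 29, as an added example that is not part of this bug thread or of Tendrl's code: length limits are enforced where accounts are created, while login always submits and returns one generic message. All function names, the account store and the sample credentials are constructed for illustration.

```javascript
// Added illustration; every name below is hypothetical, not Tendrl code.
const GENERIC_LOGIN_ERROR = 'The username or password you entered is incorrect.';

// Limits from comment 14; they belong on the Add/Edit User forms only.
const LIMITS = { username: { min: 4, max: 20 }, password: { min: 9, max: 128 } };

// Constructed accounts standing in for the backend. "olduser" dates from when
// the minimum password length was 8 (comment 13). A real backend would verify
// a salted password hash instead of comparing stored strings.
const accounts = new Map([['olduser', 'eightchr'], ['newadmin', 'nine-chars']]);

function backendAuthenticate(username, password) {
  return accounts.has(username) && accounts.get(username) === password;
}

// Add/Edit User: field-specific messages help whoever is creating the account.
function validateNewUser(username, password) {
  const errors = [];
  for (const [field, value] of [['username', username], ['password', password]]) {
    const { min, max } = LIMITS[field];
    if (value.length < min) errors.push(`${field} must be at least ${min} characters`);
    if (value.length > max) errors.push(`${field} must be at most ${max} characters`);
  }
  return errors;
}

// Login after the revert in comment 29: always submit, one message for any failure.
function loginWithoutLengthGate(username, password) {
  const ok = backendAuthenticate(username, password);
  return { ok, error: ok ? null : GENERIC_LOGIN_ERROR, sentToBackend: true };
}

// Login as first changed: the creation-time limits are checked before submitting.
function loginWithLengthGate(username, password) {
  const outOfRange = (value, { min, max }) => value.length < min || value.length > max;
  if (outOfRange(username, LIMITS.username) || outOfRange(password, LIMITS.password)) {
    return { ok: false, error: GENERIC_LOGIN_ERROR, sentToBackend: false };
  }
  return loginWithoutLengthGate(username, password);
}

// The correct 8-character password never reaches the backend when gated.
console.log(loginWithLengthGate('olduser', 'eightchr'));
console.log(loginWithoutLengthGate('olduser', 'eightchr'));
```

With the gate in place, the constructed account created under the older 8-character minimum is locked out even with the right password, which is the regression comment 26 warns about.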

Comment 33 Martin Bukatovic 2018-08-13 14:25:46 UTC
Adding the ack again, QE team will verify this as described in the comment 9,
stressing out that *nothing else* has been changed here (especially there should
be no minimal password length check).

Comment 35 Elena Bondarenko 2018-08-15 12:36:03 UTC
Text boxes for Web admin UI credentials are of normal size now. There is no password length check during login.

Comment 37 errata-xmlrpc 2018-09-04 07:07:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2616

