brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aled Sage <aled.s...@gmail.com>
Subject Re: web-console security: use hashed passwords in brooklyn.properties
Date Thu, 14 Aug 2014 10:57:18 GMT
Hi all,

Brooklyn master now checks if ~/.brooklyn/brooklyn.properties (or 
whatever you override it with on the launch command line) has 
permissions like 600 (or 700 or 400). Brooklyn will fail to start 
otherwise, giving a nice error to tell you why.

Note that we won't check these permissions on Windows currently. You'll 
get a log.debug telling you that we couldn't check.

Aled


On 11/08/2014 12:11, Alasdair Hodge wrote:
> Enthusiastic "yay!" for hashed, salted passwords :o)
>
> Also +1 to enforcing tighter access control for the properties file at 
> runtime. Will require a Windows equivalent, of course, but checking 
> for *00 flags on posix systems is a great start. I expect we want 
> "strict" behaviour only in the launcher, and that unit tests, etc, 
> don't need to care?
>
> As for the --stdin thing for generate-password, I must admit I'm 
> sympathetic to the "don't do that" argument in the links you posted. 
> If stream hacks are required only to test the generator then it's 
> probably no biggie, but making recommendations to end-users that go 
> against the grain of established unix security best practices gives me 
> pause.
>
> A.


Mime
View raw message