brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aled Sage (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-15) web-console authentication: store hashed passwords in brooklyn.properties
Date Thu, 07 Aug 2014 13:36:11 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089211#comment-14089211
] 

Aled Sage commented on BROOKLYN-15:
-----------------------------------

To summarise conversation on dev@brooklyn.incubator.apache.org

Best practice is always to have brooklyn.properties as permissions 600.

Therefore no-one can read this to find the username to create a rainbow table.
The salt needs to be stored somewhere - e.g. as the first two characters of the user's password
in the /etc/shadow when using a shadow passwords file.
Therefore the salt of "aled:" is a reasonable salt, but could certainly be improved.

---
Given the problems of choosing the best character encoding, we probably want a Brooklyn utility
to generate the passwords so that we *always* use the same character encoding.

We could support:
    brooklyn generate-password aled

Which could then output the text one would paste into the brooklyn.properties.
    brooklyn.webconsole.security.users=aled
    brooklyn.webconsole.security.user.aled.salt=FWd
    brooklyn.webconsole.security.user.aled.sha256=0dfecb1...

The `brooklyn generate-password` could also complain if the permissions on brooklyn.properties
were not 600.

---
Note the addition of the `.salt=...`, which means we can generate a random salt.

---
If moving to apache shiro, we could see whether this file format is consistent enough with
that approach.
And if it's not, then we'd deprecate these brooklyn.properties options and delete them after
two releases.

> web-console authentication: store hashed passwords in brooklyn.properties
> -------------------------------------------------------------------------
>
>                 Key: BROOKLYN-15
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-15
>             Project: Brooklyn
>          Issue Type: New Feature
>            Reporter: Aled Sage
>
> The brooklyn web-console can do user authentication - this can point at an enterprise
LDAP server, or can use the quick-and-easy username:password defined in the ~/.brooklyn/brooklyn.properties
file.
> However, the passwords in brooklyn.properties are currently stored in plain text. Instead,
it should be hashed (using the username as a salt).
> I suggest we use SHA 256 for now. One can generate the password from the (linux / OSX)
command line with:
>     echo -n aled:mypassword | shasum -a 256
> In our code, we can then use guava's Hashing with something like:
>     Hashing.sha256().hashBytes(Charsets.US_ASCII.encode("aled:mypassword").array())
> (but note that UTF_8 is appending an extra `0` to the bytes, so gives a different sha256!
Is using US_ASCII going to be a bad idea?!)
> The brooklyn.properties file could have:
>     brooklyn.webconsole.security.users=aled
>     brooklyn.webconsole.security.user.admin.sha256=0dfecb1ab5426c781ec42e1c7cc98468975aed0dd28f9d9668237a9c7996862d
>     
> Much longer term, we could consider using https://shiro.apache.org/ or equivalent (but
that is out of scope for this feature request).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message