brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-15) web-console authentication: store hashed passwords in brooklyn.properties
Date Fri, 08 Aug 2014 10:21:13 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090590#comment-14090590
] 

ASF GitHub Bot commented on BROOKLYN-15:
----------------------------------------

Github user sjcorbett commented on a diff in the pull request:

    https://github.com/apache/incubator-brooklyn/pull/112#discussion_r15986181
  
    --- Diff: usage/cli/src/main/java/brooklyn/cli/Main.java ---
    @@ -200,6 +203,57 @@ public Void call() throws Exception {
             }
         }
     
    +    @Command(name = "generate-password", description = "Generates a hashed web-console
password")
    +    public static class GeneratePasswordCommand extends BrooklynCommandCollectingArgs
{
    +
    +        @Option(name = { "--user" }, title = "username", required = true)
    +        public String user;
    +
    +        @Override
    +        public Void call() throws Exception {
    +            System.out.println(BANNER);
    +            System.out.println("Version:  " + BrooklynVersion.get());
    +            System.out.println("Website:  http://brooklyn.incubator.apache.org");
    +            System.out.println("Source:   https://github.com/apache/incubator-brooklyn");
    +            System.out.println();
    +            System.out.println("Copyright 2011-2014 The Apache Software Foundation.");
    +            System.out.println("Licensed under the Apache 2.0 License");
    +            System.out.println();
    +            
    +            Console console = System.console();
    +            if (console == null) {
    +                System.err.println("No console; cannot get password securely from standard
input; aborting");
    +            }
    +            System.out.print("Enter password: ");
    +            System.out.flush();
    +            char[] chars = console.readPassword();
    +            if (Strings.isBlank(new String(chars))) {
    +                System.err.println("Password must not be blank; aborting");
    +                return null;
    +            }
    +            
    +            System.out.print("Re-enter password: ");
    +            System.out.flush();
    +            char[] chars2 = console.readPassword();
    +            if (!Arrays.equals(chars, chars2)) {
    +                System.err.println("Passwords did not match; aborting");
    +                return null;
    +            }
    +
    +            String salt = Identifiers.makeRandomId(4);
    +            String sha256password = PasswordHasher.sha256(salt, new String(chars));
    +            
    +            System.out.println();
    +            System.out.println("Please enter the following into your brooklyn.properies:");
    --- End diff --
    
    Also, properties is misspelt.


> web-console authentication: store hashed passwords in brooklyn.properties
> -------------------------------------------------------------------------
>
>                 Key: BROOKLYN-15
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-15
>             Project: Brooklyn
>          Issue Type: New Feature
>            Reporter: Aled Sage
>            Assignee: Aled Sage
>
> The brooklyn web-console can do user authentication - this can point at an enterprise
LDAP server, or can use the quick-and-easy username:password defined in the ~/.brooklyn/brooklyn.properties
file.
> However, the passwords in brooklyn.properties are currently stored in plain text. Instead,
it should be hashed (using the username as a salt).
> I suggest we use SHA 256 for now. One can generate the password from the (linux / OSX)
command line with:
>     echo -n aled:mypassword | shasum -a 256
> In our code, we can then use guava's Hashing with something like:
>     Hashing.sha256().hashBytes(Charsets.US_ASCII.encode("aled:mypassword").array())
> (but note that UTF_8 is appending an extra `0` to the bytes, so gives a different sha256!
Is using US_ASCII going to be a bad idea?!)
> The brooklyn.properties file could have:
>     brooklyn.webconsole.security.users=aled
>     brooklyn.webconsole.security.user.admin.sha256=0dfecb1ab5426c781ec42e1c7cc98468975aed0dd28f9d9668237a9c7996862d
>     
> Much longer term, we could consider using https://shiro.apache.org/ or equivalent (but
that is out of scope for this feature request).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message