Return-Path: X-Original-To: apmail-brooklyn-dev-archive@minotaur.apache.org Delivered-To: apmail-brooklyn-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1934511E24 for ; Fri, 8 Aug 2014 10:55:38 +0000 (UTC) Received: (qmail 6938 invoked by uid 500); 8 Aug 2014 10:55:37 -0000 Delivered-To: apmail-brooklyn-dev-archive@brooklyn.apache.org Received: (qmail 6905 invoked by uid 500); 8 Aug 2014 10:55:37 -0000 Mailing-List: contact dev-help@brooklyn.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@brooklyn.incubator.apache.org Delivered-To: mailing list dev@brooklyn.incubator.apache.org Received: (qmail 6894 invoked by uid 99); 8 Aug 2014 10:55:37 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Aug 2014 10:55:37 +0000 X-ASF-Spam-Status: No, hits=-2000.7 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Fri, 08 Aug 2014 10:55:39 +0000 Received: (qmail 5148 invoked by uid 99); 8 Aug 2014 10:55:13 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Aug 2014 10:55:13 +0000 Date: Fri, 8 Aug 2014 10:55:12 +0000 (UTC) From: "ASF GitHub Bot (JIRA)" To: dev@brooklyn.incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (BROOKLYN-15) web-console authentication: store hashed passwords in brooklyn.properties MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/BROOKLYN-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090620#comment-14090620 ] ASF GitHub Bot commented on BROOKLYN-15: ---------------------------------------- Github user sjcorbett commented on the pull request: https://github.com/apache/incubator-brooklyn/pull/112#issuecomment-51587601 Perhaps it's worth getting everyone else's opinions on a `--password` flag. @ahgittin, @grkvlt? > web-console authentication: store hashed passwords in brooklyn.properties > ------------------------------------------------------------------------- > > Key: BROOKLYN-15 > URL: https://issues.apache.org/jira/browse/BROOKLYN-15 > Project: Brooklyn > Issue Type: New Feature > Reporter: Aled Sage > Assignee: Aled Sage > > The brooklyn web-console can do user authentication - this can point at an enterprise LDAP server, or can use the quick-and-easy username:password defined in the ~/.brooklyn/brooklyn.properties file. > However, the passwords in brooklyn.properties are currently stored in plain text. Instead, it should be hashed (using the username as a salt). > I suggest we use SHA 256 for now. One can generate the password from the (linux / OSX) command line with: > echo -n aled:mypassword | shasum -a 256 > In our code, we can then use guava's Hashing with something like: > Hashing.sha256().hashBytes(Charsets.US_ASCII.encode("aled:mypassword").array()) > (but note that UTF_8 is appending an extra `0` to the bytes, so gives a different sha256! Is using US_ASCII going to be a bad idea?!) > The brooklyn.properties file could have: > brooklyn.webconsole.security.users=aled > brooklyn.webconsole.security.user.admin.sha256=0dfecb1ab5426c781ec42e1c7cc98468975aed0dd28f9d9668237a9c7996862d > > Much longer term, we could consider using https://shiro.apache.org/ or equivalent (but that is out of scope for this feature request). -- This message was sent by Atlassian JIRA (v6.2#6252)