Return-Path: X-Original-To: apmail-brooklyn-dev-archive@minotaur.apache.org Delivered-To: apmail-brooklyn-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 65DCD11377 for ; Fri, 8 Aug 2014 14:02:34 +0000 (UTC) Received: (qmail 88988 invoked by uid 500); 8 Aug 2014 14:02:34 -0000 Delivered-To: apmail-brooklyn-dev-archive@brooklyn.apache.org Received: (qmail 88954 invoked by uid 500); 8 Aug 2014 14:02:34 -0000 Mailing-List: contact dev-help@brooklyn.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@brooklyn.incubator.apache.org Delivered-To: mailing list dev@brooklyn.incubator.apache.org Received: (qmail 88942 invoked by uid 99); 8 Aug 2014 14:02:34 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Aug 2014 14:02:34 +0000 X-ASF-Spam-Status: No, hits=-2000.7 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Fri, 08 Aug 2014 14:02:32 +0000 Received: (qmail 88674 invoked by uid 99); 8 Aug 2014 14:02:12 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Aug 2014 14:02:12 +0000 Date: Fri, 8 Aug 2014 14:02:12 +0000 (UTC) From: "ASF GitHub Bot (JIRA)" To: dev@brooklyn.incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (BROOKLYN-15) web-console authentication: store hashed passwords in brooklyn.properties MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/BROOKLYN-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090779#comment-14090779 ] ASF GitHub Bot commented on BROOKLYN-15: ---------------------------------------- Github user sjcorbett commented on a diff in the pull request: https://github.com/apache/incubator-brooklyn/pull/112#discussion_r15993884 --- Diff: docs/use/guide/management/index.md --- @@ -175,11 +175,33 @@ This configuration could look like: {% highlight properties %} brooklyn.webconsole.security.users=admin -brooklyn.webconsole.security.user.admin.password=password +brooklyn.webconsole.security.user.admin.salt=OHDf +brooklyn.webconsole.security.user.admin.sha256=91e16f94509fa8e3dd21c43d69cadfd7da6e7384051b18f168390fe378bb36f9 {% endhighlight %} The `users` line should contain a comma-separated list. The special value `*` is accepted to permit all users. +To generate this, the brooklyn CLI can be used: +{% highlight bash %} +brooklyn generate-password --user admin + +Enter password: +Re-enter password: + +Please enter the following into your brooklyn.properies: --- End diff -- Message doesn't match real output. > web-console authentication: store hashed passwords in brooklyn.properties > ------------------------------------------------------------------------- > > Key: BROOKLYN-15 > URL: https://issues.apache.org/jira/browse/BROOKLYN-15 > Project: Brooklyn > Issue Type: New Feature > Reporter: Aled Sage > Assignee: Aled Sage > > The brooklyn web-console can do user authentication - this can point at an enterprise LDAP server, or can use the quick-and-easy username:password defined in the ~/.brooklyn/brooklyn.properties file. > However, the passwords in brooklyn.properties are currently stored in plain text. Instead, it should be hashed (using the username as a salt). > I suggest we use SHA 256 for now. One can generate the password from the (linux / OSX) command line with: > echo -n aled:mypassword | shasum -a 256 > In our code, we can then use guava's Hashing with something like: > Hashing.sha256().hashBytes(Charsets.US_ASCII.encode("aled:mypassword").array()) > (but note that UTF_8 is appending an extra `0` to the bytes, so gives a different sha256! Is using US_ASCII going to be a bad idea?!) > The brooklyn.properties file could have: > brooklyn.webconsole.security.users=aled > brooklyn.webconsole.security.user.admin.sha256=0dfecb1ab5426c781ec42e1c7cc98468975aed0dd28f9d9668237a9c7996862d > > Much longer term, we could consider using https://shiro.apache.org/ or equivalent (but that is out of scope for this feature request). -- This message was sent by Atlassian JIRA (v6.2#6252)