brooklyn-dev mailing list archives

From Richard Downer <rich...@apache.org>
Subject Re: Password hash changes
Date Thu, 25 Jun 2015 14:42:27 GMT
To chip in with my own opinion - Brooklyn is in beta, and I believe that
password hashes did not exist in our last GA release of 0.6.0. Therefore a
user going from 0.6.0 GA to 0.7.0 GA would not notice the issue. Only
someone who had been using the 0.7.0-M1/M2 or -SNAPSHOT builds would be
affected. Could we take no further action (other than the release notes,
since they're easy) and still be in compliance with our own code
deprecation policy?

Richard.


On Thu, 25 Jun 2015 at 15:39 Richard Downer <richard@apache.org> wrote:

> All, but in particular @alasdairhodge, @grkvlt and @ahgittin:
>
> PR #687 "Tweak PasswordHasher to avoid potentially misleading use of
> ByteBuffer.array()" has an unresolved discussion around this potential
> break in backwards compatibility.
>
> This question is blocking the release, so we should come up with an answer.
>
> The issue is a recent change in the password hashing algorithm. Password
> hashes from before and after the change are not compatible, so users with
> hashed passwords in their brooklyn.properties must regenerate them.
>
> The options are:
>
> 1 - document in the release notes that users must regenerate their
> password hashes.
> 2 - change the code to try both old and new variants of the algorithm.
> Warn the user they need to update.
> 3 - supply an upgrade tool (haven't checked if this is feasible)
>
> What are people's opinions?
>
> Richard.
>
>
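
Option 2 from the quoted message, sketched as an added example; this is not Brooklyn's code and not part of the original thread. The thread does not show either hashing algorithm, so salted SHA-256 and the exact role of ByteBuffer.array() in the old variant are assumptions, and all class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DualHashCheck {
    enum Result { OK, OK_LEGACY_REGENERATE, REJECTED }

    static String sha256Hex(byte[] input) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(input))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Assumed "new" variant: hash exactly the encoded bytes.
    static String hashNew(String salt, String password) {
        return sha256Hex((salt + password).getBytes(StandardCharsets.UTF_8));
    }

    // Assumed "old" variant: array() returns the whole backing array, which can
    // be longer than the encoded content, so padding bytes may be hashed too.
    static String hashLegacy(String salt, String password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(salt + password);
        return sha256Hex(buf.array());
    }

    // Try the new algorithm first, then fall back to the old one and warn.
    static Result verify(String salt, String password, String storedHex) {
        byte[] stored = storedHex.getBytes(StandardCharsets.US_ASCII);
        byte[] now = hashNew(salt, password).getBytes(StandardCharsets.US_ASCII);
        if (MessageDigest.isEqual(now, stored)) return Result.OK; // constant-time compare
        byte[] old = hashLegacy(salt, password).getBytes(StandardCharsets.US_ASCII);
        if (MessageDigest.isEqual(old, stored)) {
            System.err.println("WARN: stored password hash uses the old format; regenerate it");
            return Result.OK_LEGACY_REGENERATE;
        }
        return Result.REJECTED;
    }

    public static void main(String[] args) {
        String salt = "s4lt", password = "correct horse"; // constructed sample values
        System.out.println(verify(salt, password, hashNew(salt, password)));
        System.out.println(verify(salt, password, hashLegacy(salt, password)));
        System.out.println(verify(salt, "wrong guess", hashLegacy(salt, password)));
    }
}
```

A fallback like this keeps accepting hashes in the old format for as long as it ships, so it is normally paired with a removal date in the release notes.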
