cloudstack-dev mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: user credentials
Date Tue, 01 May 2012 04:35:19 GMT

On Apr 30, 2012, at 9:11 PM, Will Chan <will.chan@citrix.com> wrote:

> The parameter for password is simply just used to pass information from the client to
> CS. It's really up to the AuthenticatorAdapter to decide how it should use the parameter.
> Since by default, MD5 hashed password is being passed in, the default adapter is just doing
> a simple comparison against the DB. If suddenly the admin wishes to use the LDAPAuthenticator,
> he should require that the password be in plain-text (assuming that is what is used to
> compare against). We don't need two parameters for this. You can also imagine someone
> wanting SHA-256, etc. for their password encryption. The only way I can think of having two
> separate parameters is if there is a use-case for using multiple adapters, each requiring
> their own parameter, but I really doubt this would ever be used. It would mean two different
> auth DBs.
> 
> Will
> 
> ________________________________________
> 
So let me point out a practical example where this fails. Cumulus, the Android client to CloudStack,
uses the login command to get a token and then uses session-based auth. The endpoint could
be any CloudStack deployment, and the end user may not know whether or not the operator is
using native auth or an external service. They take in username and password from the user;
do they MD5 the password or not? How can they tell what they should be passing? (Same problem
with multiple parameters unless we accept all and only use one.) And there are plenty of possible
apps that would behave in this manner.

--David
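The interoperability problem David describes, as an added illustration that is not CloudStack code: two stand-in adapters (one comparing an MD5 digest as the default adapter does, one needing the plain password as an LDAP bind would) and a generic client that must pick one encoding without knowing which adapter the operator configured. The class names, user store and credentials are constructed for this example.

```python
import hashlib

# Constructed user stores. The MD5 store mirrors what the default adapter compares
# against: the digest itself is the credential, so a leaked row is directly reusable.
USERS_MD5 = {"alice": hashlib.md5(b"s3cret").hexdigest()}
USERS_PLAINTEXT = {"alice": "s3cret"}   # stand-in for a directory that binds with the raw password


class Md5Authenticator:
    """Hypothetical stand-in for the default adapter: expects the client to send md5(password)."""

    def authenticate(self, username, password_param):
        return USERS_MD5.get(username) == password_param


class PlaintextAuthenticator:
    """Hypothetical stand-in for an LDAP-style adapter: expects the raw password."""

    def authenticate(self, username, password_param):
        return USERS_PLAINTEXT.get(username) == password_param


def client_login(adapter, username, password, hash_client_side):
    """What a generic client (the Android app in the thread) does: it has to choose
    one encoding for the single password parameter before it knows the backend."""
    if hash_client_side:
        param = hashlib.md5(password.encode()).hexdigest()
    else:
        param = password
    return adapter.authenticate(username, param)


def login_matrix(username="alice", password="s3cret"):
    """Try both client encodings against both adapters.

    Only the matching pairs succeed; a client that guesses wrong for the
    deployment it talks to is locked out even with a correct password.
    """
    adapters = {"md5": Md5Authenticator(), "plaintext": PlaintextAuthenticator()}
    return {
        (name, hashed): client_login(adapter, username, password, hashed)
        for name, adapter in adapters.items()
        for hashed in (True, False)
    }


if __name__ == "__main__":
    for (adapter, hashed), ok in login_matrix().items():
        print(f"adapter={adapter:9} client_hashes={hashed!s:5} -> {'ok' if ok else 'rejected'}")
```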