cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack
Date Thu, 21 Mar 2013 00:34:32 GMT
On Wed, Mar 20, 2013 at 11:26:50AM -0700, Vijayendra Bhamidipati wrote:
> Hi Chip, Prasanna,
> 
> Yes, the change is pretty straightforward, the reasoning is to make default password
> encoding more secure because the SHA256salted authenticator recently added by Hugo salts the
> passwords while the existing MD5 authenticator doesn't, and is the default. This change gives
> the CS admin the flexibility to choose the ordering of the encoders/authenticators. No new
> authenticator/encoder classes needed to be added, the existing ones are simply used better.
> 
> Upgrade scenarios were considered and these changes will have no effect on upgrades.
> Only new users and updated users will have their passwords encoded by the first valid encoder
> in the UserPasswordEncoder list. Existing users will still get authenticated as before since
> authentication passes through all the authenticators available in the UserAuthenticator list
> until one of them succeeds or all fail.
> 
> Regards,
> Vijay

Does everyone believe that this is a valid change for 4.1?  Or should we
wait for 4.2 or 4.1.1?

> 
> 
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com] 
> Sent: Wednesday, March 20, 2013 11:17 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Vijayendra Bhamidipati
> Subject: Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack
> 
> On Wed, Mar 20, 2013 at 11:36:10PM +0530, prasanna wrote:
> > Is this a new feature or did I miss the discussion around this?
> 
> It seems to be a straightforward change, but what's the reasoning for this Venkata?
> 
> Are the upgrade scenarios considered here?
> 
> > 
> > On 20 March 2013 10:33, Venkata Siva Vijayendra Bhamidipati 
> > <vijayendra.bhamidipati@citrix.com> wrote:
> > >
> > > -----------------------------------------------------------
> > > This is an automatically generated e-mail. To reply, visit:
> > > https://reviews.apache.org/r/10039/
> > > -----------------------------------------------------------
> > >
> > > Review request for cloudstack and Kelven Yang.
> > >
> > >
> > > Description
> > > -------
> > >
> > > Changing default password encoding mechanism from MD5 to SHA256Salted.
> > >
> > >
> > > This addresses bug CS-1734.
> > >
> > >
> > > Diffs
> > > -----
> > >
> > >   api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java 89673ea
> > >   api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java fb29e1a
> > >   api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java 1f31662
> > >   client/tomcatconf/componentContext.xml.in 016df0a
> > >   client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
> > >   developer/developer-prefill.sql 6300d35
> > >   plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java 61eebe5
> > >   plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java 026125e
> > >   plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3
> > >   plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java 1b29f69
> > >   server/src/com/cloud/server/ManagementServerImpl.java b689f93
> > >   server/src/com/cloud/user/AccountManagerImpl.java b69f314
> > >
> > > Diff: https://reviews.apache.org/r/10039/diff/
> > >
> > >
> > > Testing
> > > -------
> > >
> > > Manual testing done for both oss and nonoss components. Both admin and users
> > > added later are encoded according to the scheme configured, and authenticated by the same
> > > scheme.
> > >
> > > To change the order of the schemes, modify the following list properties in
> > > client/tomcatconf/nonossComponentContext.xml.in or client/tomcatconf/componentContext.xml.in
> > > as applicable, to the desired order:
> > >
> > >     <property name="UserAuthenticators">
> > >         <list>
> > >             <ref bean="SHA256SaltedUserAuthenticator"/>
> > >             <ref bean="MD5UserAuthenticator"/>
> > >             <ref bean="LDAPUserAuthenticator"/>
> > >             <ref bean="PlainTextUserAuthenticator"/>
> > >         </list>
> > >     </property>
> > >
> > >     <property name="UserPasswordEncoders">
> > >         <list>
> > >             <ref bean="SHA256SaltedUserAuthenticator"/>
> > >             <ref bean="MD5UserAuthenticator"/>
> > >             <ref bean="LDAPUserAuthenticator"/>
> > >             <ref bean="PlainTextUserAuthenticator"/>
> > >         </list>
> > >     </property>
> > >
> > >
> > > Thanks,
> > >
> > > Venkata Siva Vijayendra Bhamidipati
> > >
> > 
> 
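
The upgrade behaviour described in the quoted message above (every authenticator in the list is tried until one succeeds, while new and updated passwords go through the first encoder) can be modelled as follows. This is an added example, not part of the original thread and not CloudStack's code; the class name, the `Scheme` interface, the in-memory `DB` map and the `salt:hash` record format are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
// Simplified model of an ordered authenticator/encoder chain. All names and the
// "salt:hash" record format are assumptions for this example, not CloudStack's.
public class AuthChainDemo {
    interface Scheme {
        String encode(String pw) throws Exception;
        boolean matches(String pw, String stored) throws Exception;
    }
    static String digest(String alg, String in) throws Exception {
        byte[] d = MessageDigest.getInstance(alg).digest(in.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }
    static boolean same(String a, String b) { return MessageDigest.isEqual(a.getBytes(), b.getBytes()); }
    static final Scheme MD5 = new Scheme() {  // unsalted: equal passwords give equal records
        public String encode(String pw) throws Exception { return digest("MD5", pw); }
        public boolean matches(String pw, String stored) throws Exception { return same(encode(pw), stored); }
    };
    static final Scheme SHA256_SALTED = new Scheme() {  // fresh random salt per record
        public String encode(String pw) throws Exception {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            String s = Base64.getEncoder().encodeToString(salt);
            return s + ":" + digest("SHA-256", s + pw);
        }
        public boolean matches(String pw, String stored) throws Exception {
            String[] p = stored.split(":");  // records in another format fall through the chain
            return p.length == 2 && same(digest("SHA-256", p[0] + pw), p[1]);
        }
    };
    static final List<Scheme> CHAIN = List.of(SHA256_SALTED, MD5);  // list order = preference
    static final Map<String, String> DB = new HashMap<>();
    static boolean authenticate(String user, String pw) throws Exception {
        String stored = DB.get(user);
        for (Scheme s : CHAIN) if (stored != null && s.matches(pw, stored)) return true;  // first success wins
        return false;  // unknown user, or every scheme failed
    }
    static void setPassword(String user, String pw) throws Exception {
        DB.put(user, CHAIN.get(0).encode(pw));  // new and updated passwords use the first encoder
    }
    public static void main(String[] args) throws Exception {
        DB.put("legacy", MD5.encode("old-secret"));  // constructed pre-change record
        System.out.println("legacy login: " + authenticate("legacy", "old-secret"));
        System.out.println("legacy record salted: " + DB.get("legacy").contains(":"));
        setPassword("legacy", "old-secret");  // a password update re-encodes the record
        System.out.println("updated record salted: " + DB.get("legacy").contains(":"));
    }
}
```

Run with `java AuthChainDemo.java` on JDK 11 or later. The constructed `legacy` record stays unsalted MD5, and keeps authenticating through the fallback, until `setPassword` is called for that user.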
