cloudstack-dev mailing list archives

From "Venkata Siva Vijayendra Bhamidipati" <vijayendra.bhamidip...@citrix.com>
Subject Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack
Date Mon, 01 Apr 2013 18:10:48 GMT


> On March 29, 2013, 5:22 p.m., Min Chen wrote:
> > api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java, line 66
> > <https://reviews.apache.org/r/10039/diff/1/?file=272336#file272336line66>
> >
> >     If password is default hashed to SHA256SALT, then it should not be clear text password. This description is contradictory to me.

Hi Min, this is the password that needs to be sent in by the client - it will need to be the
clear text password itself - even if plaintext authentication is being used and the password
passed in is itself a hash, technically it would still be a clear text password that matches
the password stored in the db. That is what is reflected in the description above. The SHA
encoding kicks in only on the server side. If the cleartext is to be protected, SSL via HTTPS
would serve that purpose.


> On March 29, 2013, 5:22 p.m., Min Chen wrote:
> > developer/developer-prefill.sql, line 39
> > <https://reviews.apache.org/r/10039/diff/1/?file=272341#file272341line39>
> >
> >     Should this password be encoded using SHA if that is the default way? The pre-filled one is still MD5.

If the admin user is created as enabled, the mgmt server will leave the password as is and
not change it. However, if created as disabled, the mgmt server code, when creating the admin
user, will replace the password for the admin user as hash("password") where the hash function
is the default function configured.


- Venkata Siva Vijayendra


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/10039/#review18519
-----------------------------------------------------------


On March 28, 2013, 8:26 p.m., Venkata Siva Vijayendra Bhamidipati wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/10039/
> -----------------------------------------------------------
> 
> (Updated March 28, 2013, 8:26 p.m.)
> 
> 
> Review request for cloudstack, Hugo Trippaers, Kelven Yang, and Min Chen.
> 
> 
> Description
> -------
> 
> Changing default password encoding mechanism from MD5 to SHA256Salted.
> 
> 
> This addresses bug CS-1734.
> 
> 
> Diffs
> -----
> 
>   api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java 89673ea
>   api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java fb29e1a
>   api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java 1f31662
>   client/tomcatconf/componentContext.xml.in 016df0a
>   client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
>   developer/developer-prefill.sql 6300d35
>   plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java 61eebe5
>   plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java 026125e
>   plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3
>   plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java 1b29f69
>   server/src/com/cloud/server/ManagementServerImpl.java b689f93
>   server/src/com/cloud/user/AccountManagerImpl.java b69f314
> 
> Diff: https://reviews.apache.org/r/10039/diff/
> 
> 
> Testing
> -------
> 
> Manual testing done for both oss and nonoss components. Both admin and users added later are encoded according to the scheme configured, and authenticated by the same scheme.
> 
> To change the order of the schemes, modify the following list properties in client/tomcatconf/nonossComponentContext.xml.in or client/tomcatconf/componentContext.xml.in as applicable, to the desired order:
> 
>     <property name="UserAuthenticators">
>         <list>
>             <ref bean="SHA256SaltedUserAuthenticator"/>
>             <ref bean="MD5UserAuthenticator"/>
>             <ref bean="LDAPUserAuthenticator"/>
>             <ref bean="PlainTextUserAuthenticator"/>
>         </list>
>     </property>
> 
>     <property name="UserPasswordEncoders">
>         <list>
>             <ref bean="SHA256SaltedUserAuthenticator"/>
>             <ref bean="MD5UserAuthenticator"/>
>             <ref bean="LDAPUserAuthenticator"/>
>             <ref bean="PlainTextUserAuthenticator"/>
>         </list>
>     </property>
> 
> 
> Thanks,
> 
> Venkata Siva Vijayendra Bhamidipati
> 
>
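
The ordered-scheme behaviour discussed in this thread, as an added example that is not part of the original message and is not CloudStack's code: a small Python model in which the first entry of the encoder list encodes new passwords and the authenticators are tried in list order, so a pre-filled MD5 row still authenticates and can be identified as legacy. The class names, the `salt:digest` hex storage layout and the first-encoder-is-default rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class SHA256Salted:
    name = "SHA256SALT"
    def encode(self, password):
        salt = secrets.token_hex(16)  # fresh random salt per password
        return salt + ":" + hashlib.sha256((salt + password).encode()).hexdigest()
    def authenticate(self, password, stored):
        salt, sep, digest = stored.partition(":")
        if not sep:
            return False  # not in the assumed salt:digest layout, let the next scheme try
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate.encode(), digest.encode())

class MD5:
    name = "MD5"
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()
    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password).encode(), stored.encode())

class Chain:
    """Hypothetical model of the two ordered lists in the component context."""
    def __init__(self, authenticators, encoders):
        self.authenticators, self.encoders = authenticators, encoders
    def encode(self, password):
        # Assumption: the first configured encoder is the default for new passwords.
        return self.encoders[0].encode(password)
    def authenticate(self, password, stored):
        # Try each scheme in configured order; report which one matched.
        for scheme in self.authenticators:
            if scheme.authenticate(password, stored):
                return scheme.name
        return None
    def is_legacy(self, scheme_name):
        # True when a login succeeded under a scheme other than the default encoder.
        return scheme_name is not None and scheme_name != self.encoders[0].name

if __name__ == "__main__":
    chain = Chain([SHA256Salted(), MD5()], [SHA256Salted(), MD5()])
    prefilled = MD5().encode("password")   # constructed sample: legacy pre-filled row
    created = chain.encode("password")     # constructed sample: newly created user
    for label, stored in (("prefilled", prefilled), ("created", created)):
        matched = chain.authenticate("password", stored)
        print(label, matched, "legacy" if chain.is_legacy(matched) else "default")
```
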

