On Wed, Mar 20, 2013 at 11:26:50AM -0700, Vijayendra Bhamidipati wrote:
> Hi Chip, Prasanna,
>
> Yes, the change is pretty straightforward, the reasoning is to make default
> password encoding more secure because the SHA256salted authenticator recently
> added by Hugo salts the passwords while the existing MD5 authenticator
> doesn't, and is the default. This change gives the CS admin the flexibility
> to choose the ordering of the encoders/authenticators. No new
> authenticator/encoder classes needed to be added, the existing ones are
> simply used better.
>
> Upgrade scenarios were considered and these changes will have no effect on
> upgrades. Only new users and updated users will have their passwords encoded
> by the first valid encoder in the UserPasswordEncoder list. Existing users
> will still get authenticated as before since authentication passes through
> all the authenticators available in the UserAuthenticator list until one of
> them succeeds or all fail.
>
> Regards,
> Vijay

Does everyone believe that this is a valid change for 4.1? Or should we wait for 4.2 or 4.1.1?

>
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.child...@sungard.com]
> Sent: Wednesday, March 20, 2013 11:17 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Vijayendra Bhamidipati
> Subject: Re: Review Request: Make SHA256Salt the default password encoding
> and authentication mechanism for cloudstack
>
> On Wed, Mar 20, 2013 at 11:36:10PM +0530, prasanna wrote:
> > Is this a new feature or did I miss the discussion around this?
> > It seems to be a straightforward change, but what's the reasoning for this
> > Venkata?
> > Are the upgrade scenarios considered here?
> >
> >
> > On 20 March 2013 10:33, Venkata Siva Vijayendra Bhamidipati
> > <vijayendra.bhamidip...@citrix.com> wrote:
> > >
> > > -----------------------------------------------------------
> > > This is an automatically generated e-mail. To reply, visit:
> > > https://reviews.apache.org/r/10039/
> > > -----------------------------------------------------------
> > >
> > > Review request for cloudstack and Kelven Yang.
> > >
> > >
> > > Description
> > > -------
> > >
> > > Changing default password encoding mechanism from MD5 to SHA256Salted.
> > >
> > >
> > > This addresses bug CS-1734.
> > >
> > >
> > > Diffs
> > > -----
> > >
> > >
> > > api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java
> > > 89673ea
> > > api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java
> > > fb29e1a
> > > api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java
> > > 1f31662
> > > client/tomcatconf/componentContext.xml.in 016df0a
> > > client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
> > > developer/developer-prefill.sql 6300d35
> > >
> > > plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java
> > > 61eebe5
> > >
> > > plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java
> > > 026125e
> > >
> > > plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java
> > > 52e7cb3
> > >
> > > plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java
> > > 1b29f69
> > > server/src/com/cloud/server/ManagementServerImpl.java b689f93
> > > server/src/com/cloud/user/AccountManagerImpl.java b69f314
> > >
> > > Diff: https://reviews.apache.org/r/10039/diff/
> > >
> > >
> > > Testing
> > > -------
> > >
> > > Manual testing done for both oss and nonoss components. Both admin and
> > > users added later are encoded according to the scheme configured, and
> > > authenticated by the same scheme.
> > >
> > > To change the order of the schemes, modify the following list properties
> > > in client/tomcatconf/nonossComponentContext.xml.in or
> > > client/tomcatconf/componentContext.xml.in as applicable, to the desired
> > > order:
> > >
> > > <property name="UserAuthenticators">
> > >   <list>
> > >     <ref bean="SHA256SaltedUserAuthenticator"/>
> > >     <ref bean="MD5UserAuthenticator"/>
> > >     <ref bean="LDAPUserAuthenticator"/>
> > >     <ref bean="PlainTextUserAuthenticator"/>
> > >   </list>
> > > </property>
> > >
> > > <property name="UserPasswordEncoders">
> > >   <list>
> > >     <ref bean="SHA256SaltedUserAuthenticator"/>
> > >     <ref bean="MD5UserAuthenticator"/>
> > >     <ref bean="LDAPUserAuthenticator"/>
> > >     <ref bean="PlainTextUserAuthenticator"/>
> > >   </list>
> > > </property>
> > >
> > >
> > > Thanks,
> > >
> > > Venkata Siva Vijayendra Bhamidipati
> > >
> > >
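
Added example, not part of the thread and not CloudStack's code: a small Python model of the behaviour described in this thread, where new and updated passwords go through the first encoder in the list while login tries every authenticator in order. The class names, the `salt:digest` storage layout and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class MD5Authenticator:
    """Unsalted MD5 hex digest: equal passwords give equal stored values."""
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()
    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password), stored)

class SHA256SaltedAuthenticator:
    """Random per-user salt; the 'salt:digest' layout is an assumption."""
    def encode(self, password, salt=None):
        salt = salt or os.urandom(16).hex()
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return salt + ":" + digest
    def authenticate(self, password, stored):
        salt, sep, _ = stored.partition(":")
        return bool(sep) and hmac.compare_digest(self.encode(password, salt), stored)

class AccountStore:
    """Hypothetical stand-in for the account manager and its two ordered lists."""
    def __init__(self, authenticators, encoders):
        self.authenticators, self.encoders = authenticators, encoders
        self.users = {}  # username -> stored credential
    def set_password(self, user, password):
        # New and updated users are encoded by the first encoder in the list.
        self.users[user] = self.encoders[0].encode(password)
    def login(self, user, password):
        stored = self.users.get(user)
        # Authentication walks the whole list until one authenticator accepts.
        return stored is not None and any(
            a.authenticate(password, stored) for a in self.authenticators)

def demo():
    order = [SHA256SaltedAuthenticator(), MD5Authenticator()]
    store = AccountStore(authenticators=order, encoders=order)
    # Constructed pre-upgrade row: an unsalted MD5 credential.
    store.users["legacy"] = MD5Authenticator().encode("s3cret")
    store.set_password("alice", "s3cret")
    store.set_password("bob", "s3cret")
    return store

if __name__ == "__main__":
    s = demo()
    print(s.login("legacy", "s3cret"), s.users["alice"] != s.users["bob"])
```

In this model the pre-upgrade account keeps its unsalted MD5 value until its password is next set, so the reordering protects only credentials written after the change.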