maytasm commented on a change in pull request #11590:
URL: https://github.com/apache/druid/pull/11590#discussion_r688294898
##########
File path: docs/development/extensions-core/druid-basic-security.md
##########
@@ -94,12 +94,19 @@ The remaining examples of authenticator configuration use
either `MyBasicMetadat
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer
that requests should be directed to|N/A|Yes|
##### Credential iterations and API performance
-The credential iterations setting affects API performance, including query
times. The default setting of 10000 is intentionally high to prevent attackers
from using brute force to guess passwords, but it adds latency.
-You can decrease the number of iterations to speed up API response times, but
it potentially exposes your system to dictionary attacks. Therefore, only
reduce the number of iterations if your environment fits one of the following
conditions:
+As noted above, `credentialIterations` determines the number of iterations
used to hash a password. A higher number increases security, but costs more in
terms of CPU utilization.
+
+This cost affects API performance, including query times. The default setting
of 10000 is intentionally high to prevent attackers from using brute force to
guess passwords.
+
+You can decrease the number of iterations to speed up API response times, but
it may expose your system to dictionary attacks. Therefore, only reduce the
number of iterations if your environment fits one of the following conditions:
- **All** passwords are long and random which make them as safe as a
randomly-generated token.
- You have secured network access to Druid so that no attacker can execute a
dictionary attack against it.
+
+It is important to note that changing the `credentialIterations` value only
affects the number of password hashing iterations of newly created users or
users who have updated their password via the
`/druid-ext/basic-security/authentication/db/basic/users/{userName}/credentials`
endpoint after you change the setting.
Review comment:
This is only true for `credentialsValidator.type=metadata`. If Druid
auth is using `credentialsValidator.type=ldap`, then Druid will automatically
use the new `credentialIterations` the next time user try to login (in addition
to when user update their password and when new user are created).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
