This is an automated email from the ASF dual-hosted git repository.
brile pushed a commit to branch 29.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/29.0.0 by this push:
new 38dfe9d1527 [backport] doc: druid-basic-sec doc update for caching (#15997)
38dfe9d1527 is described below
commit 38dfe9d1527bcb0f46cebf9402ccceee00061e86
Author: 317brian <[email protected]>
AuthorDate: Wed Feb 28 10:10:12 2024 -0800
[backport] doc: druid-basic-sec doc update for caching (#15997)
Co-authored-by: Kashif Faraz <[email protected]>
---
docs/development/extensions-core/druid-basic-security.md | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/docs/development/extensions-core/druid-basic-security.md
b/docs/development/extensions-core/druid-basic-security.md
index d156c5a6b99..45b7d463f6f 100644
--- a/docs/development/extensions-core/druid-basic-security.md
+++ b/docs/development/extensions-core/druid-basic-security.md
@@ -165,13 +165,7 @@ Authorizer that requests should be directed to.<br />
##### Credential iterations and API performance
-As noted above, `credentialIterations` determines the number of iterations
used to hash a password. A higher number increases security, but costs more in
terms of CPU utilization.
-
-This cost affects API performance, including query times. The default setting
of 10000 is intentionally high to prevent attackers from using brute force to
guess passwords.
-
-You can decrease the number of iterations to speed up API response times, but
it may expose your system to dictionary attacks. Therefore, only reduce the
number of iterations if your environment fits one of the following conditions:
-- **All** passwords are long and random which make them as safe as a
randomly-generated token.
-- You have secured network access to Druid so that no attacker can execute a
dictionary attack against it.
+As noted above, the value of `credentialIterations` determines the number of
iterations used to hash a password. A higher number of iterations increases
security. The default value of 10,000 is intentionally high to prevent
attackers from using brute force to guess passwords. We recommend that you
don't lower this value. Druid caches the hash of up to 1000 passwords used in
the last hour to ensure that having a large number of iterations does not
meaningfully impact query performance.
If Druid uses the default credentials validator (i.e.,
`credentialsValidator.type=metadata`), changing the `credentialIterations`
value affects the number of hashing iterations only for users created after the
change or for users who subsequently update their passwords via the
`/druid-ext/basic-security/authentication/db/basic/users/{userName}/credentials`
endpoint. If Druid uses the `ldap` validator, the change applies to any user
at next log in (as well as to new users or users who upd [...]
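Review bot: The replacement paragraph drops the old statement that hashing cost "affects API performance, including query times" and instead asserts the cache means iterations do "not meaningfully impact query performance", but the cache described here (up to 1000 passwords used in the last hour) only removes the cost on a hit. A request whose credentials are not in the cache, i.e. a first login, an entry evicted after the hour or beyond the 1000-entry limit, or any wrong password, still pays the full `credentialIterations` cost per request. Suggest keeping one sentence to that effect, e.g. "The first authentication with a given password after a cache miss still incurs the full hashing cost," and stating whether the 1000-entry size and one-hour window are fixed or configurable (naming the properties if they are), since an operator sizing a deployment with many distinct service accounts needs both numbers. It would also help to say whether failed validations are cached, because that determines whether repeated bad guesses can evict legitimate entries and push normal users back onto the slow path, which is the same performance concern the removed text was warning about.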
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]