[
https://issues.apache.org/jira/browse/BROOKLYN-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090778#comment-14090778
]
ASF GitHub Bot commented on BROOKLYN-15:
----------------------------------------
Github user sjcorbett commented on a diff in the pull request:
https://github.com/apache/incubator-brooklyn/pull/112#discussion_r15993881
--- Diff: usage/cli/src/main/java/brooklyn/cli/Main.java ---
@@ -200,6 +205,76 @@ public Void call() throws Exception {
}
}
+ @Command(name = "generate-password", description = "Generates a hashed
web-console password")
+ public static class GeneratePasswordCommand extends
BrooklynCommandCollectingArgs {
+
+ @Option(name = { "--user" }, title = "username", required = true)
+ public String user;
+
+ @Option(name = { "--stdin" }, title = "read password from stdin,
instead of console",
+ description = "Before using stdin, read
http://stackoverflow.com/a/715681/1393883 for discussion of security!")
+ public boolean useStdin;
+
+ @Override
+ public Void call() throws Exception {
+ checkCanReadPassword();
+
+ System.out.print("Enter password: ");
+ System.out.flush();
+ String password = readPassword();
+ if (Strings.isBlank(password)) {
+ throw new UserFacingException("Password must not be blank;
aborting");
+ }
+
+ System.out.print("Re-enter password: ");
+ System.out.flush();
+ String password2 = readPassword();
+ if (!password.equals(password2)) {
+ throw new UserFacingException("Passwords did not match;
aborting");
+ }
+
+ String salt = Identifiers.makeRandomId(4);
+ String sha256password = PasswordHasher.sha256(salt, new
String(password));
+
+ System.out.println();
+ System.out.println("Please add the following to your
brooklyn.properies:");
--- End diff --
Typo: properies
> web-console authentication: store hashed passwords in brooklyn.properties
> -------------------------------------------------------------------------
>
> Key: BROOKLYN-15
> URL: https://issues.apache.org/jira/browse/BROOKLYN-15
> Project: Brooklyn
> Issue Type: New Feature
> Reporter: Aled Sage
> Assignee: Aled Sage
>
> The brooklyn web-console can do user authentication - this can point at an
> enterprise LDAP server, or can use the quick-and-easy username:password
> defined in the ~/.brooklyn/brooklyn.properties file.
> However, the passwords in brooklyn.properties are currently stored in plain
> text. Instead, it should be hashed (using the username as a salt).
> I suggest we use SHA 256 for now. One can generate the password from the
> (linux / OSX) command line with:
> echo -n aled:mypassword | shasum -a 256
> In our code, we can then use guava's Hashing with something like:
>
> Hashing.sha256().hashBytes(Charsets.US_ASCII.encode("aled:mypassword").array())
> (but note that UTF_8 is appending an extra `0` to the bytes, so gives a
> different sha256! Is using US_ASCII going to be a bad idea?!)
> The brooklyn.properties file could have:
> brooklyn.webconsole.security.users=aled
>
> brooklyn.webconsole.security.user.admin.sha256=0dfecb1ab5426c781ec42e1c7cc98468975aed0dd28f9d9668237a9c7996862d
>
> Much longer term, we could consider using https://shiro.apache.org/ or
> equivalent (but that is out of scope for this feature request).
--
This message was sent by Atlassian JIRA
(v6.2#6252)
