Hi all,
We've just fixed "web-console authentication: store hashed passwords in
brooklyn.properties" [1,2].
Instead of storing web-console passwords in plain text in
brooklyn.properties (!), you can now run a command like:
    brooklyn generate-password --user admin
which will prompt for a password, and will generate output like:
    Please add the following to your brooklyn.properies:
    brooklyn.webconsole.security.users=admin
    brooklyn.webconsole.security.user.admin.salt=OHDf
    brooklyn.webconsole.security.user.admin.sha256=91e16f94509fa8e3dd21c43d69cadfd7da6e7384051b18f168390fe378bb36f9
We strongly recommend that folk do this, and remove the plain text
passwords from brooklyn.properties.
---
We also strongly recommend ensuring brooklyn.properties has permissions
600 (i.e. read-write only by user).
Next up is adding a check that brooklyn.properties has these
permissions. If it doesn't, brooklyn will fail to start.
Any comments on that?
---
Lastly and controversially, I've included support for `brooklyn
generate-password --user admin --stdin`.
Without the `--stdin`, it will fail if there is no console. This is the
same behaviour as unix `passwd`.
There is a brilliant discussion at [3,4]. I love the quote "we get
hordes of users asking how they can circumvent 35 years of Unix
security". The `--stdin` is one approach for doing that.
It's also been suggested that we could add support for `--password` to
supply the password at the command line. I'm against that because it
would show up in `ps`, visible to all other users on the machine.
Aled
[1] https://issues.apache.org/jira/browse/BROOKLYN-15
[2] https://github.com/apache/incubator-brooklyn/pull/112
[3] http://stackoverflow.com/a/715681/1393883
[4] http://mywiki.wooledge.org/BashFAQ/078
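
An added example, not part of the original message or of Brooklyn's code: a pre-flight audit an operator could run against brooklyn.properties, combining the 600 permission check proposed above with a check that every listed web-console user has the salt and sha256 entries. The simplified key=value parser, the function names, and the treatment of any other per-user key (such as a `.password` suffix) as a plain-text leftover are assumptions; the sample files are constructed.

```python
import stat
import tempfile
from pathlib import Path

PREFIX = "brooklyn.webconsole.security."

def parse_properties(text):
    """Parse simple key=value lines (no continuation lines or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(path):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode != 0o600:
        findings.append("mode is %03o, expected 600" % mode)
    props = parse_properties(Path(path).read_text(encoding="utf-8"))
    users = [u.strip() for u in props.get(PREFIX + "users", "").split(",") if u.strip()]
    for user in users:
        base = PREFIX + "user." + user + "."
        for suffix in ("salt", "sha256"):
            if not props.get(base + suffix):
                findings.append("%s: missing %s" % (user, suffix))
        # Assumption: any other per-user key is a plain-text password leftover.
        for key in props:
            if key.startswith(base) and key[len(base):] not in ("salt", "sha256"):
                findings.append("%s: unexpected key %s" % (user, key))
    return findings

def demo():
    """Audit two constructed files: hashed with mode 600, plain text with mode 644."""
    good = "{0}users=admin\n{0}user.admin.salt=abcd\n{0}user.admin.sha256={1}\n".format(PREFIX, "0" * 64)
    bad = "{0}users=admin\n{0}user.admin.password=example\n".format(PREFIX)
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "brooklyn.properties"
        for text, mode in ((good, 0o600), (bad, 0o644)):
            path.write_text(text, encoding="utf-8")
            path.chmod(mode)
            results.append(audit(path))
    return results

if __name__ == "__main__":
    print(demo())
```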