bzp2010 commented on a change in pull request #2010: URL: https://github.com/apache/apisix-dashboard/pull/2010#discussion_r680668446
########## File path: api/test/docker/manager-api-conf.yaml ##########
@@ -36,7 +36,9 @@ authentication: # if it's default value, when `manager api` start, it will generate a random string to replace it. expire_time: 3600 # jwt token expire time, in second users: # yamllint enable rule:comments-indentation - - username: admin # username and password for login `manager api` - password: admin - - username: user - password: user + - type: local + username: admin # username and password for login `manager api` + password: $2a$10$NjjlIhuj4O6foZhWw96H0uXZQl0na8qg.BSbf/ASwurchFhUW0fzC

Review comment:

Hi, @starsz. Because the configuration files themselves are stored locally, rather than other centralized configuration management software such as etcd, these configuration files are scattered in the file systems of different machines, which are easy to leak and cause harm. Using a simple bcrypt hash algorithm with time cost to process the password can ensure that even if the configuration file is illegally obtained, the password text will not be leaked. If you think this part of the function is unnecessary, I can modify it back.
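
Review bot: the trailing comment on the `username: admin` line still reads "username and password for login `manager api`", but `password` now carries a bcrypt hash (`$2a$10$...`) rather than the login password, so the comment should say the field is a bcrypt hash, state what `type: local` selects, and note how a new value is generated. The hunk also drops the `user` / `user` account from this test config; any test that still logs in as `user` needs updating, or the entry should be kept in hashed form. Since this is a test fixture, recording which plaintext the committed hash corresponds to, in the test docs or a comment, keeps it usable by other contributors.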
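
A config check that follows from the comment above, as an added example that is not code from the pull request or from apisix-dashboard: it flags `password` values under `authentication.users` that are not bcrypt hashes or whose cost is too low. The `User` struct, `CheckPassword`, `Audit` and the `minCost` floor are hypothetical names and assumptions; the sample entries are constructed from the old and new forms shown in the patch.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// bcryptRe matches the modular crypt format: $2a$/$2b$/$2y$, a two-digit cost,
// then 22 salt and 31 hash characters from the bcrypt base64 alphabet.
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

const minCost = 10 // assumed policy floor; 10 is the cost of the hash in the patch

// User mirrors one entry under authentication.users (field names from the patch).
type User struct{ Type, Username, Password string }

// CheckPassword returns "" for an acceptable bcrypt hash, otherwise a finding.
func CheckPassword(pw string) string {
	m := bcryptRe.FindStringSubmatch(pw)
	if m == nil {
		return "not a bcrypt hash (plaintext or unknown format)"
	}
	cost, _ := strconv.Atoi(m[1]) // regexp guarantees two digits
	if cost < minCost || cost > 31 { // 31 is bcrypt's maximum cost
		return fmt.Sprintf("bcrypt cost %d outside allowed range %d..31", cost, minCost)
	}
	return ""
}

// Audit returns one finding per user whose password field fails CheckPassword.
func Audit(users []User) map[string]string {
	findings := map[string]string{}
	for _, u := range users {
		if f := CheckPassword(u.Password); f != "" {
			findings[u.Username] = f
		}
	}
	return findings
}

func main() {
	users := []User{ // constructed sample: new hashed entry, old plaintext entry
		{"local", "admin", "$2a$10$NjjlIhuj4O6foZhWw96H0uXZQl0na8qg.BSbf/ASwurchFhUW0fzC"},
		{"local", "user", "user"},
	}
	for name, f := range Audit(users) {
		fmt.Printf("%s: %s\n", name, f)
	}
}
```

The check only validates the stored format and cost; it does not verify any password against the hash.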