I also want to point out that this is simply the default behavior for a brand new CS install and as Chiradeep pointed out, it only applies to the session-based login that requires a username/password.

We should not be changing this behavior by default on an upgrade because some people may just use this as-is with zero modification. If there are CS admins that want to change this behavior, they would have had to do one or more of the following:

- Create their own custom Auth adapter
- Modification of components.xml to configure this
- Perhaps customizing the UI to pass in the password whether hashed or not.

For the people that have gone about this way, after a CS update, there should be no need to change anything other than perhaps the UI as their existing adapter and components XML should refer to their custom adapters.

Will

-----Original Message-----
From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
Sent: Monday, April 30, 2012 10:06 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: user credentials

Just wanted to point out this only affects the session-based logins via the GUI (although one can script this kind of API interaction as well). API-key-based authentication continues as before.

On 4/30/12 9:15 AM, "Abhinandan Prateek" <abhinandan.prat...@citrix.com> wrote:

>The deprecation of MD5 can be done in a graceful fashion with the
>following scheme:
>
>We add an Authenticator which can take plaintext password and add it
>after the MD5 authenticator. Anyone who is already using the MD5
>password in API will continue to function as they are now.
>Anyone upgrading is not affected.
>
>Any new integrator/cloudstack user can start using plaintext password
>in API without issues, as there is a plaintext authenticator in the chain.
>Again the use of SSL ensures channel security and keeps the password
>safe as is done by countless other websites taking plaintext passwords
>from the users.
>
>With plaintext passwords cloudstack can now seamlessly work with
>external authentication systems as well. With this we do not need a new
>parameter too, probably a warning in the logs saying that this is
>going to be deprecated soon.
>
>-Abhi
>
>-----Original Message-----
>From: Kevin Kluge [mailto:kevin.kl...@citrix.com]
>Sent: Monday, April 30, 2012 9:30 PM
>To: Will Chan; cloudstack-dev@incubator.apache.org
>Subject: RE: user credentials
>
>This means the client has to figure out whether to send MD5 hash or
>cleartext on a per-cloud basis. That seems unreasonable.
>
>Why don't we just send plain text passwords and expect the use of SSL?
>We'd have to add a new parameter and deprecate the current MD5 hash
>password.
>
>-kevin
>
>> -----Original Message-----
>> From: Will Chan
>> Sent: Saturday, April 28, 2012 4:39 PM
>> To: cloudstack-dev@incubator.apache.org; Kevin Kluge
>> Subject: RE: user credentials
>>
>> The service provider (or whoever is hosting CloudStack) needs to
>> make that decision. Using the default CS installation, we default to
>> the MD5UserAuthenticator which requires passwords passed to the login
>> command to be MD5 hashed. This got changed to plain-text in 3.0 and
>> must be reverted back to MD5 in 3.0.2 when the upgrade patch is
>> released or anyone upgrading could get affected.
>>
>> If the service/hosting provider wants to use a different hashing
>> algorithm -OR- none, he can create or configure CS to use that adapter.
>> However, they are responsible for informing their customer.
>>
>> Will
>>
>> ________________________________________
>> From: Abhinandan Prateek [abhinandan.prat...@citrix.com]
>> Sent: Saturday, April 28, 2012 3:28 PM
>> To: Kevin Kluge; cloudstack-dev@incubator.apache.org
>> Subject: RE: user credentials
>>
>> The use of plaintext passwords in API is required for only those
>> cloudstack users who wish to use an external authentication mechanism
>> and will be documented.
>> The support for the encoded password has to be kept as is due to
>> existing users of cloudstack.
>>
>>
>> -----Original Message-----
>> From: Kevin Kluge
>> Sent: Sunday, April 29, 2012 1:09 AM
>> To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
>> Subject: RE: user credentials
>>
>> How would an API client know to use cleartext or MD5 hash?
>>
>>
>> > -----Original Message-----
>> > From: Abhinandan Prateek
>> > Sent: Saturday, April 28, 2012 7:56 AM
>> > To: Kevin Kluge; cloudstack-dev@incubator.apache.org
>> > Subject: RE: user credentials
>> >
>> > In 2.2.* we were passing MD5 encoded password via UI. For Acton it
>> > changed to unencrypted password as that was the only way to have
>> > external systems to authenticate cloudstack users, for example
>> > external LDAP.
>> > This is being reverted back to MD5 encoded password in 3.0.2 as it
>> > was. It will be left to the admin to configure this encryption
>> > mechanism in case LDAP is in use.
>> >
>> > -Abhi
>> >
>> > -----Original Message-----
>> > From: Kevin Kluge
>> > Sent: Saturday, April 28, 2012 8:16 PM
>> > To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
>> > Subject: RE: user credentials
>> >
>> > Abhi, is this a backwards incompatible API change? Also, what does
>> > it mean for upgrade?
>> >
>> > I thought we always sent MD5 hashed passwords from UI to MS. Can
>> > you explain the change a bit more?
>> >
>> > -kevin
>> >
>> > > -----Original Message-----
>> > > From: Abhinandan Prateek
>> > > Sent: Saturday, April 28, 2012 12:14 AM
>> > > Subject: user credentials
>> > >
>> > > Team,
>> > > There has been a change in the way passwords are being passed
>> > > from the cloudstack UI. In case you have difficulty logging in with
>> > > the new 3.* build, clear your browser cache. If you are using API
>> > > to login then you need to provide
>> > > MD5 encrypted passwords to login instead of plaintext. In case
>> > > you still have issues drop me an email.
>> > > -Abhi
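The authenticator chain Abhi proposes (the existing MD5 adapter first, a plaintext adapter after it, and a deprecation warning in the logs when the MD5 path is taken), as an added Python model of the scheme rather than CloudStack's own code; it also shows why Kevin's per-cloud question goes away, since either form of the credential is accepted. The user store, its MD5-hex storage format, and every name other than MD5UserAuthenticator are assumptions.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("login-chain")


def md5_hex(text: str) -> str:
    """Hex MD5 digest: the form the 2.2-era UI sent to the login command."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed user store. Assumption: the server keeps the MD5 hex digest of
# each password, which is why a client-side digest could be compared directly.
USERS = {"admin": md5_hex("correct horse battery staple")}


class MD5UserAuthenticator:
    """Legacy adapter: the submitted value is already an MD5 digest."""
    name = "MD5"

    def authenticate(self, username: str, submitted: str) -> bool:
        stored = USERS.get(username)
        return stored is not None and hmac.compare_digest(
            submitted.lower().encode("utf-8"), stored.encode("utf-8"))


class PlainTextUserAuthenticator:
    """Proposed adapter (assumed name): hash the plaintext server-side, then compare."""
    name = "PLAINTEXT"

    def authenticate(self, username: str, submitted: str) -> bool:
        stored = USERS.get(username)
        return stored is not None and hmac.compare_digest(
            md5_hex(submitted).encode("utf-8"), stored.encode("utf-8"))


# Chain order from the proposal: MD5 first (existing clients), plaintext after it.
CHAIN = [MD5UserAuthenticator(), PlainTextUserAuthenticator()]


def login(username: str, submitted: str, chain=CHAIN):
    """Walk the chain; return the name of the adapter that accepted, else None.
    The client does not need to know which form this cloud expects: both work."""
    for adapter in chain:
        if adapter.authenticate(username, submitted):
            if adapter.name == "MD5":
                # MD5 keeps working after upgrade, but the log flags it as deprecated.
                log.warning("user %s logged in with a client-side MD5 digest; "
                            "this form is deprecated", username)
            return adapter.name
    return None
```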