I think Abhi's proposal would avoid all this, yes? I am not sure if I like having a single parameter that can be either MD5 (as in 2.2.x), either MD5 or plaintext (as in 3.0.x), or plaintext (as in some future release when MD5 has been deprecated). The alternative is to just introduce a new parameter (for cleartext password), and exactly one of that new param or the existing param must be specified.
> -----Original Message-----
> From: Will Chan [mailto:will.c...@citrix.com]
> Sent: Monday, April 30, 2012 11:21 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: user credntials
>
> I also want to point out that this is simply the default behavior for a brand new CS install and as Chiradeep pointed out, it only applies to the session-based login that requires a username/password.
>
> We should not be changing this behavior by default on an upgrade because some people may just use this as-is with zero modification. If there are CS admins that want to change this behavior, they would have had to do one or more of the following:
>
> - Create their own custom Auth adapter
> - Modification of components.xml to configure this
> - Perhaps customizing the UI to pass in the password whether hashed or not.
>
> For the people that have gone about this way, after a CS update, there should be no need to change anything other than perhaps the UI as their existing adapter and components XML should refer to their customer adapters.
>
> Will
>
> -----Original Message-----
> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> Sent: Monday, April 30, 2012 10:06 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: user credntials
>
> Just wanted to point out this only affects the session-based logins via the GUI (although one can script this kind of API interaction as well). API-key-based authentication continues as before.
>
> On 4/30/12 9:15 AM, "Abhinandan Prateek" <abhinandan.prat...@citrix.com> wrote:
>
> >The deprecation of MD5 can be done in a graceful fashion with the following scheme:
> >
> >We add a Authenticator which can take plaintext password and add it after the MD5 authenticator. Anyone who is already using the MD5 password in API will continue to function as they are now. Anyone upgrading is not affected.
> >
> >Any new integrator/cloudstack user can start using plaintext password in API without issues, as there is a plaintext authenticator in the chain. Again the use of SSL ensures channel security and keeps the password safe as is done by countless other websites taking plaintext passwords from the users.
> >
> >With plaintext passwords cloudstack can now seamlessly work with external authentication systems as well. With this we do not need a new parameter too, probably a warning in the logs saying that this is going to be deprecated soon.
> >
> >-Abhi
> >
> >-----Original Message-----
> >From: Kevin Kluge [mailto:kevin.kl...@citrix.com]
> >Sent: Monday, April 30, 2012 9:30 PM
> >To: Will Chan; cloudstack-dev@incubator.apache.org
> >Subject: RE: user credntials
> >
> >This means the client has to figure out whether to send MD5 hash or cleartext on a per-cloud basis. That seems unreasonable.
> >
> >Why don't we just send plain text passwords and expect the use of SSL? We'd have to add a new parameter and deprecate the current MD5 hash password.
> >
> >-kevin
> >
> >> -----Original Message-----
> >> From: Will Chan
> >> Sent: Saturday, April 28, 2012 4:39 PM
> >> To: cloudstack-dev@incubator.apache.org; Kevin Kluge
> >> Subject: RE: user credntials
> >>
> >> The service provider (or whomever is hosting CloudStack) needs to make that decision. Using the default CS installation, we default to the MD5UserAuthenticator which requires passwords passed to the login command to be MD5 hashed. This got changed to plain-text in 3.0 and must be reverted back to MD5 in 3.0.2 when the upgrade patch is released or anyone upgrading could get affected.
> >>
> >> If the service/hosting provider wants to use a different hashing algorithm - OR- none, he can create or configure CS to use that adapter. However, they are responsible for informing their customer.
> >>
> >> Will
> >>
> >> ________________________________________
> >> From: Abhinandan Prateek [abhinandan.prat...@citrix.com]
> >> Sent: Saturday, April 28, 2012 3:28 PM
> >> To: Kevin Kluge; cloudstack-dev@incubator.apache.org
> >> Subject: RE: user credntials
> >>
> >> The use of plaintext passwords in API is required for only those cloudstack users who wish to use an external authentication mechanism and will be documented.
> >> The support for the encoded password has to be kept as is due to existing users of cloudstack.
> >>
> >> -----Original Message-----
> >> From: Kevin Kluge
> >> Sent: Sunday, April 29, 2012 1:09 AM
> >> To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
> >> Subject: RE: user credntials
> >>
> >> How would an API client know to use cleartext or MD5 hash?
> >>
> >> > -----Original Message-----
> >> > From: Abhinandan Prateek
> >> > Sent: Saturday, April 28, 2012 7:56 AM
> >> > To: Kevin Kluge; cloudstack-dev@incubator.apache.org
> >> > Subject: RE: user credntials
> >> >
> >> > In 2.2.* we were passing MD5 encoded password via UI. For Acton it changed to unencrypted password as that was the only way to have external systems to authenticate cloudstack users for example external LDAP.
> >> > This is being reverted back to MD5 encoded password in 3.0.2 as it was. It will be left to the admin to configure this encryption mechanism in case LDAP is in use.
> >> >
> >> > -Abhi
> >> >
> >> > -----Original Message-----
> >> > From: Kevin Kluge
> >> > Sent: Saturday, April 28, 2012 8:16 PM
> >> > To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
> >> > Subject: RE: user credntials
> >> >
> >> > Abhi, is this a backwards incompatible API change? Also, what does it mean for upgrade?
> >> >
> >> > I thought we always sent MD5 hashed passwords from UI to MS. Can you explain the change a bit more?
> >> >
> >> > -kevin
> >> >
> >> > > -----Original Message-----
> >> > > From: Abhinandan Prateek
> >> > > Sent: Saturday, April 28, 2012 12:14 AM
> >> > > Subject: user credntials
> >> > >
> >> > > Team,
> >> > > There has been a change in the way passwords are being passed from the cloudstack UI. In case you have difficulty login with the new 3.* build, clear your browser cache. If you are using API to login then you need to provide MD5 encrypted passwords to login instead of plaintext. In case you still have issues drop me an email.
> >> > > -Abhi
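The two designs argued over in this thread, modelled side by side as an added example (not CloudStack code): Abhi's authenticator chain, where one `password` parameter is tried first by an MD5 authenticator and then by a plaintext one, with a deprecation warning logged when the MD5 form succeeds; and Kevin's alternative, where a separate cleartext parameter is introduced and exactly one of the two must be present. The user store, the parameter name `cleartextpassword` and the sample password are constructed for this example.

```python
import hashlib
import hmac
import logging
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("auth")

# Constructed sample user store: the server keeps the MD5 hex digest of each
# password, which is what the 2.2.x-style MD5 login compares against.
USERS: Dict[str, str] = {"admin": hashlib.md5(b"secret").hexdigest()}


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5_authenticator(username: str, credential: str) -> bool:
    """Model of an MD5 authenticator: the client already sent md5(password)."""
    stored = USERS.get(username)
    return (stored is not None and credential.isascii()
            and hmac.compare_digest(stored, credential.lower()))


def plaintext_authenticator(username: str, credential: str) -> bool:
    """Model of a plaintext authenticator: hash the cleartext server-side."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _md5_hex(credential))


# Abhi's scheme: one parameter, authenticators tried in order, so MD5 clients
# and cleartext clients both keep working and no new parameter is needed.
AUTH_CHAIN: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("md5", md5_authenticator),
    ("plaintext", plaintext_authenticator),
]


def login_chain(username: str, password: str) -> Optional[str]:
    for name, auth in AUTH_CHAIN:
        if auth(username, password):
            if name == "md5":  # the warning Abhi proposes for the deprecated form
                log.warning("MD5-hashed login for %s; this form is deprecated", username)
            return name
    return None


# Kevin's alternative: a separate cleartext parameter ('cleartextpassword' is
# a constructed name), and exactly one of the two parameters must be supplied.
def login_explicit(params: Dict[str, str]) -> Optional[str]:
    has_md5, has_clear = "password" in params, "cleartextpassword" in params
    if has_md5 == has_clear:
        raise ValueError("exactly one of 'password' or 'cleartextpassword' is required")
    if has_md5:
        return "md5" if md5_authenticator(params["username"], params["password"]) else None
    return "plaintext" if plaintext_authenticator(params["username"], params["cleartextpassword"]) else None
```

With the chain, a client never has to know which form a given cloud expects, which is the objection Kevin raises; with the explicit parameter, the server never has to guess what it was sent.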