Hi Chip, Prasanna,

Yes, the change is pretty straightforward. The reasoning is to make default password encoding more secure, because the SHA256salted authenticator recently added by Hugo salts the passwords, while the existing MD5 authenticator doesn't and is the default. This change gives the CS admin the flexibility to choose the ordering of the encoders/authenticators. No new authenticator/encoder classes needed to be added; the existing ones are simply used better.

Upgrade scenarios were considered, and these changes will have no effect on upgrades. Only new users and updated users will have their passwords encoded by the first valid encoder in the UserPasswordEncoder list. Existing users will still get authenticated as before, since authentication passes through all the authenticators available in the UserAuthenticator list until one of them succeeds or all fail.

Regards,
Vijay

-----Original Message-----
From: Chip Childers [mailto:chip.child...@sungard.com]
Sent: Wednesday, March 20, 2013 11:17 AM
To: cloudstack-dev@incubator.apache.org
Cc: Vijayendra Bhamidipati
Subject: Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack

On Wed, Mar 20, 2013 at 11:36:10PM +0530, prasanna wrote:
> Is this a new feature or did I miss the discussion around this? It seems to be a straightforward change, but what's the reasoning for this Venkata? Are the upgrade scenarios considered here?
>
> On 20 March 2013 10:33, Venkata Siva Vijayendra Bhamidipati
> <vijayendra.bhamidip...@citrix.com> wrote:
> >
> > -----------------------------------------------------------
> > This is an automatically generated e-mail. To reply, visit:
> > https://reviews.apache.org/r/10039/
> > -----------------------------------------------------------
> >
> > Review request for cloudstack and Kelven Yang.
> >
> >
> > Description
> > -------
> >
> > Changing default password encoding mechanism from MD5 to SHA256Salted.
> >
> >
> > This addresses bug CS-1734.
> >
> >
> > Diffs
> > -----
> >
> >   api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java 89673ea
> >   api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java fb29e1a
> >   api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java 1f31662
> >   client/tomcatconf/componentContext.xml.in 016df0a
> >   client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
> >   developer/developer-prefill.sql 6300d35
> >   plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java 61eebe5
> >   plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java 026125e
> >   plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3
> >   plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java 1b29f69
> >   server/src/com/cloud/server/ManagementServerImpl.java b689f93
> >   server/src/com/cloud/user/AccountManagerImpl.java b69f314
> >
> > Diff: https://reviews.apache.org/r/10039/diff/
> >
> >
> > Testing
> > -------
> >
> > Manual testing done for both oss and nonoss components. Both admin and
> > users added later are encoded according to the scheme configured, and
> > authenticated by the same scheme.
> >
> > To change the order of the schemes, modify the following list properties in
> > client/tomcatconf/nonossComponentContext.xml.in or
> > client/tomcatconf/componentContext.xml.in as applicable, to the desired
> > order:
> >
> >   <property name="UserAuthenticators">
> >     <list>
> >       <ref bean="SHA256SaltedUserAuthenticator"/>
> >       <ref bean="MD5UserAuthenticator"/>
> >       <ref bean="LDAPUserAuthenticator"/>
> >       <ref bean="PlainTextUserAuthenticator"/>
> >     </list>
> >   </property>
> >
> >   <property name="UserPasswordEncoders">
> >     <list>
> >       <ref bean="SHA256SaltedUserAuthenticator"/>
> >       <ref bean="MD5UserAuthenticator"/>
> >       <ref bean="LDAPUserAuthenticator"/>
> >       <ref bean="PlainTextUserAuthenticator"/>
> >     </list>
> >   </property>
> >
> >
> > Thanks,
> >
> > Venkata Siva Vijayendra Bhamidipati
> >
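The encoder/authenticator ordering Vijay describes above (first valid encoder encodes new and updated users; authenticators are tried in list order until one succeeds or all fail), as an added Python model that is not CloudStack's code. The record formats, the class names and the salt handling are assumptions made for the illustration; only the list ordering follows the XML in the review request.

```python
import hashlib
import hmac
import os
# Constructed Python model of the two Spring lists in the review request; not CloudStack code.
# The record formats below are assumptions, not CloudStack's actual storage format.

class SHA256SaltedUserAuthenticator:
    name = "SHA256Salted"
    def encode(self, password):
        salt = os.urandom(16).hex()  # fresh random salt per user
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return f"{salt}:{digest}"

    def authenticate(self, password, stored):
        if ":" not in stored:  # not our record format: let the next authenticator try
            return False
        salt, digest = stored.split(":", 1)
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)

class MD5UserAuthenticator:
    name = "MD5"  # unsalted; kept so users created before the switch can still log in
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()

    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password), stored)

# Ordering mirrors the XML in the review request: SHA256Salted first, MD5 second.
USER_PASSWORD_ENCODERS = [SHA256SaltedUserAuthenticator(), MD5UserAuthenticator()]
USER_AUTHENTICATORS = [SHA256SaltedUserAuthenticator(), MD5UserAuthenticator()]

def encode_password(encoders, password):
    """New or updated users: the first encoder able to produce a record wins."""
    for enc in encoders:
        record = enc.encode(password)
        if record is not None:
            return enc.name, record
    raise ValueError("no usable password encoder configured")

def authenticate(authenticators, password, stored):
    """Login: try each authenticator in order until one succeeds or all fail."""
    for auth in authenticators:
        if auth.authenticate(password, stored):
            return auth.name
    return None

# Record of a user created before the change: still an unsalted MD5 hash.
LEGACY_MD5_RECORD = MD5UserAuthenticator().encode("legacy-pass")
```

Running it shows the upgrade property from the thread: a pre-existing MD5 record still authenticates through the second entry in the list, while any newly encoded password comes out SHA256-salted.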