> -----Original Message-----
> From: Chip Childers [mailto:chip.child...@sungard.com]
> Sent: Wednesday, March 20, 2013 5:56 PM
> To: cloudstack-...@incubator.apache.org
> Cc: Vijayendra Bhamidipati
> Subject: Re: Review Request: Make SHA256Salt the default password
> encoding and authentication mechanism for cloudstack
> 
> On Wed, Mar 20, 2013 at 08:42:17PM -0400, David Nalley wrote:
> > On Wed, Mar 20, 2013 at 8:34 PM, Chip Childers
> > <chip.child...@sungard.com> wrote:
> > > On Wed, Mar 20, 2013 at 11:26:50AM -0700, Vijayendra Bhamidipati wrote:
> > >> Hi Chip, Prasanna,
> > >>
> > >> Yes, the change is pretty straightforward, the reasoning is to make default password encoding more secure because the SHA256salted authenticator recently added by Hugo salts the passwords while the existing MD5 authenticator doesn't, and is the default. This change gives the CS admin the flexibility to choose the ordering of the encoders/authenticators. No new authenticator/encoder classes needed to be added, the existing ones are simply used better.
> > >>
> > >> Upgrade scenarios were considered and these changes will have no effect on upgrades. Only new users and updated users will have their passwords encoded by the first valid encoder in the UserPasswordEncoder list. Existing users will still get authenticated as before since authentication passes through all the authenticators available in the UserAuthenticator list until one of them succeeds or all fail.
> > >>
> > >> Regards,
> > >> Vijay
> > >
> > > Does everyone believe that this is a valid change for 4.1?  Or
> > > should we wait for 4.2 or 4.1.1?
> > >
> >
> > 4.2
> > Review request is for master
> > Let's try and minimize change to 4.1 if at all possible.
> >
> > --David
> >
> 
> The bug was marked for 4.1, which was the confusion.  I've changed the bug
> fix-version to 4.2.  This can be reviewed by Hugo or Kelvin as requested by
> Vijayendra.
[Animesh>] Yes, should be for 4.2, definitely not for 4.1.
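
The ordering behaviour described in the quoted review request, as an added sketch that is not CloudStack's code and not part of the thread: new and updated passwords are encoded by the first encoder in the list, while login tries every authenticator until one succeeds. The class names, the list names, the `salt_hex:digest_hex` storage layout and the `uses_legacy_hash` audit helper are assumptions made for illustration.

```python
import hashlib, hmac, os

class MD5Authenticator:
    """Legacy scheme: unsalted MD5 hex digest."""
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()
    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password), stored)

class SHA256SaltedAuthenticator:
    """Salted scheme; the 'salt_hex:digest_hex' layout is an assumption."""
    def encode(self, password, salt=None):
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.sha256(salt + password.encode()).hexdigest()
        return salt.hex() + ":" + digest
    def authenticate(self, password, stored):
        salt_hex, sep, _ = stored.partition(":")
        if not sep:
            return False  # no salt field: not this scheme (e.g. legacy MD5)
        try:
            salt = bytes.fromhex(salt_hex)
        except ValueError:
            return False
        return hmac.compare_digest(self.encode(password, salt), stored)

# Admin-chosen ordering: the salted scheme first, legacy MD5 as fallback.
ENCODERS = [SHA256SaltedAuthenticator(), MD5Authenticator()]
AUTHENTICATORS = [SHA256SaltedAuthenticator(), MD5Authenticator()]

def set_password(db, user, password):
    # New and updated users are encoded by the first encoder in the list.
    db[user] = ENCODERS[0].encode(password)

def login(db, user, password):
    # Every authenticator is tried until one succeeds or all fail.
    stored = db.get(user)
    return stored is not None and any(
        a.authenticate(password, stored) for a in AUTHENTICATORS)

def uses_legacy_hash(db, user):
    # Audit helper: rows without a salt field still hold an unsalted hash.
    return ":" not in db[user]
```

Existing rows keep their unsalted hash until the user's password is next updated, so a check like `uses_legacy_hash` shows which accounts have not yet moved to the salted scheme.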
