I vote -1 for enabling plain text authentication allowing auth directly against hashes. I'm not clear if this functionality exists in ACS4.0, I would assume not.

The API breakage reported was in createUser, where the ability to pass in a hash has value. Think migration scenarios where only the hash is known.

createUser, createAccount and createDomain have, in v41, been enhanced with parameters to allow specifying the UUID directly to accommodate external provisioning (or migration from older systems). The ability to pass in existing hashes has value in these scenarios. There is also value in being able to pass in a plain text password and have it encrypted, depending on how the external account provisioning is done. Seems a new parameter is needed in createUser to allow both while retaining backwards compat. Perhaps a parameter specifying the type of hash, or that the password is plain text that needs to be encrypted. If this parameter is not present, the assumption should be that the password is an MD5 hash, the old behavior.

/Ove

On 05/16/2013 03:23 PM, Kishan Kavala wrote:


-----Original Message-----
From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
Sent: Thursday, 16 May 2013 6:25 PM
To: dev@cloudstack.apache.org
Subject: Re: Review Request: Added PlainTextAuthenticator

On 05/16/2013 02:16 PM, Kishan Kavala wrote:
Ove,
    Plain text authenticator will allow logging in using the hash value. Or else,
clients sending MD5 hash will fail to login. This is primarily for backward
compatibility.
To avoid logging in using the hash value itself, plain text authenticator can be
removed from auth adapter list, provided the client sends plain text instead
of hash.

I'm not seeing the plain-text authenticator in ACS4.0 list of authenticators
(components.xml). MD5 and LDAP are listed. Help me out, where in ACS4.0 is
the code to allow login using the password hash itself?

/Ove


I checked 4.0 code.  plain-text authenticator is not in components.xml but it 
is part of the code.

plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java

It does MD5 hash compare instead of plain text (don't know why), so it may not
serve your purpose even after adding it to components.xml



~kishan

-----Original Message-----
From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
Sent: Thursday, 16 May 2013 5:33 PM
To: dev@cloudstack.apache.org; Kishan Kavala
Subject: Re: Review Request: Added PlainTextAuthenticator

Hi Kishan!

Did you verify that adding the plain text authenticator will not
allow login using the hash value itself?


from AccountManagerImpl.java;
    ... getUserAccount ...
    ...
    boolean authenticated = false;
    for (UserAuthenticator authenticator : _userAuthenticators) {
        if (authenticator.authenticate(username, password, domainId, requestParameters)) {
            authenticated = true;
            break;
        }
    }
    ...

/Ove

On 05/16/2013 12:39 PM, Kishan Kavala wrote:

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11194/
-----------------------------------------------------------

Review request for cloudstack and Chip Childers.


Summary (updated)
-----------------

Added PlainTextAuthenticator


Description (updated)
-------

Added PlainTextAuthenticator for backward compatibility. Removed MD5
auth from PlainTextAuthenticator. It just does plain text compare.


This addresses bug CLOUDSTACK-2516.


Diffs (updated)
-----

     client/tomcatconf/applicationContext.xml.in 849c0bc
     client/tomcatconf/componentContext.xml.in ecd4a11
     plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3

Diff: https://reviews.apache.org/r/11194/diff/


Testing (updated)
-------

Tested login with password sent as both MD5 hash and plaintext


Thanks,

Kishan Kavala




--
Ove Everlid
System Administrator / Architect / SDN & Linux hacker
Mobile: +46706662363
Office: +4618656913 (note EMEA Time Zone)


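Added illustration, not CloudStack code and not written by anyone in this thread: a small Python model of the authenticator loop Ove quotes from AccountManagerImpl.java, with an MD5 adapter and a plain-text adapter of the kind the review request describes (plain compare, no hashing). The user store, the adapter classes and the chain function are assumptions made for the example; the stored value is the MD5 hex digest of the password, which is what the thread describes. It shows the point under discussion: once a plain-compare adapter sits in the chain next to the MD5 adapter, the stored hash itself is accepted as a password, because the loop only needs one adapter to say yes.

```python
import hashlib
import hmac

# Constructed sample user store for this example: username -> MD5 hex digest
# of the password (the thread says stored credentials are MD5 hashes).
USERS = {
    "admin": hashlib.md5(b"password").hexdigest(),
}


class MD5UserAuthenticator:
    """Assumed model of the MD5 adapter: hash what the client sent, compare
    with the stored digest. A client that already sends the digest fails here,
    because md5(digest) != digest."""

    def authenticate(self, username, password, users=USERS):
        stored = users.get(username)
        if stored is None:
            return False
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        # Constant-time comparison; the compared values are bytes of equal
        # encoding so compare_digest does not raise on non-ASCII input.
        return hmac.compare_digest(digest.encode("ascii"), stored.encode("ascii"))


class PlainTextUserAuthenticator:
    """Assumed model of the reviewed change: compare the submitted value
    directly with whatever is stored. If the store holds MD5 digests, this
    adapter accepts the digest itself as the password."""

    def authenticate(self, username, password, users=USERS):
        stored = users.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))


def authenticate(authenticators, username, password):
    """Mirrors the loop quoted from AccountManagerImpl: walk the adapter list,
    the first adapter that accepts wins, order does not matter for the outcome."""
    for authenticator in authenticators:
        if authenticator.authenticate(username, password):
            return True
    return False


# Two chains: the 4.0-style list with only MD5, and the list with the
# plain-compare adapter added alongside it.
MD5_ONLY = [MD5UserAuthenticator()]
MD5_AND_PLAIN = [MD5UserAuthenticator(), PlainTextUserAuthenticator()]


def demo():
    """Returns which logins each chain accepts for the constructed user."""
    stored_hash = USERS["admin"]
    return {
        "md5_only/plain_password": authenticate(MD5_ONLY, "admin", "password"),
        "md5_only/stored_hash": authenticate(MD5_ONLY, "admin", stored_hash),
        "md5_and_plain/plain_password": authenticate(MD5_AND_PLAIN, "admin", "password"),
        "md5_and_plain/stored_hash": authenticate(MD5_AND_PLAIN, "admin", stored_hash),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

With only the MD5 adapter, the plain password is accepted and the stored hash is rejected; with the plain-compare adapter added, both are accepted. The chain cannot tell a hash from a password, so the only way to avoid hash-as-password login with this design is to keep the plain-compare adapter out of the list and have clients send the plain password, which is what Kishan's reply says.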