On Thu, May 16, 2013 at 04:03:14PM +0200, Ove Ewerlid wrote:
> I vote -1 for enabling plain text authentication allowing auth
> directly against hashes. I'm not clear if this functionality exists
> in ACS4.0, I would assume not.
> 
> The API breakage reported was in createUser, where the ability to
> pass in a hash has value. Think migration scenarios where only the
> hash is known.
> 
> createUser, createAccount and createDomain have, in v41, been
> enhanced with parameters to allow specifying the UUID directly to
> accommodate for external provisioning (or migration from older
> systems). The ability to pass in existing hashes has value in these
> scenarios. There is also value in being able to pass in a plain text
> password and have it encrypted depending on how the external account
> provisioning is done. Seems a new parameter is needed in createUser
> to allow both while retaining backwards compat. Perhaps a parameter
> specifying the type of hash or if the password is plain text that
> needs to be encrypted. If this parameter is not present, the
> assumption should be that the password is an MD5 hash, the old
> behavior.

Great ideas for how to remain backward compatible, Ove.

Kishan - I think this is a strong case.  Compatibility is required to
keep the 4.* version number, and I think we've broken that compatibility
as of right now.  What do you think about Ove's ideas?

> 
> /Ove
> 
> On 05/16/2013 03:23 PM, Kishan Kavala wrote:
> >
> >
> >>-----Original Message-----
> >>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
> >>Sent: Thursday, 16 May 2013 6:25 PM
> >>To: dev@cloudstack.apache.org
> >>Subject: Re: Review Request: Added PlainTextAuthenticator
> >>
> >>On 05/16/2013 02:16 PM, Kishan Kavala wrote:
> >>>Ove,
> >>>    Plain text authenticator will allow logging in using the hash value. Or
> >>>else, clients sending MD5 hash will fail to login. This is primarily for backward
> >>>compatibility.
> >>>To avoid logging in using the hash value itself, plain text authenticator can be
> >>>removed from auth adapter list, provided the client sends plain text instead
> >>>of hash.
> >>
> >>I'm not seeing the plain-text authenticator in ACS4.0 list of authenticators
> >>(components.xml). MD5 and LDAP are listed. Help me out, where in ACS4.0 is
> >>the code to allow login using the password hash itself?
> >>
> >>/Ove
> >
> >
> >I checked 4.0 code.  plain-text authenticator is not in components.xml but 
> >it is part of the code.
> >
> >plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java
> >
> >It does MD5 hash compare instead of plain text (don't know why), so it may 
> >not serve u'r purpose even after adding it to components.xml
> >
> >>
> >>
> >>>~kishan
> >>>
> >>>>-----Original Message-----
> >>>>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
> >>>>Sent: Thursday, 16 May 2013 5:33 PM
> >>>>To: dev@cloudstack.apache.org; Kishan Kavala
> >>>>Subject: Re: Review Request: Added PlainTextAuthenticator
> >>>>
> >>>>Hi Kishan!
> >>>>
> >>>>Did you verify that adding the plain text authenticator will not
> >>>>allow login using the hash value itself?
> >>>>
> >>>>
> >>>>from AccountManagerImpl.java;
> >>>>    ... getUserAccount ...
> >>>>    ...
> >>>>    boolean authenticated = false;
> >>>>    for (UserAuthenticator authenticator : _userAuthenticators) {
> >>>>        if (authenticator.authenticate(username, password, domainId, requestParameters)) {
> >>>>            authenticated = true;
> >>>>            break;
> >>>>        }
> >>>>    }
> >>>>    ...
> >>>>
> >>>>/Ove
> >>>>
> >>>>On 05/16/2013 12:39 PM, Kishan Kavala wrote:
> >>>>>
> >>>>>-----------------------------------------------------------
> >>>>>This is an automatically generated e-mail. To reply, visit:
> >>>>>https://reviews.apache.org/r/11194/
> >>>>>-----------------------------------------------------------
> >>>>>
> >>>>>Review request for cloudstack and Chip Childers.
> >>>>>
> >>>>>
> >>>>>Summary (updated)
> >>>>>-----------------
> >>>>>
> >>>>>Added PlainTextAuthenticator
> >>>>>
> >>>>>
> >>>>>Description (updated)
> >>>>>-------
> >>>>>
> >>>>>Added PlainTextAuthenticator for backward compatibility. Removed MD5
> >>>>>auth from PlainTextAuthenticator. It just does plain text compare.
> >>>>>
> >>>>>
> >>>>>This addresses bug CLOUDSTACK-2516.
> >>>>>
> >>>>>
> >>>>>Diffs (updated)
> >>>>>-----
> >>>>>
> >>>>>     client/tomcatconf/applicationContext.xml.in 849c0bc
> >>>>>     client/tomcatconf/componentContext.xml.in ecd4a11
> >>>>>     plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3
> >>>>>
> >>>>>Diff: https://reviews.apache.org/r/11194/diff/
> >>>>>
> >>>>>
> >>>>>Testing (updated)
> >>>>>-------
> >>>>>
> >>>>>Tested login with password sent as both MD5 hash and plaintext
> >>>>>
> >>>>>
> >>>>>Thanks,
> >>>>>
> >>>>>Kishan Kavala
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>--
> >>>>Ove Everlid
> >>>>System Administrator / Architect / SDN & Linux hacker
> >>>>Mobile: +46706662363
> >>>>Office: +4618656913 (note EMEA Time Zone)
> 
> 
> 
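As an added illustration, not CloudStack code and not written by anyone in this thread, of the point Ove raises about the `AccountManagerImpl` loop: because the adapters are combined by OR, the values that log a user in are the union of what each adapter accepts, so a plain-compare adapter sitting beside the MD5 adapter makes the stored digest itself a working credential. `create_user` with its `password_type` parameter is a hypothetical sketch of Ove's createUser proposal; the class and function names and the sample users are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def md5_hex(text: str) -> str:
    """Legacy MD5 digest, the stored password format the thread describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


@dataclass
class UserRecord:
    username: str
    stored_password: str  # always an MD5 hex digest in this model


def create_user(username: str, password: str, password_type: str = "md5") -> UserRecord:
    """Hypothetical stand-in for createUser with Ove's proposed type parameter.
    Default "md5" keeps the old behaviour (caller supplies the hash, e.g. on
    migration); "plaintext" hashes server-side before storing."""
    if password_type == "md5":
        stored = password
    elif password_type == "plaintext":
        stored = md5_hex(password)
    else:
        raise ValueError(f"unknown password type: {password_type}")
    return UserRecord(username, stored)


class MD5Authenticator:
    """Hashes the submitted value, then compares it with the stored digest."""
    def authenticate(self, user: UserRecord, submitted: str) -> bool:
        return hmac.compare_digest(md5_hex(submitted).encode(), user.stored_password.encode())


class PlainTextAuthenticator:
    """Compares the submitted value directly with the stored digest, which is what
    the review request's adapter does once its own MD5 step is removed."""
    def authenticate(self, user: UserRecord, submitted: str) -> bool:
        return hmac.compare_digest(submitted.encode(), user.stored_password.encode())


def login(user: UserRecord, submitted: str, authenticators) -> bool:
    """Mirrors the AccountManagerImpl loop: the first adapter returning True wins."""
    return any(a.authenticate(user, submitted) for a in authenticators)


def accepted_credentials(user: UserRecord, candidates, authenticators) -> list:
    """Which of the candidate submissions would log this user in under this chain?"""
    return [c for c in candidates if login(user, c, authenticators)]
```

With only `MD5Authenticator` in the chain the digest is rejected; add `PlainTextAuthenticator` and both the password and its digest are accepted, which is the property to check before enabling the adapter for compatibility.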
