[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-2516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659339#comment-13659339
 ] 

Kishan Kavala commented on CLOUDSTACK-2516:
-------------------------------------------

Adding Prasanna's comments from the ML discussion:


This change happened when the authenticators were moved in to use adapters. 
That change was a logical one to support multiple Auth mechanisms. Hugo made 
the change in (bd58cecc) and it is the right way to do it.

Prior to Hugo's fix the MD5 authenticator, although called so, would only do a 
plaintext match of passwords with the database. Also the
createUser() would simply persist the password coming in over the wire into 
the db.  Thereby it assumed that the passwd would be pre-encoded as MD5 at the 
client. 

So, why did MD5 passwds get into the DB at all? 
The API documentation asks that the client send in a md5 hashed password and 
our ui script (account.js, sharedFunction.js) is hashing the passwords into md5.

There was probably a reason behind this. I'm not sure: Here's the comment 
indicating the change:

"""
// Will: The MD5Authenticator is now a straight pass-through comparison of the 
// the passwords because we will not assume that the password passed in has // 
already been MD5 hashed.  I am keeping the above code in case this requirement 
changes // or people need examples of how to MD5 hash passwords in java.
if (!user.getPassword().equals(password)) {
    return false
"""

After Hugo's fix the MD5 Authenticator (the default authenticator) now 
_actually_ does the encoding and does not depend on the client. But the UI code 
still seems to exist and double encodes the md5 entry in the form. 

So the fix should be:
- UI removes the double hashing when account creation happens.
- Fix the API doc to ask the user to send in a plaintext password and allow
  it to act based on the authenticator configured in componentsContext.xml

As an aside:
Hugo, the SHA256 authenticator you introduced seems to have been removed from 
the componentContexts. Do you want to include it back, commented?

> Create User API compatibility broken now
> ----------------------------------------
>
>                 Key: CLOUDSTACK-2516
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2516
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.1.0, 4.2.0
>            Reporter: Chip Childers
>            Assignee: Kishan Kavala
>            Priority: Blocker
>             Fix For: 4.1.0, 4.2.0
>
>
> From email thread:
> On Wed, May 15, 2013 at 04:22:14PM +0200, Ove Ewerlid wrote:
> > NB; The 402/410 deployments are on RHES64(OEL64) via RPMs built from
> > latest git repos.
> > /Ove
> > 
> > On 05/15/2013 03:02 PM, Ove Ewerlid wrote:
> > >Hi!
> > >
> > >When testing a deploy script, that works as expected with 4.0.2, on 4.1
> > >I noticed that there was a need to pass plaintext passwords to
> > >createUser, rather than the documented MD5 hash. When passing MD5 hash,
> > >the password gets double MD5:hashed in 41.
> > >
> > >There is new code in 4.1 that encodes password using the authenticator
> > >plugins (encode method);
> > >
> > >cloudstack.4.1/server/src/com/cloud/user/AccountManagerImpl.java
> > >
> > >        ...
> > >        String encodedPassword = null;
> > >         for (UserAuthenticator  authenticator : _userAuthenticators) {
> > >             encodedPassword = authenticator.encode(password);
> > >             if (encodedPassword != null) {
> > >                 break;
> > >             }
> > >         }
> > >        ...
> > >
> > >The 41 API docs still note that an MD5 hash shall be passed in.
> > >What am I missing here?
> > >
> > >/Ove
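To make the double-hashing concrete, here is an added example (not CloudStack's code) that models the createUser encode loop and the server-side MD5 authenticator in Python; the user name, password and class names are constructed for illustration. It shows that a client which still sends md5(password) gets md5(md5(password)) persisted and can no longer log in with the plaintext password, while sending plaintext (the proposed fix) works.

```python
# Added example, not CloudStack code: a minimal model of the createUser /
# authenticate flow discussed above, to show how a client that still sends
# md5(password) ends up with md5(md5(password)) stored once the server-side
# MD5 authenticator's encode() hashes whatever it receives.
import hashlib
import hmac


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


class MD5Authenticator:
    """Model of the post-fix MD5 authenticator: encode() hashes server-side
    and authenticate() compares against the stored encoded value."""

    def encode(self, password: str):
        return md5_hex(password)

    def authenticate(self, stored: str, password: str) -> bool:
        # constant-time compare; same shape as the equals() check quoted above
        return hmac.compare_digest(stored, self.encode(password))


def create_user(store: dict, authenticators, username: str, password_from_client: str):
    """Mirrors the loop quoted from AccountManagerImpl: the first authenticator
    whose encode() returns a value decides what gets persisted."""
    encoded = None
    for auth in authenticators:
        encoded = auth.encode(password_from_client)
        if encoded is not None:
            break
    store[username] = encoded
    return encoded


def login(store: dict, auth, username: str, password: str) -> bool:
    return username in store and auth.authenticate(store[username], password)


def reproduce(client_prehashes: bool) -> dict:
    """One account-creation + login round trip with a constructed password.
    client_prehashes=True models the old contract (client sends an MD5 digest)."""
    store, auth, password = {}, MD5Authenticator(), "s3cret-pw"  # constructed sample
    sent = md5_hex(password) if client_prehashes else password
    stored = create_user(store, [auth], "alice", sent)
    return {"stored": stored,
            "double_hashed": stored == md5_hex(md5_hex(password)),
            "login_ok": login(store, auth, "alice", password)}


if __name__ == "__main__":
    print("client pre-hashes (bug):", reproduce(True))
    print("client sends plaintext (fix):", reproduce(False))
```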
