Re: [ACS41] Current blocker status
On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote: CLOUDSTACK-2516 Create User API compability broken now Nobody has taken this on yet. [Animesh] I will update the JIRA ticket, looks like this was changed by Kishan to use clear text password. I think functionality wise it will still work but will cause double encryption. We will have to wait for Kishan to respond on this. I think Kishan only added regions support. That piece of code has existed for a long time. I'm guessing something in the order of authenticators is going wrong although componentContext.xml.in is using MD5 auth first. Investigating .. -- Prasanna., Powered by BigRock.com
RE: [ACS41] Current blocker status
-Original Message- From: Prasanna Santhanam [mailto:t...@apache.org] Sent: Thursday, 16 May 2013 11:51 AM To: dev@cloudstack.apache.org Subject: Re: [ACS41] Current blocker status On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote: CLOUDSTACK-2516 Create User API compability broken now Nobody has taken this on yet. [Animesh] I will update the JIRA ticket, looks like this was changed by Kishan to use clear text password. I think functionality wise it will still work but will cause double encryption. We will have to wait for Kishan to respond on this. I think Kishan only added regions support. That piece of code has existed for a long time. I'm guessing something in the order of authenticators is going wrong although componentContext.xml.in is using MD5 auth first. Investigating .. [KK] I'm looking into this issue and update with my findings. -- Prasanna., Powered by BigRock.com
Re: [ACS41] Current blocker status
On Thu, May 16, 2013 at 11:51:06AM +0530, Prasanna Santhanam wrote:
On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote:
CLOUDSTACK-2516
Create User API compability broken now
Nobody has taken this on yet.
[Animesh] I will update the JIRA ticket, looks like this was
changed by Kishan to use clear text password. I think functionality
wise it will still work but will cause double encryption. We will
have to wait for Kishan to respond on this.
I think Kishan only added regions support. That piece of code has
existed for a long time. I'm guessing something in the order of
authenticators is going wrong although componentContext.xml.in is
using MD5 auth first. Investigating ..
This change happened when the authenticators were moved in to use
adapters. That change was a logical one to support multiple Auth
mechanisms. Hugo made the change in (bd58cecc) and it is the right way
to do it.
Prior to Hugo's fix the MD5 authenticator,although called so, would
only do a plaintext match of passwords with the database. Also the
createUser() would simply persist the password coming in over with
wire into the db. Thereby it assumed tht the passwd would be
pre-encoded as MD5 at the client.
So, why did MD5 passwds get into the DB at all?
The API documentation asks that the client send in a md5 hashed
password and our ui script (account.js, sharedFunction.js) is hashing
the passwords into md5.
There was probably a reason behind this. I'm not sure: Here's the
comment indicating the change:
// Will: The MD5Authenticator is now a straight pass-through comparison of the
// the passwords because we will not assume that the password passed in has
// already been MD5 hashed. I am keeping the above code in case this
requirement changes
// or people need examples of how to MD5 hash passwords in java.
if (!user.getPassword().equals(password)) {
return false
After Hugo's fix the MD5 Authenticator (the default authenticator)
now _actually_ does the encoding and not depend on the client. But the
UI code still seems to exist and double encodes the md5 entry in the
form.
So the fix should be
- UI removes the double hashing when account creation happens.
- Fix the API doc to ask user to send in plaintext password and allow
to act based on authenticator configured in componentsContext.xml
As an aside:
Hugo, the SHA256 authenticator you introduced seems to have been
removed from the componentContexts. Do you want to include it back,
commented?
Thanks,
--
Prasanna.,
Powered by BigRock.com
RE: [ACS41] Current blocker status
-Original Message-
From: Kishan Kavala [mailto:kishan.kav...@citrix.com]
Sent: Thursday, 16 May 2013 1:24 PM
To: dev@cloudstack.apache.org
Subject: RE: [ACS41] Current blocker status
-Original Message-
From: Prasanna Santhanam [mailto:t...@apache.org]
Sent: Thursday, 16 May 2013 12:39 PM
To: dev@cloudstack.apache.org
Subject: Re: [ACS41] Current blocker status
On Thu, May 16, 2013 at 11:51:06AM +0530, Prasanna Santhanam wrote:
On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote:
CLOUDSTACK-2516
Create User API compability broken now
Nobody has taken this on yet.
[Animesh] I will update the JIRA ticket, looks like this was
changed by Kishan to use clear text password. I think
functionality wise it will still work but will cause double
encryption. We will have to wait for Kishan to respond on this.
I think Kishan only added regions support. That piece of code has
existed for a long time. I'm guessing something in the order of
authenticators is going wrong although componentContext.xml.in is
using MD5 auth first. Investigating ..
This change happened when the authenticators were moved in to use
adapters. That change was a logical one to support multiple Auth
mechanisms. Hugo made the change in (bd58cecc) and it is the right way
to do it.
Prior to Hugo's fix the MD5 authenticator,although called so, would
only do a plaintext match of passwords with the database. Also the
createUser() would simply persist the password coming in over with
wire into the db. Thereby it assumed tht the passwd would be
pre-encoded as MD5 at the client.
So, why did MD5 passwds get into the DB at all?
The API documentation asks that the client send in a md5 hashed
password and our ui script (account.js, sharedFunction.js) is hashing
the passwords into md5.
There was probably a reason behind this. I'm not sure: Here's the
comment indicating the change:
// Will: The MD5Authenticator is now a straight pass-through
comparison of the // the passwords because we will not assume that the
password passed in has // already been MD5 hashed. I am keeping the
above code in case this requirement changes // or people need examples
of how to MD5 hash passwords in java.
if (!user.getPassword().equals(password)) {
return false
After Hugo's fix the MD5 Authenticator (the default authenticator) now
_actually_ does the encoding and not depend on the client. But the UI
code still seems to exist and double encodes the md5 entry in the form.
So the fix should be
- UI removes the double hashing when account creation happens.
- Fix the API doc to ask user to send in plaintext password and allow
to act based on authenticator configured in componentsContext.xml
As an aside:
Hugo, the SHA256 authenticator you introduced seems to have been
removed from the componentContexts. Do you want to include it back,
commented?
Thanks,
--
Prasanna.,
Powered by BigRock.com
Agree with Prasanna. Authenticator changes were introduced via commit
bd58cecc prior to Regions related changes.
Couple of ways to fix this now:
1. UI/client sends plain text as suggested by Prasanna along with api doc
fix.
This would mean breaking backward compatibility but it's the clean way.
2. Other option is to add PlainTextAuthenticator in ComponentContext to
support existing clients. Master already has these changes.
I've submitted patch [1] to add PlainTextAuthenticator. This will solve the
backward compatibility issue.
- Recommended option is for clients to send plain text instead of MD5 after
upgrading to 4.1.
- For those who do not want to change their client, componentContext.xml has to
be changed to use PlainTextAuthenticator as default authenticator.
Following scenario should be avoided:
- Client sends MD5 hash and default authenticator is MD5UserAuthenticator.
Password stored in DB will be MD5 hashed twice. This will work as long client
keeps sending MD5 hash and default authenticator is MD5UserAuthenticator.
If the default authenticator is changed or if client changes to send plain
text, existing users won't be able to login. Things will get even more complex
when SHA256 becomes the default in 4.2.
[1] https://reviews.apache.org/r/11194/
Re: [ACS41] Current blocker status
See this discussion
http://s.apache.org/gW
On 5/16/13 12:53 AM, Kishan Kavala kishan.kav...@citrix.com wrote:
-Original Message-
From: Prasanna Santhanam [mailto:t...@apache.org]
Sent: Thursday, 16 May 2013 12:39 PM
To: dev@cloudstack.apache.org
Subject: Re: [ACS41] Current blocker status
On Thu, May 16, 2013 at 11:51:06AM +0530, Prasanna Santhanam wrote:
On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote:
CLOUDSTACK-2516
Create User API compability broken now
Nobody has taken this on yet.
[Animesh] I will update the JIRA ticket, looks like this was
changed by Kishan to use clear text password. I think functionality
wise it will still work but will cause double encryption. We will
have to wait for Kishan to respond on this.
I think Kishan only added regions support. That piece of code has
existed for a long time. I'm guessing something in the order of
authenticators is going wrong although componentContext.xml.in is
using MD5 auth first. Investigating ..
This change happened when the authenticators were moved in to use
adapters. That change was a logical one to support multiple Auth
mechanisms. Hugo made the change in (bd58cecc) and it is the right way
to
do it.
Prior to Hugo's fix the MD5 authenticator,although called so, would
only do a
plaintext match of passwords with the database. Also the
createUser() would simply persist the password coming in over with wire
into
the db. Thereby it assumed tht the passwd would be pre-encoded as MD5
at
the client.
So, why did MD5 passwds get into the DB at all?
The API documentation asks that the client send in a md5 hashed password
and our ui script (account.js, sharedFunction.js) is hashing the
passwords into
md5.
There was probably a reason behind this. I'm not sure: Here's the
comment
indicating the change:
// Will: The MD5Authenticator is now a straight pass-through comparison
of
the // the passwords because we will not assume that the password passed
in has // already been MD5 hashed. I am keeping the above code in case
this
requirement changes // or people need examples of how to MD5 hash
passwords in java.
if (!user.getPassword().equals(password)) {
return false
After Hugo's fix the MD5 Authenticator (the default authenticator) now
_actually_ does the encoding and not depend on the client. But the UI
code
still seems to exist and double encodes the md5 entry in the form.
So the fix should be
- UI removes the double hashing when account creation happens.
- Fix the API doc to ask user to send in plaintext password and allow
to act based on authenticator configured in componentsContext.xml
As an aside:
Hugo, the SHA256 authenticator you introduced seems to have been
removed from the componentContexts. Do you want to include it back,
commented?
Thanks,
--
Prasanna.,
Powered by BigRock.com
Agree with Prasanna. Authenticator changes were introduced via commit
bd58cecc prior to Regions related changes.
Couple of ways to fix this now:
1. UI/client sends plain text as suggested by Prasanna along with api
doc fix. This would mean breaking backward compatibility but it's the
clean way.
2. Other option is to add PlainTextAuthenticator in ComponentContext to
support existing clients. Master already has these changes.
Re: [ACS41] Current blocker status
On Wed, May 15, 2013 at 03:07:41PM -0700, Animesh Chaturvedi wrote: -Original Message- From: Chip Childers [mailto:chip.child...@sungard.com] Sent: Wednesday, May 15, 2013 12:43 PM To: dev@cloudstack.apache.org Subject: [ACS41] Current blocker status The following are currently blocking a new RC for 4.1.0: CLOUDSTACK-2039 Improve console access security with 128-bit AES encryption and securely- randomized key generation This needs to be addressed. Kelven, do you mind reviewing Wido's error? [Animesh] Kelven is offline for next two weeks, we will need someone else to look into this issue This was an upgrade process issue for Wido. Bug resolved. CLOUDSTACK-2463 CS Upgrade 2.Upgrade2.14 to 4.1.0 failed due to no public network found (configuration : advanced network with security groups) This is being discussed in another thread. [Animesh] I will respond in the other thread We have a serious decision to make now... we don't have anyone currently working on VMware support, so we still have stranded users even if we pull the feature in earlier than 4.2. CLOUDSTACK-2492 System VM Clock Drift This is also being discussed in another thread. We have fixes for KVM and VMware, but do not have an answer for XenServer that doesn't involve rebuilding the system VM template. CLOUDSTACK-2516 Create User API compability broken now Nobody has taken this on yet. [Animesh] I will update the JIRA ticket, looks like this was changed by Kishan to use clear text password. I think functionality wise it will still work but will cause double encryption. We will have to wait for Kishan to respond on this. Outstanding work: document the upgrade scenario and pull the fix into master.
Re: [ACS41] Current blocker status
On Thu, May 16, 2013 at 07:12:14PM +, Chiradeep Vittal wrote: See this discussion http://s.apache.org/gW Nice - thanks for digging it up from the archives. I couldn't find it and had to write a long email explaining things :) -- Prasanna., Powered by BigRock.com
RE: [ACS41] Current blocker status
-Original Message- From: Chip Childers [mailto:chip.child...@sungard.com] Sent: Wednesday, May 15, 2013 12:43 PM To: dev@cloudstack.apache.org Subject: [ACS41] Current blocker status The following are currently blocking a new RC for 4.1.0: CLOUDSTACK-2039 Improve console access security with 128-bit AES encryption and securely- randomized key generation This needs to be addressed. Kelven, do you mind reviewing Wido's error? [Animesh] Kelven is offline for next two weeks, we will need someone else to look into this issue CLOUDSTACK-2463 CS Upgrade 2.Upgrade2.14 to 4.1.0 failed due to no public network found (configuration : advanced network with security groups) This is being discussed in another thread. [Animesh] I will respond in the other thread CLOUDSTACK-2492 System VM Clock Drift This is also being discussed in another thread. CLOUDSTACK-2516 Create User API compability broken now Nobody has taken this on yet. [Animesh] I will update the JIRA ticket, looks like this was changed by Kishan to use clear text password. I think functionality wise it will still work but will cause double encryption. We will have to wait for Kishan to respond on this.
