Posted to dev@cloudstack.apache.org by "Musayev, Ilya" <im...@webmd.net> on 2013/06/06 18:10:57 UTC
[ACS42][DONATED FEATURE] CloudStack Advanced Password Management Engine
ISWest contracted CloudSand to develop the Advanced Password Management Engine (APME). ISWest, the owner and sponsor of APME, would like to donate the APME feature to the Apache CloudStack Community. Special thanks go to ISWest - Clayton Weise - for supporting the Apache CloudStack Community and choosing to donate this feature.
For technical design questions, please reach out to me directly via this thread, or email me and CC Clayton Weise from ISWest.
Thanks
-ilya
Abstract:
Present versions of Apache CloudStack, up until the latest version 4.2, lack secure and granular password management control for domain admins and domain users.
Specifically, there is no way for a domain admin to enforce complex password rules, password expiration and password history for domain users. Moreover, basic domain users cannot change their password, and a domain admin cannot lock or reset the password of a domain user within the same domain.
Current state:
This feature has been developed on the 4.0 code base and will be thoroughly tested in multiple environments. It will then be ported to the latest 4.2 code base and tested yet again by ISWest and CloudSand.
Feature details and Specifications:
Exceptions:
0) Don't use APME if CloudStack is configured to use an external source (LDAP/AD); display a friendly message on the password manager page that this environment is using an external user authentication mechanism.

1. Create a page under the domain user admin tab so that the domain admin can enforce password complexity for domain users.
   1. Enforce usage of:
      1. Upper case characters, lower case characters and digits
      2. Special characters such as !@#$%^&*()
      3. Password character limit must be greater than "x"
      4. Password expiration every x number of days for all users in the domain
      5. Avoid the last X passwords previously used, kept in a password history table
      6. Don't apply the password manager rule set to specific users, listed comma-separated in a field (with service accounts in mind)
2. Enable the domain admin to change the password of domain users
3. Enable the domain user to reset his own password
4. The APME task is configurable via global settings
5. A global customizable email notification is configured via global settings, with username, domain and password expiration date in the email body - passed on as attributes, i.e. <username>, <password>, <domain>, etc.
Conditions:
Rules apply per CloudStack domain; each domain may have different rules.
If a new password complexity is defined for an existing user base, it takes effect on the next APME job execution. The password complexity rules are effective immediately if the user changes his password in the UI.
All users will get an email notification that they have to change their password upon login to CS within the grace period; set the grace period to -1 if you need an immediate change. This takes effect the next time the APME task is run.
If the user changes the password prior to expiration, mark in the table that the user has reset the password.
If the password management complexity has been relaxed from a more restrictive set, do nothing.
If a new user is added and APME is enabled, the user must adhere to the APME rule set.
Notification rules:
Email the user daily before the password expires to notify the user that the password needs to be reset. The advanced email notification rule is configured in global settings.
Display an event on the users page that the password is expiring in X days.
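The rule set above, sketched as an added Python example (not CloudStack's Java code and not part of the APME implementation; the field names, the digest scheme and the sample values are assumptions chosen to illustrate the spec):

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
SPECIALS = set("!@#$%^&*()")  # special characters named in the spec (item 2)

@dataclass(frozen=True)
class DomainPolicy:
    """One rule set per CloudStack domain (constructed; field names are assumptions)."""
    min_length: int = 8          # spec item 3: length must be greater than "x"
    expire_days: int = 90        # spec item 4: expire every x days
    history_depth: int = 5       # spec item 5: reject the last X passwords used
    grace_days: int = 7          # -1 means the change is required immediately
    exempt_users: frozenset = frozenset()  # spec item 6: service accounts

def parse_exempt_list(field_value: str) -> frozenset:
    """The spec's 'users separated by comma in a field'; tolerates spaces and blanks."""
    return frozenset(u.strip() for u in field_value.split(",") if u.strip())

def history_digest(password: str, salt: str) -> str:
    """History table must hold digests, never plaintext; the scheme is illustrative."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()

def validate_new_password(policy, username, new_pw, history, salt):
    """Return the list of violated rules; an empty list means the password is accepted.
    `history` holds the user's previous history_digest values, most recent last."""
    if username in policy.exempt_users:
        return []
    problems = []
    if len(new_pw) <= policy.min_length:
        problems.append(f"length must be greater than {policy.min_length}")
    if not (any(c.isupper() for c in new_pw) and any(c.islower() for c in new_pw)
            and any(c.isdigit() for c in new_pw)):
        problems.append("needs upper case, lower case and digits")
    if not SPECIALS & set(new_pw):
        problems.append("needs a special character such as !@#$%^&*()")
    if policy.history_depth and history_digest(new_pw, salt) in history[-policy.history_depth:]:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems

def expiry_state(policy, last_changed: date, today: date, notify_days: int = 14):
    """Daily APME job classification: ('ok'|'expiring'|'expired', days_left, deadline).
    'expiring' drives the daily reminder and the 'expiring in X days' event; after
    expiry the user must change at next login by `deadline` (grace_days, -1 = now)."""
    expires = last_changed + timedelta(days=policy.expire_days)
    days_left = (expires - today).days
    if days_left > 0:
        return ("expiring" if days_left <= notify_days else "ok"), days_left, None
    grace = max(policy.grace_days, 0)  # -1 (immediate) collapses to the expiry date
    return "expired", days_left, expires + timedelta(days=grace)
```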
RE: [ACS42][DONATED FEATURE] CloudStack Advanced Password Management Engine
Posted by "Musayev, Ilya" <im...@webmd.net>.
> -----Original Message-----
> From: David Nalley [mailto:david@gnsa.us]
> Sent: Thursday, June 06, 2013 12:18 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [ACS42][DONATED FEATURE] CloudStack Advanced Password
> Management Engine
>
> On Thu, Jun 6, 2013 at 12:10 PM, Musayev, Ilya <im...@webmd.net>
> wrote:
> > ISWest contracted CloudSand to develop the Advanced Password
> Management Engine (APME). ISWest the owner and sponsor of APME,
> would like to donate the APME feature to Apache CloudStack Community.
> Special thanks goes to ISWest - Clayton Weise for supporting the Apache
> CloudStack Community and choosing to donate this feature.
> >
> >
>
> First - awesome of both of you to work on this and to be interested in
> donating the work.
>
> Second - is this up publicly anywhere for review?
>
> --David
David,
While the feature has been developed, once we pass all internal QA rounds between ISWest and CloudSand, we will work on porting this feature to a separate branch of 4.2 on the ACS ASF git, go through more QA and eventually merge it to master.
For now, I've just sent this email with the specs to make the community aware of what's coming soon.
Thanks
ilya
Re: [ACS42][DONATED FEATURE] CloudStack Advanced Password Management Engine
Posted by David Nalley <da...@gnsa.us>.
On Thu, Jun 6, 2013 at 1:36 PM, Animesh Chaturvedi
<an...@citrix.com> wrote:
>
>
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us]
>> Sent: Thursday, June 06, 2013 9:18 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: [ACS42][DONATED FEATURE] CloudStack Advanced Password
>> Management Engine
>>
>> On Thu, Jun 6, 2013 at 12:10 PM, Musayev, Ilya <im...@webmd.net>
>> wrote:
>> > ISWest contracted CloudSand to develop the Advanced Password
>> Management Engine (APME). ISWest the owner and sponsor of APME, would
>> like to donate the APME feature to Apache CloudStack Community. Special
>> thanks goes to ISWest - Clayton Weise for supporting the Apache
>> CloudStack Community and choosing to donate this feature.
>> >
>> >
>>
>> First - awesome of both of you to work on this and to be interested in
>> donating the work.
>>
>> Second - is this up publicly anywhere for review?
>>
>> --David
> [Animesh>] David this will have to go through IP clearance right?
Probably.
Ilya has already brought up the IP issue on private@ before beginning
the work, so it's not really a surprise.
--David
RE: [ACS42][DONATED FEATURE] CloudStack Advanced Password Management Engine
Posted by Animesh Chaturvedi <an...@citrix.com>.
> -----Original Message-----
> From: David Nalley [mailto:david@gnsa.us]
> Sent: Thursday, June 06, 2013 9:18 AM
> To: dev@cloudstack.apache.org
> Subject: Re: [ACS42][DONATED FEATURE] CloudStack Advanced Password
> Management Engine
>
> On Thu, Jun 6, 2013 at 12:10 PM, Musayev, Ilya <im...@webmd.net>
> wrote:
> > ISWest contracted CloudSand to develop the Advanced Password
> Management Engine (APME). ISWest the owner and sponsor of APME, would
> like to donate the APME feature to Apache CloudStack Community. Special
> thanks goes to ISWest - Clayton Weise for supporting the Apache
> CloudStack Community and choosing to donate this feature.
> >
> >
>
> First - awesome of both of you to work on this and to be interested in
> donating the work.
>
> Second - is this up publicly anywhere for review?
>
> --David
[Animesh>] David this will have to go through IP clearance right?
Re: [ACS42][DONATED FEATURE] CloudStack Advanced Password Management Engine
Posted by David Nalley <da...@gnsa.us>.
On Thu, Jun 6, 2013 at 12:10 PM, Musayev, Ilya <im...@webmd.net> wrote:
> ISWest contracted CloudSand to develop the Advanced Password Management Engine (APME). ISWest the owner and sponsor of APME, would like to donate the APME feature to Apache CloudStack Community. Special thanks goes to ISWest - Clayton Weise for supporting the Apache CloudStack Community and choosing to donate this feature.
>
>
First - awesome of both of you to work on this and to be interested in
donating the work.
Second - is this up publicly anywhere for review?
--David