Posted to dev@apisix.apache.org by Zeping Bai <bz...@apache.org> on 2021/08/10 07:11:14 UTC

[DISCUSS] New user authentication framework for Dashboard

Hi, everyone.

Currently, the dashboard only supports a basic username + password login mode.
Moreover, the password is stored in the configuration file, and password
hashing is not supported. There are problems with ease of use and security.

I have designed a scheme and a simple code prototype for this, and
published it on GitHub [1]. I look forward to your feedback to help it
become better.

[1]
https://github.com/apache/apisix-dashboard/pull/2010#issuecomment-895737216

Best regards!
Zeping Bai

Re: [DISCUSS] New user authentication framework for Dashboard

Posted by JunXu Chen <ch...@apache.org>.
+1 LGTM

This is more convenient for users to manage the account and password of the
dashboard.

On Tue, 10 Aug 2021 at 21:08, Zeping Bai <bz...@apache.org> wrote:


Re: [DISCUSS] New user authentication framework for Dashboard

Posted by Peter Zhu <st...@apache.org>.
> use etcd to save user information and save
> the user's password after hashing.

Agree with it.

Xiran Liu <li...@apache.org> wrote on Thu, 12 Aug 2021 at 14:48:


Re: [DISCUSS] New user authentication framework for Dashboard

Posted by Xiran Liu <li...@apache.org>.
Agree with storing the user info in etcd; it is easier to manage.

On 2021/08/10 13:08:03, Zeping Bai <bz...@apache.org> wrote: 

Re: [DISCUSS] New user authentication framework for Dashboard

Posted by Zeping Bai <bz...@apache.org>.
Hi, sorry, I didn't choose to reply to the email correctly just now, so
I'll resend it for you.

About "ease of use":
1. In the current version, the user is recorded in the configuration file,
and the configuration resolution function is relatively simple.
When deployed in a Docker environment, the configuration cannot
be overridden by means of environment variables.
2. At the same time, the configuration file cannot be watched dynamically
to change the application configuration at runtime.

About "security": I mean some of the most basic functions, such as
hashed password storage.

I am considering switching to etcd to store user information, and storing
the user's password after hashing it.

Best regards!
Zeping Bai

Ming Wen <we...@apache.org> wrote on Tue, 10 Aug 2021 at 15:37:


Re: [DISCUSS] New user authentication framework for Dashboard

Posted by Ming Wen <we...@apache.org>.
> There are problems with ease of use and security.

I did not get your point. Can you give me an example?

Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing


Zeping Bai <bz...@apache.org> wrote on Tue, 10 Aug 2021 at 15:11:
