You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ra...@apache.org on 2013/07/17 07:08:31 UTC
git commit: updated refs/heads/4.2 to 95974bf
Updated Branches:
refs/heads/4.2 e37fc1345 -> 95974bfef
CLOUDSTACK-1815
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/95974bfe
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/95974bfe
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/95974bfe
Branch: refs/heads/4.2
Commit: 95974bfefb044ed0785fb148800cc450c2f86180
Parents: e37fc13
Author: radhikap <ra...@citrix.com>
Authored: Wed Jul 17 10:38:13 2013 +0530
Committer: radhikap <ra...@citrix.com>
Committed: Wed Jul 17 10:38:13 2013 +0530
----------------------------------------------------------------------
docs/en-US/password-storage-engine.xml | 68 +++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/95974bfe/docs/en-US/password-storage-engine.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/password-storage-engine.xml b/docs/en-US/password-storage-engine.xml
new file mode 100644
index 0000000..0566105
--- /dev/null
+++ b/docs/en-US/password-storage-engine.xml
@@ -0,0 +1,68 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<section id="password-storage-engine">
+ <title>Changing the Default Password Encryption</title>
+ <para>Passwords are encoded when creating or updating users. &PRODUCT; allows you to determine the
+ default encoding and authentication mechanism for admin and user logins. A new configurable list
+ called <code>UserPasswordEncoders</code> to allow you to separately configure the order of
+ preference for encoding and authentication schemes. </para>
+ <para>Additionally, plain text user authenticator has been changed to use SHA256SALT as the
+ default encoding algorithm because it is more secure compared to MD5 hashing. It does a simple
+ string comparison between retrieved and supplied login passwords instead of comparing the
+ retrieved md5 hash of the stored password against the supplied md5 hash of the password because
+ clients no longer hash the password. The following method determines what encoding scheme is
+ used to encode the password supplied during user creation or modification. </para>
+ <para>When a new user is created, the user password is encoded by using the first valid encoder
+ loaded as per the sequence specified in the <code>UserPasswordEncoders</code> property in the
+ <filename>ComponentContext.xml</filename> or <filename>nonossComponentContext.xml</filename>
+ files. The order of authentication schemes is determined by the <code>UserAuthenticators</code>
+ property in the same files. When a new authenticator or encoder is added, you can add them to
+ this list. While doing so, ensure that the new authenticator or encoder is specified as a bean
+ in both these files. The administrator can change the ordering of both these properties as
+ preferred to change the order of schemes. Modify the following list properties available in
+ <filename>client/tomcatconf/nonossComponentContext.xml.in</filename> or
+ <filename>client/tomcatconf/componentContext.xml.in</filename> as applicable, to the desired
+ order:</para>
+ <programlisting><property name="UserAuthenticators">
+ <list>
+ <ref bean="SHA256SaltedUserAuthenticator"/>
+ <ref bean="MD5UserAuthenticator"/>
+ <ref bean="LDAPUserAuthenticator"/>
+ <ref bean="PlainTextUserAuthenticator"/>
+ </list>
+ </property>
+ <property name="UserPasswordEncoders">
+ <list>
+ <ref bean="SHA256SaltedUserAuthenticator"/>
+ <ref bean="MD5UserAuthenticator"/>
+ <ref bean="LDAPUserAuthenticator"/>
+ <ref bean="PlainTextUserAuthenticator"/>
+ </list></programlisting>
+ <para>In the above default ordering, SHA256Salt is used first for
+ <code>UserPasswordEncoders</code>. If the module is found and encoding returns a valid value,
+ the encoded password is stored in the user table's password column. If it fails for any reason,
+ the MD5UserAuthenticator will be tried next, and the order continues. For
+ <code>UserAuthenticators</code>, SHA256Salt authentication is tried first. If it succeeds, the
+ user is logged into the Management server. If it fails, MD5 is tried next, and attempts
+ continues until any of them succeeds and the user logs in . If none of them works, the user is
+ returned an invalid credential message. </para>
+</section>