Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/08/13 07:11:41 UTC

[GitHub] [druid] maytasm commented on a change in pull request #11590: Clarify when changes to credentialIterations take effect

maytasm commented on a change in pull request #11590:
URL: https://github.com/apache/druid/pull/11590#discussion_r688294898



##########
File path: docs/development/extensions-core/druid-basic-security.md
##########
@@ -94,12 +94,19 @@ The remaining examples of authenticator configuration use either `MyBasicMetadat
 |`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes|
 
 ##### Credential iterations and API performance
-The credential iterations setting affects API performance, including query times. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords, but it adds latency.
 
-You can decrease the number of iterations to speed up API response times, but it potentially exposes your system to dictionary attacks. Therefore, only reduce the number of iterations if your environment fits one of the following conditions:
+As noted above, `credentialIterations` determines the number of iterations used to hash a password. A higher number increases security, but costs more in terms of CPU utilization. 
+
+This cost affects API performance, including query times. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords.
+
+You can decrease the number of iterations to speed up API response times, but it may expose your system to dictionary attacks. Therefore, only reduce the number of iterations if your environment fits one of the following conditions:
 - **All** passwords are long and random which make them as safe as a randomly-generated token.
 - You have secured network access to Druid so that no attacker can execute a dictionary attack against it.
+
+It is important to note that changing the `credentialIterations` value only affects the number of password hashing iterations of newly created users or users who have updated their password via the `/druid-ext/basic-security/authentication/db/basic/users/{userName}/credentials` endpoint after you change the setting. 
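Review bot: the closing paragraph leaves the consequence for existing users implicit: since only newly created users and users who reset their password pick up the new value, everyone else continues to be validated with a hash computed at the old iteration count, so raising `credentialIterations` does not harden existing accounts and lowering it does not speed up their requests. Consider adding one sentence such as "Existing users keep the iteration count in effect when their password was last set; to apply the new value to them, reset their passwords." Two smaller points: the endpoint path hard-codes `basic` as the segment between `db/` and `users/`, while the example configuration in the context line uses `MyBasicMetadataAuthenticator`, so a placeholder such as `{authenticatorName}` would avoid copying the wrong name; and the added lines starting `+As noted above,` and `+It is important to note` end with trailing whitespace.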

Review comment:
This is only true for `credentialsValidator.type=metadata`. If Druid auth is using `credentialsValidator.type=ldap`, then Druid will automatically use the new `credentialIterations` the next time a user tries to log in (in addition to when users update their password and when new users are created).




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org