Posted to commits@maven.apache.org by og...@apache.org on 2009/02/12 19:30:13 UTC

svn commit: r743828 - in /maven/site/trunk/src/site/apt: encryption.apt guides/index.apt settings.apt

Author: ogusakov
Date: Thu Feb 12 18:30:12 2009
New Revision: 743828

URL: http://svn.apache.org/viewvc?rev=743828&view=rev
Log:
[MNG-553] added password encryption doco to the site

Added:
    maven/site/trunk/src/site/apt/encryption.apt   (with props)
Modified:
    maven/site/trunk/src/site/apt/guides/index.apt
    maven/site/trunk/src/site/apt/settings.apt

Added: maven/site/trunk/src/site/apt/encryption.apt
URL: http://svn.apache.org/viewvc/maven/site/trunk/src/site/apt/encryption.apt?rev=743828&view=auto
==============================================================================
--- maven/site/trunk/src/site/apt/encryption.apt (added)
+++ maven/site/trunk/src/site/apt/encryption.apt Thu Feb 12 18:30:12 2009
@@ -0,0 +1,149 @@
+ ----
+ Password Encryption
+ -----
+ Oleg Gusakov
+ -----
+ 10 February 2009
+ -----
+
+{Password Encryption}
+
+  [[1]] {{{Introduction}Introduction}}
+
+  [[2]] {{{How_to_create_master_password}How to create master password}}
+
+  [[3]] {{{How_to_encrypt_server_passwords}How to encrypt server passwords}}
+
+  [[4]] {{{How_to_keep_master_password_on_removable_drive}How to keep master password on removable drive}}
+  
+
+* {Introduction}
+
+ Maven 2.1.x trunk now supports server password decryption. This solution is a 
+ first implementation and will be enhanced and made more user-friendly in the 
+ nearest future. What is described here is working, but not too user-friendly, 
+ a Maven plugin to address password maintenance is in the works.
+
+ The main use case, addressed by this solution is:
+
+   * multiple users share the same build machine (server, CI box)
+   
+   * some users have the privilege to deploy Maven artifacts to repositories, some don't.
+   
+      ** this applies to any server operations, requiring authorization, not only deployment
+   
+   * settings.xml is shared between users
+
+ The implemented solution adds the following capabilities:
+
+   * authorized users have an additional settings-security.xml file in their ~/.m2 folder
+   
+      ** this file either contains encrypted <<master password>>, used to encrypt other passwords
+      
+      ** or it can contain a <<relocation>> - reference to another file, possibly on removable storage
+      
+      ** this password is created first via CLI for now
+      
+   * server entries in the <<<settings.xml>>> have passwords and/or keystore passphrases encrypted
+    
+      ** for now - this is done via CLI <<after>> master password has been created and stored in appropriate location
+
+* {How to create master password}
+
+ All necessary classes are in the maven uber jar which is in $\{maven.home}/lib  
+
+ Use the following command line:
+ 
++------------------------------------+
+java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar \
+  org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher -m
++------------------------------------+
+
+ This command will prompt you for the master password and will produce an encrypted version of it, something like
+ 
++------------------------------------+
+{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}
++------------------------------------+
+
+ Please store this password in the <<<~/.m2/settings-security.xml>>>; it should look like 
+ 
++------------------------------------+
+<settingsSecurity>
+  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
+</settingsSecurity>
++------------------------------------+
+
+ When this is done, you can start encrypting existing server passwords.
+
+* {How to encrypt server passwords}
+
+ You will have to use the same command line tool as for master password (see above), but parameter is different: <<-p>>
+
+ Use the following command line:
+ 
++------------------------------------+
+java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar \  
+  org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher -p
++------------------------------------+
+
+ This command will prompt you for a password and will produce an encrypted version of it, something like
+ 
++------------------------------------+
+{COQLCE6DU6GtcS5P=}
++------------------------------------+
+
+ Cut-n-paste it into you <<<settings.xml>>> file in the server section. This will look like:
+ 
++------------------------------------+
+<settings>
+...
+  <servers>
+...
+    <server>
+      <id>my.server</id>
+      <username>foo</username>
+      <password>{COQLCE6DU6GtcS5P=}</password>
+    </server>
+...
+  </servers>
+...
+</settings>
++------------------------------------+
+
+ Then you can use, say, deploy plugin, to write to this server:
+ 
++------------------------------------+
+mvn deploy:deploy-file -Durl=https://maven.corp.com/repo \
+                       -DrepositoryId=my.server \
+                       -Dfile=your-artifact-1.0.jar \
++------------------------------------+
+
+
+
+* {How to keep master password on removable drive}
+
+ Create the master password exactly as described above, and store it on a 
+ removable drive, for instance on OSX, my USB drive mounts as <<</Volumes/mySecureUsb>>>, 
+ so I store 
+ 
++------------------------------------+
+<settingsSecurity>
+  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
+</settingsSecurity>
++------------------------------------+
+
+ in the file <<</Volumes/mySecureUsb/secure/settings-security.xml>>>
+
+ And then create <<<~/.m2/settings-security.xml>>> with the following content:
+ 
++------------------------------------+
+<settingsSecurity>
+  <relocation>/Volumes/mySecureUsb/secure/settings-security.xml</relocation>
+
+</settingsSecurity>
++------------------------------------+
+
+ This assures that encryption will only work when the usb drive is mounted by OS. 
+ This addresses a use case where only certain people are authorized to deploy and 
+ are issued these devices.
+
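Review bot: The Introduction and "How to create master password" target a build machine shared by several users, yet the page never says who may read ~/.m2/settings-security.xml or what protects the <master> value stored in it. Possession of that file is what separates authorized users from the rest, so add a sentence on restricting the file to its owner and on what the master password itself is encrypted with. Two command blocks will also fail when pasted: the -p example has trailing spaces after the line-continuation backslash, and the "mvn deploy:deploy-file" example ends with a dangling "\" after "-Dfile=your-artifact-1.0.jar". Minor: "into you settings.xml" should read "into your", and the last section says "encryption will only work" with the drive mounted; if decryption at deploy time depends on the drive as well, say so explicitly.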

Propchange: maven/site/trunk/src/site/apt/encryption.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: maven/site/trunk/src/site/apt/encryption.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Modified: maven/site/trunk/src/site/apt/guides/index.apt
URL: http://svn.apache.org/viewvc/maven/site/trunk/src/site/apt/guides/index.apt?rev=743828&r1=743827&r2=743828&view=diff
==============================================================================
--- maven/site/trunk/src/site/apt/guides/index.apt (original)
+++ maven/site/trunk/src/site/apt/guides/index.apt Thu Feb 12 18:30:12 2009
@@ -178,6 +178,8 @@
 
  * {{{../settings.html}Settings Overview}} ({{{../ref/current/maven-settings/settings.html}Technical Settings Descriptor}})
 
+ * {{{../encryption.html}Password Encryption}}
+
  * {{{../plugins/index.html}Core Plug-ins List}}
 
  * {{{../developers/mojo-api-specification.html}Mojo API}}

Modified: maven/site/trunk/src/site/apt/settings.apt
URL: http://svn.apache.org/viewvc/maven/site/trunk/src/site/apt/settings.apt?rev=743828&r1=743827&r2=743828&view=diff
==============================================================================
--- maven/site/trunk/src/site/apt/settings.apt (original)
+++ maven/site/trunk/src/site/apt/settings.apt Thu Feb 12 18:30:12 2009
@@ -18,6 +18,8 @@
 
     [[2]] {{{Servers}Servers}}
 
+       [[1]] {{{Password_Encryption}Password Encryption}}
+
     [[3]] {{{Mirrors}Mirrors}}
 
     [[4]] {{{Proxies}Proxies}}
@@ -175,6 +177,11 @@
 
   <Note:> If you use a private key to login to the server, make sure you omit the <<<\<password\>>>> element.
   Otherwise, the key will be ignored.
+  
+** {Password Encryption}
+
+ A new feature - server password and passphrase encryption has been added to 2.1.x and 3.0 trunks. See details  
+ {{{encryption.html}on this page}}
 
 * {Mirrors}
 
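Review bot: The new "Password Encryption" paragraph says the feature was added to "2.1.x and 3.0 trunks", while the Introduction of encryption.apt in this same commit mentions only "Maven 2.1.x trunk". Make the two agree, and name the first release that carries the feature rather than "trunks" so the sentence does not go stale. The link text "on this page" would read better as the page title, the sentence needs a closing period, and the added line above the heading contains only whitespace.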



Re: svn commit: r743828 - in /maven/site/trunk/src/site/apt: encryption.apt guides/index.apt settings.apt

Posted by Brett Porter <br...@apache.org>.
Thanks for this!

I was just wondering if it is intended to be duplicated in the wiki or  
was that just an editing ground before putting it on the site?

On 13/02/2009, at 2:30 AM, ogusakov@apache.org wrote:

> Author: ogusakov
> Date: Thu Feb 12 18:30:12 2009
> New Revision: 743828
>
> URL: http://svn.apache.org/viewvc?rev=743828&view=rev
> Log:
> [MNG-553] added password encryption doco to the site
>
> Added:
>    maven/site/trunk/src/site/apt/encryption.apt   (with props)
> Modified:
>    maven/site/trunk/src/site/apt/guides/index.apt
>    maven/site/trunk/src/site/apt/settings.apt

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/

