From d93f06dfc73f0178556a64a0346ac286899a24f2 Mon Sep 17 00:00:00 2001 From: radhikap Date: Tue, 27 Aug 2013 12:26:28 +0530 Subject: [PATCH] review comments for CLOUDSTACK-1815 --- docs/en-US/password-storage-engine.xml | 30 +++++++++++++++----------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/docs/en-US/password-storage-engine.xml b/docs/en-US/password-storage-engine.xml index 05661055e9b..8bbc96fcac2 100644 --- a/docs/en-US/password-storage-engine.xml +++ b/docs/en-US/password-storage-engine.xml @@ -22,11 +22,13 @@
Changing the Default Password Encryption Passwords are encoded when creating or updating users. &PRODUCT; allows you to determine the - default encoding and authentication mechanism for admin and user logins. A new configurable list - called UserPasswordEncoders to allow you to separately configure the order of - preference for encoding and authentication schemes. - Additionally, plain text user authenticator has been changed to use SHA256SALT as the - default encoding algorithm because it is more secure compared to MD5 hashing. It does a simple + default encoding and authentication mechanism for admin and user logins. Two new configurable + lists have been introduced—userPasswordEncoders and userAuthenticators. + userPasswordEncoders allows you to configure the order of preference for encoding passwords, + whereas userAuthenticators allows you to configure the order in which authentication schemes are + invoked to validate user passwords. + Additionally, the plain text user authenticator has been modified not to convert supplied + passwords to their md5 sums before checking them with the database entries. It performs a simple string comparison between retrieved and supplied login passwords instead of comparing the retrieved md5 hash of the stored password against the supplied md5 hash of the password because clients no longer hash the password. The following method determines what encoding scheme is 
@@ -35,11 +37,15 @@ loaded as per the sequence specified in the UserPasswordEncoders property in the ComponentContext.xml or nonossComponentContext.xml files. The order of authentication schemes is determined by the UserAuthenticators - property in the same files. When a new authenticator or encoder is added, you can add them to - this list. While doing so, ensure that the new authenticator or encoder is specified as a bean - in both these files. The administrator can change the ordering of both these properties as - preferred to change the order of schemes. Modify the following list properties available in - client/tomcatconf/nonossComponentContext.xml.in or + property in the same files. If Non-OSS components, such as VMware environments, are to be + deployed, modify the UserPasswordEncoders and UserAuthenticators lists + in the nonossComponentContext.xml file, for OSS environments, such as + XenServer or KVM, modify the ComponentContext.xml file. It is recommended + to make uniform changes across both the files. When a new authenticator or encoder is added, you + can add them to this list. While doing so, ensure that the new authenticator or encoder is + specified as a bean in both these files. The administrator can change the ordering of both these + properties as preferred to change the order of schemes. Modify the following list properties + available in client/tomcatconf/nonossComponentContext.xml.in or client/tomcatconf/componentContext.xml.in as applicable, to the desired order: <property name="UserAuthenticators"> 
@@ -62,7 +68,7 @@ the encoded password is stored in the user table's password column. If it fails for any reason, the MD5UserAuthenticator will be tried next, and the order continues. For UserAuthenticators, SHA256Salt authentication is tried first. If it succeeds, the - user is logged into the Management server. If it fails, MD5 is tried next, and attempts - continues until any of them succeeds and the user logs in . If none of them works, the user is + user is logged into the Management server. If it fails, md5 is tried next, and attempts + continues until any of them succeeds and the user logs in . If none of them works, the user is returned an invalid credential message.
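Review bot: In the first hunk the two list names are introduced in lowercase ("userPasswordEncoders" and "userAuthenticators") while the rest of the file, including the unchanged context in the next hunk and the `<property name="UserAuthenticators">` listing, uses "UserPasswordEncoders" and "UserAuthenticators"; pick one spelling (the property names as they appear in the XML) so a reader can grep for them. The new sentence on the plain text authenticator should also say the consequence plainly: since "clients no longer hash the password", the password itself is what the client now sends in the login request, and the doc should state that rather than leave the reader to infer it from the md5 comparison that was removed. Finally, the em-dash in "introduced—userPasswordEncoders" is a literal character in DocBook source; a colon or the entity form is safer for the build.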
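Review bot: The second hunk has a comma splice that changes the meaning of the instruction: "modify the UserPasswordEncoders and UserAuthenticators lists in the nonossComponentContext.xml file, for OSS environments, such as XenServer or KVM, modify the ComponentContext.xml file" reads as one run-on sentence; split it after "nonossComponentContext.xml file." so the Non-OSS and OSS cases are clearly two alternatives. "you can add them to this list" should become "these lists" now that two lists are named. The file names are also inconsistent within the hunk: the prose says "ComponentContext.xml" while the path a few lines later is "client/tomcatconf/componentContext.xml.in"; use the actual file name casing throughout.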
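Review bot: The third hunk only lowercases "MD5" to "md5", which makes the sentence inconsistent with the unchanged context line immediately above it ("the MD5UserAuthenticator will be tried next") and with "MD5 hashing" earlier in the file; keep "MD5" for the algorithm and reserve the lowercase form for the authenticator bean name if that is the intent. While touching these lines, fix the two existing defects they carry: "attempts continues" should be "attempts continue", and "the user logs in ." has a stray space before the period.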