Gswauth-security-enhancements
1. The super_admin password is kept as plain text in proxy-server.
2. Best practice for storing passwords is to use a random salt. In the current implementation of gluster-swift, the salt used with sha1 to hash the user password is a value picked from the proxy-server.conf file, or the default 'gswauthsalt'.
The Unix standard used in /etc/shadow can be used as a reference.
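The following sketch is an added example, not code from gluster-swift or from this blueprint. It contrasts a site-wide salt with a per-user random salt stored beside the hash, for two users given the same password (as tester5 and tester6 are in the steps on this page). The function names, the `scheme:salt$digest` layout, the salt+password order, and the choice of PBKDF2-HMAC-SHA512 with 100000 rounds are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FIXED_SALT = "gswauthsalt"  # default salt named in the blueprint


def encode_fixed(password, salt=FIXED_SALT):
    """Site-wide salt + SHA-1, as the blueprint describes the current state.
    The salt+password order and 'sha1:salt$digest' layout are assumptions."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1:%s$%s" % (salt, digest)


def encode_random(password, salt=None, rounds=100000):
    """Per-user random salt stored beside the hash, as /etc/shadow does.
    PBKDF2-HMAC-SHA512 and the round count are this example's choices."""
    if salt is None:
        salt = os.urandom(16).hex()  # 128-bit salt, fresh for every user
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return "pbkdf2-sha512:%d:%s$%s" % (rounds, salt, dk.hex())


def verify(password, stored):
    """Recompute with the salt parsed out of the stored value, then compare
    in constant time. Unknown or malformed schemes are rejected."""
    try:
        params, _digest = stored.rsplit("$", 1)
        scheme, rest = params.split(":", 1)
        if scheme == "sha1":
            candidate = encode_fixed(password, rest)
        elif scheme == "pbkdf2-sha512":
            rounds, salt = rest.split(":", 1)
            candidate = encode_random(password, salt, int(rounds))
        else:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample: two users sharing the password "testing".
    print(encode_fixed("testing") == encode_fixed("testing"))    # identical
    print(encode_random("testing") == encode_random("testing"))  # distinct
```

With the fixed salt, equal passwords yield equal stored strings, so one precomputed table covers every account; with a per-user salt each record has to be attacked separately.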
Steps:
For 1:
# echo 'gswauthkey'
6964e49a50e1576
# vi /etc/swift/
# cat /etc/swift/
super_admin_key = 6964e49a50e1576
# swift-init main restart
Signal proxy-server pid: 2496 signal: 15
Signal container-server pid: 2497 signal: 15
Signal account-server pid: 2498 signal: 15
Signal object-server pid: 2499 signal: 15
proxy-server (2496) appears to have stopped
container-server (2497) appears to have stopped
account-server (2498) appears to have stopped
object-server (2499) appears to have stopped
Starting proxy-server.
Starting container-
Starting account-
Starting object-
# swauth-add-user test tester7 testing1 -K gswauthkey
Account creation failed: 401 Unauthorized
User creation failed: 401 Unauthorized: Invalid user/key provided
For 2:
# swauth-add-user test tester5 testing -K 6964e49a50e1576
# cat /mnt/gluster-
{"groups": [{"name": "test:tester5"}, {"name": "test"}], "auth": "sha1:saltnpepp
# swauth-add-user test tester6 testing -K 6964e49a50e1576
# cat /mnt/gluster-
{"groups": [{"name": "test:tester6"}, {"name": "test"}], "auth": "sha1:saltnpepp
Blueprint information
- Status: Not started
- Approver: Luis Pabón
- Priority: Medium
- Drafter: pushpesh
- Direction: Approved
- Assignee: Thiago da Silva
- Definition: Approved
- Series goal: Accepted for icehouse
- Implementation: Not started
- Milestone target: None