[kapua-dev] Auto account creation - password creation strategies

Hi,

as mentioned in today's call, we still need to agree on how to find a suitable initial password for the sandbox server environment.

Just for the context: We are looking for an SSO integration on the upcoming sandbox server, so that people can simply register a new account in Kapua with their existing Eclipse account (or GitHub account) and then get their account auto-provisioned on the sandbox server.

Now that functionality is ready; however, Kapua currently suggests creating two accounts, one for the user and one for the gateway, which would also be a good choice for the sandbox server. The user doesn't need any password, as it will be authenticated by the SSO solution. The gateway, however, requires a password in order to connect to the broker. In any case it is "only" a sandbox server and we will be resetting the accounts (or even the whole server) frequently.

There would be a few simple solutions, but as always there are pros and cons:

1) Set a default initial password to "<username>-password". As there is currently no way for others to find out which accounts/users exist, aside from the user itself, it should at least not be too easy to guess. The user should however still change that password. This is the currently implemented solution. We only need some place to point out to people that they should change their password.

2) Don't assign any password. By default this would lock out the gateway user. Not allowing any connectivity unless the user assigns a password to the gateway user.

3) Require the user to enter the password

4) Generate a random password and send it to the user via e-mail

5) Provide some sort of "How to connect page" for the gateway account, showing the stored password.

Now 3) and 4) sound most appealing to me, but currently there is no infrastructure for implementing this. 5) would require us to store the password in plaintext, which isn't such a good idea and is currently unsupported by Kapua anyway, as passwords are stored salted and hashed. So I would suggest going with 1) as a start.

Cheers

Jens

--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
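The following is an added example illustrating the trade-off between option 1) and option 4) above, and why option 5) is incompatible with salted and hashed storage. It is not Kapua's code and not from the message author; the hash construction (PBKDF2-HMAC-SHA256 with a 16-byte salt and 200,000 iterations), the password alphabet, the record layout and all function names are assumptions made for the example, since the message only states that Kapua stores passwords salted and hashed.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Assumed parameters for this example only; Kapua's actual scheme is not
# described in the message beyond "salted and hashed".
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.~"  # 66 symbols


def weak_default_password(username: str) -> str:
    """Option 1: a default that anyone who learns the username can
    reconstruct, so it is only as secret as the username itself."""
    return f"{username}-password"


def generate_initial_password(length: int = 24) -> str:
    """Option 4: a random password drawn from the OS CSPRNG (secrets).
    24 symbols over a 66-symbol alphabet is about 145 bits of entropy."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); only these two
    values are ever stored, which is why the plaintext cannot be displayed
    later (option 5) without changing the storage model."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def provision_gateway_user(username: str, strategy: str) -> tuple:
    """Build the stored record for an auto-provisioned gateway user under
    one of the message's strategies ("default" = option 1, "random" =
    option 4). Returns (record, plaintext): the plaintext is what has to
    be shown or mailed to the user exactly once; the record holds none of it."""
    if strategy == "default":
        password = weak_default_password(username)
    elif strategy == "random":
        password = generate_initial_password()
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    salt, digest = hash_password(password)
    record = {
        "username": username,
        "salt": salt.hex(),
        "pbkdf2_sha256": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
        # Option 1 needs the "please change your password" nudge the
        # message mentions; a random initial password does not.
        "must_change_password": strategy == "default",
    }
    return record, password


def guess_from_username(record: dict) -> bool:
    """What an attacker who learns only the username can do against
    option 1: derive the default and test it against the stored hash."""
    guess = weak_default_password(record["username"])
    return verify_password(
        guess, bytes.fromhex(record["salt"]), bytes.fromhex(record["pbkdf2_sha256"])
    )


if __name__ == "__main__":
    # Constructed sample username for the demonstration.
    for strategy in ("default", "random"):
        record, plaintext = provision_gateway_user("sandbox-gw-alice", strategy)
        print(f"{strategy:8s} guessable from username alone: {guess_from_username(record)}")
```

Running it shows the "default" record is recovered from the username alone while the "random" one is not, and that neither record contains the plaintext, which is the reason option 5) would need a separate plaintext store rather than the existing salted-hash column.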
