security: allow automatic re-hashing from SCRAM to bcrypt #97429
Conversation
|
This change is |
rafiss
force-pushed
the
downgrade-to-bcrypt
branch
from
a55a1bb to
b0256b6
Compare
There was a problem hiding this comment.
Very nice.
LGTM modulo code organization.
Reviewed 10 of 10 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @rafiss)
-- commits line 4 at r1:
I'd recommend explaining the use case (why this is useful, when would a user want to use it etc) before the change.
-- commits line 5 at r1:
nit: add quotes around the setting names
pkg/security/password/password.go line 719 at r1 (raw file):
// - conversion enabled by cluster setting. // - the configured default method is scram-sha-256. if isBcrypt && autoUpgradePasswordHashes && PasswordHashMethod == HashSCRAMSHA256 {
This function is becoming large and hard to read/maintain. I'd recommend splitting it up.
pkg/security/password/password.go line 719 at r1 (raw file):
// - conversion enabled by cluster setting. // - the configured default method is scram-sha-256. if isBcrypt && autoUpgradePasswordHashes && PasswordHashMethod == HashSCRAMSHA256 {
The isBcrypt/isScram bools can be replaced by a type switch.
Release note (security update): Currently the process to change passwords from SCRAM hashing to bcrypt hashing is manual and can take a long time. An operator may wish to do this if their tools do not support SCRAM or if SCRAM is not desired for another reason. This change introduces the new cluster setting `server.user_login.downgrade_scram_stored_passwords_to_bcrypt.enabled`, which defaults to true. If it is true AND `server.user_login.password_encryption` is `crdb-bcrypt`, then during login, the stored hashed password will be converted from SCRAM to bcrypt.
rafiss
force-pushed
the
downgrade-to-bcrypt
branch
from
b0256b6 to
3d2491a
Compare
|
RFAL. For some reason, I can't reply to your comments inline (nor see them inline). I extracted some of the common logic, and adjusted the release note. I don't feel like a type switch improves readability, since we also need to check those other bools. |
There was a problem hiding this comment.
Reviewed 10 of 10 files at r1, 1 of 1 files at r2, all commit messages.
Reviewable status:
-- commits line 4 at r1:
I'd recommend explaining the use case (why this is useful, when would a user want to use it etc) before the change.
-- commits line 5 at r1:
nit: add quotes around the setting names
|
sorry i don't know why my comments were duplicated. please ignore |
|
tftr! flake in Extended CI was #96343 bors r=knz |
|
Build succeeded: |
|
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from 3d2491a to blathers/backport-release-22.2-97429: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 22.2.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
fixes #96408
Release note (security update): Currently the process to change
passwords from SCRAM hashing to bcrypt hashing is manual and can take a
long time. An operator may wish to do this if their tools do not support
SCRAM or if SCRAM is not desired for another reason.
This change introduces the new cluster setting
server.user_login.downgrade_scram_stored_passwords_to_bcrypt.enabled,which defaults to true. If it is true AND
server.user_login.password_encryptioniscrdb-bcrypt, then duringlogin, the stored hashed password will be converted from SCRAM to bcrypt.