Support password_hash in Put User API #34729

Closed
tvernum opened this issue Oct 23, 2018 · 2 comments
Labels: >enhancement, :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc))

Comments

tvernum (Contributor) commented Oct 23, 2018

The Put User API currently accepts a password_hash as an alternative to password, when creating or updating a user.

We don't document this, nor do we validate that the hash being stored is supported by the cluster.

We should:

  • Add validation in the Put User action that the incoming hash is one we understand (and not NOOP). See Hasher.resolveFromHash
  • Add tests for this
  • Add it to the API documentation

The use cases for using hashed passwords in the API are:

  • replicating users (and passwords) from other stores (or other clusters) that support compatible hashing schemes.
  • improved security in automation tools (e.g. ansible) - the automation scripts can store a hashed password rather than a clear text one
  • extreme end-to-end security in user setup (ES never sees the clear text password)
  • efficiency in bulk user setup. Password hashing is one of the slowest parts of user creation. This can offload that work to the client.
@tvernum tvernum added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Oct 23, 2018
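As an added example (not the project's own code, and in Python rather than Elasticsearch's Java), here are the two halves of the proposal above: client-side hashing for the automation and end-to-end use cases, and a resolveFromHash-style check that refuses a password_hash whose scheme is unrecognised and would otherwise fall through to NOOP. The hash prefixes, PBKDF2 parameters and the iteration floor are assumptions made for this example, not taken from the project.

```python
import base64
import hashlib
import os
import re

# Assumed formats (constructed for this example):
#   bcrypt:  $2a$<2-digit cost>$<53 chars of bcrypt base64>
#   pbkdf2:  {PBKDF2}<iterations>$<base64 salt>$<base64 derived key>
# A string with no recognised prefix is what NOOP would store as clear text.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
PBKDF2_RE = re.compile(r"^\{PBKDF2\}(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")


def pbkdf2_hash(password: str, iterations: int = 10000) -> str:
    """Client-side hashing: the clear-text password is hashed here and only
    the record is sent in the Put User request.
    Assumed parameters: HMAC-SHA512, 32-byte random salt, 32-byte key."""
    salt = os.urandom(32)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=32)
    return "{PBKDF2}%d$%s$%s" % (iterations,
                                 base64.b64encode(salt).decode("ascii"),
                                 base64.b64encode(key).decode("ascii"))


def resolve_hasher(password_hash: str) -> str:
    """Server-side check the issue asks for: name the scheme a stored hash
    belongs to, and raise for anything unrecognised (which would otherwise
    be accepted as a NOOP 'hash', i.e. stored clear text)."""
    m = BCRYPT_RE.match(password_hash)
    if m:
        cost = int(m.group(1))
        if not 4 <= cost <= 31:          # bcrypt's defined cost range
            raise ValueError("bcrypt cost %d out of range" % cost)
        return "bcrypt%d" % cost
    m = PBKDF2_RE.match(password_hash)
    if m:
        iterations, salt_b64, key_b64 = m.groups()
        if int(iterations) < 1000:       # assumed floor for this example
            raise ValueError("pbkdf2 iteration count too low")
        try:
            base64.b64decode(salt_b64, validate=True)
            base64.b64decode(key_b64, validate=True)
        except ValueError as err:
            raise ValueError("pbkdf2 fields are not valid base64") from err
        return "pbkdf2_%s" % iterations
    raise ValueError("unsupported password_hash format; refusing to store")
```

Calling resolve_hasher on the request body before persisting it is the check that stops a clear-text string from being stored under the password_hash field.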
elasticmachine (Collaborator) commented:

Pinging @elastic/es-security

tvernum (Contributor, Author) commented Nov 28, 2018

Resolved in: #35242, #35574, #35844
