-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 #4524
Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 #4524
Conversation
…and verification This change introduces support for PBKDF2 as an alternative password hashing algorithm to BCrypt. Furthermore, it adds support for configuring the parameters of BCrypt (rounds, minor) & PBKDF2 (iterations, length, function). Signed-off-by: Dan Cecoi <[email protected]>
… fix for integration tests failures Signed-off-by: Dan Cecoi <[email protected]>
Signed-off-by: Dan Cecoi <[email protected]>
…recommendations; refactored hash.sh help messages; modified an exception message Signed-off-by: Dan Cecoi <[email protected]>
Signed-off-by: Dan Cecoi <[email protected]>
Signed-off-by: Dan Cecoi <[email protected]>
…e Hasher script Signed-off-by: Dan Cecoi <[email protected]>
Tests are failing due to the switch to JDK21 and SecurityManager no longer being supported. I can try and add the @SuppressWarnings("removal") annotation but any advice on how to proceed will be appreciated! Edit: added the SupressWarnings annotation. |
…is used to fix compile errors with JDK21 Signed-off-by: Dan Cecoi <[email protected]>
@dancristiancecoi some quick comments from the PR description. I think it would be helpful to expand on the help text for the hashing script to make it read more like a Without passing any params will it default to the same BCrypt hash as it does today? For the default values I think we should include those in the help text of the hash script as well. For any option with multiple choices (like |
src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java
Show resolved
Hide resolved
src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java
Show resolved
Hide resolved
Good points! I will document the default values in the Hasher script. The script is backwards compatible, so if a user doesnt pass any algorithm related parameters it will default to the same BCrypt hash configuration |
Took a first pass and left a few comments. I'm curious to see the test coverage report when all CI checks pass. Thank you for adding extensive tests to accompany this change! One thought crossed my mind while reviewing the code as well, I think it would be useful in a follow-up change to add an option to the |
Signed-off-by: Dan Cecoi <[email protected]>
1/ because PBKDF2 consumes higher CPU cycles (depending on iterations, which i see here is already very high) -- can a bad actor effect Opensearch cluster health by repeated password attempts? 2/ Have we benchmarked how many cpu cycles are consumed and if this will work with single core cloud instances? |
|
src/main/java/org/opensearch/security/hasher/PasswordHasherFactory.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/support/ConfigConstants.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/hasher/PasswordHasherFactory.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
Show resolved
Hide resolved
src/test/java/org/opensearch/security/hasher/BCryptPasswordHasherTests.java
Show resolved
Hide resolved
src/test/java/org/opensearch/security/hasher/PBKDF2PasswordHasherTests.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @dancristiancecoi for the PR. left a few comments.
thanks a lot for the in-depth review!! |
- Added help option and improved the hash.sh help message - Added java docs to PasswordHasher & AbstractPasswordHasher - Changed the default PBKDF2 length from 512 to 256 - Improved the validation exception messages - Moved null check logic to AbstractPasswordHasher Signed-off-by: Dan Cecoi <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4524 +/- ##
==========================================
+ Coverage 64.95% 65.28% +0.33%
==========================================
Files 313 317 +4
Lines 22064 22273 +209
Branches 3562 3582 +20
==========================================
+ Hits 14331 14541 +210
+ Misses 5952 5940 -12
- Partials 1781 1792 +11
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dancristiancecoi The changes look good to me. Can you also create a PR on the documentation-website to add documentation about the settings being introduced?
Thank you! I've created it here: opensearch-project/documentation-website#7669 |
LGTM. thanks for taking care of the comments. |
src/integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/hasher/AbstractPasswordHasher.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/hasher/PasswordHasherFactory.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/dlic/rest/api/InternalUsersApiActionValidationTest.java
Show resolved
Hide resolved
- removed unnecessary instantiation of PasswordHasher in tests - improved the exception message when password hashing alg is not supported Signed-off-by: Dan Cecoi <[email protected]>
Any suggestions on where to document these new settings? One option is to document them in Configuring OpenSearch -> Security Settings > Expert-level settings We could also add a new chapter under Password settings in Security in OpenSearch -> Configuration -> Modifying the YAML files Which option is the most suitable one if at all? |
IMO we should add it under Configuring OpenSearch -> Security Settings > Expert-level settings since it lists all available security settings and also highlights that this is an expert-level setting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @dancristiancecoi for this contribution!
…ring BCrypt and PBKDF2 (#4524) Signed-off-by: Dan Cecoi <[email protected]> Co-authored-by: Dan Cecoi <[email protected]> (cherry picked from commit 8d29b11) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Thanks a lot for the reviews everyone! |
Description
This change adds support for PBKDF2 as an alternative, FIPS compliant, password hashing algorithm.
Furthermore, it adds support for configuring the following parameters for these hashing algorithms:
BCrypt:
PBKDF2:
Additionally, the hash.sh script has been modified to support the new algorithm and configuration.
install_demo_configuration.sh was left unchanged and currently only creates demo configurations with BCrypt hashes.
Issues Resolved
#4590
Related issues:
#4381
#3420
Testing
Added unit tests, integration tests and done manual tests.
Deploy without any hashing configuration specified:
Deploy with PBKDF2:
opensearch.yml config:
internal_users.yml config:
Testing:
Documentation
This requires changes to the OpenSearch documentation.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.