commit - a21c0e6acf9ee1b818150d2f5ce8a40fc861f20d
commit + 952d15827b9a299e6a13a8f0e3a0f3b0c36118cc
blob - /dev/null
blob + a91a7707d26d5dc2f80b01ca6577b3cdf3b72012 (mode 644)
--- /dev/null
+++ changelogs/unreleased/gh-8967-creds-consider-auth-type.md
+## feature/config
+
+* Now a password hash (and salt) will be regenerated for users managed
+ in the configuration file if `security.auth_type` differs from a user's
+ `auth_type` (gh-8967).
blob - 5723fea63e398a1f6ed425860ccbff004c04e0ff
blob + 6e088f412cb0ea517d855827e3159720111526c1
--- src/box/lua/config/applier/credentials.lua
+++ src/box/lua/config/applier/credentials.lua
end
local auth_type = auth_def['chap-sha1'] and 'chap-sha1' or 'pap-sha256'
+
+ local new_password = false
if auth_type == 'chap-sha1' then
local current_hash = auth_def['chap-sha1']
local new_hash = box.schema.user.password(password)
- if new_hash == current_hash then
- log.verbose('credentials.apply: a password is already set ' ..
- 'for user %q', user_name)
- else
- log.verbose('credentials.apply: set a password for user %q',
- user_name)
- box.schema.user.passwd(user_name, password)
+ if new_hash ~= current_hash then
+ new_password = true
end
else
assert(auth_def['pap-sha256'])
local new_hash = digest.sha256(current_salt .. password)
if new_hash == current_hash then
+ -- Note: passwd() generated new random salt, it will be different
+ -- from current_salt.
+ new_password = true
+ end
+ end
+
+ if not new_password then
+ -- Note that security.auth_type is applied by box_cfg applier.
+ -- It is executed before credentials applier, so the current
+ -- box.cfg.auth_type is already set.
+ if box.cfg.auth_type == auth_type then
log.verbose('credentials.apply: a password is already set ' ..
'for user %q', user_name)
else
- log.verbose('credentials.apply: set a password for user %q',
- user_name)
- -- Note: passwd() generated new random salt, it will be different
- -- from current_salt.
+ log.verbose('credentials.apply: a password for user %q has ' ..
+ 'different auth_type, resetting it', user_name)
box.schema.user.passwd(user_name, password)
end
+ else
+ log.verbose('credentials.apply: set a password for user %q',
+ user_name)
+ box.schema.user.passwd(user_name, password)
end
+
end
local function create_users(user_map)
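Review bot: The pap-sha256 branch sets `new_password = true` under the context line `if new_hash == current_hash then`, which is the inverse of the chap-sha1 branch's `if new_hash ~= current_hash then` just above and of the removed code, where an equal hash meant "already set". As written, a pap-sha256 user whose password is unchanged gets passwd() (and a fresh salt) on every apply, while a user whose password actually changed in the config takes the `not new_password` path and keeps the old hash whenever box.cfg.auth_type already matches, so the new password is silently never applied. The condition should read `if new_hash ~= current_hash then`, matching the chap-sha1 branch. The comment moved into that block ("passwd() generated new random salt, it will be different from current_salt") describes the passwd() call rather than the comparison, so it belongs next to the `box.schema.user.passwd(user_name, password)` calls below. The enclosing function starts outside the hunk, and `current_salt`/`current_hash` used in the pap-sha256 branch appear to be declared there.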
blob - 5a91a0d2bff8b5d3a194b59557b21d9c51368ece
blob + e5e76322d1b3e83bbdcb0ca9b5003eca21919ad9
--- test/config-luatest/credentials_applier_test.lua
+++ test/config-luatest/credentials_applier_test.lua
end
})
end
+
+g.test_consider_auth_type_for_passwods = function(g)
+ t.tarantool.skip_if_not_enterprise()
+
+ helpers.reload_success_case(g, {
+ options = {
+ credentials = {
+ users = {
+ guest = {
+ roles = { 'super' }
+ },
+ myuser = {
+ password = 'secret',
+ },
+ },
+ },
+ security = {
+ auth_type = 'chap-sha1',
+ },
+ },
+ verify = function()
+ t.assert_equals(box.cfg.auth_type, 'chap-sha1')
+
+ local password_def = box.space._user.index.name:get({'myuser'})[5]
+ t.assert_equals(type(password_def['chap-sha1']), 'string')
+ end,
+ options_2 = {
+ credentials = {
+ users = {
+ guest = {
+ roles = { 'super' }
+ },
+ myuser = {
+ password = 'secret',
+ },
+ },
+ },
+ security = {
+ auth_type = 'pap-sha256',
+ },
+ },
+ verify_2 = function()
+ t.assert_equals(box.cfg.auth_type, 'pap-sha256')
+
+ local password_def = box.space._user.index.name:get({'myuser'})[5]
+ t.assert_equals(type(password_def['pap-sha256']), 'table')
+ end,
+ })
+end
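Review bot: The second verify step only checks that `password_def['pap-sha256']` is a table after the auth_type switch; it does not show that the regenerated entry still corresponds to 'secret', nor that a further reload with the same pap-sha256 options leaves the entry untouched, which is the "regenerate only when needed" behaviour the changelog describes. If helpers.reload_success_case allows a further step (or in a separate case), asserting that the stored entry is identical after an unchanged reload, and that authentication as myuser with 'secret' still succeeds after the switch, would pin both halves. The first verify step could likewise assert `t.assert_equals(password_def['chap-sha1'], box.schema.user.password('secret'))` so the test ties to the comparison the applier performs. The test name `test_consider_auth_type_for_passwods` has a typo; rename it to `test_consider_auth_type_for_passwords`.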