Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql: pull password hashing back to the sql package #51501

Merged
merged 1 commit into from
Jul 17, 2020
Merged

sql: pull password hashing back to the sql package #51501

merged 1 commit into from
Jul 17, 2020

Conversation

knz
Copy link
Contributor

@knz knz commented Jul 16, 2020

This also removes some obsolete code, and ensures that the username
validity check is performed before the password validity check.

Release note: None

@knz knz requested a review from RichardJCai July 16, 2020 11:09
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@knz knz added this to In progress in KV 20.2 via automation Jul 16, 2020
@knz knz added this to In progress in DB Server & Security via automation Jul 16, 2020
@knz knz mentioned this pull request Jul 16, 2020
Merged
RichardJCai
RichardJCai reviewed Jul 16, 2020
View reviewed changes
Copy link
Contributor

@RichardJCai RichardJCai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @knz and @RichardJCai)

pkg/sql/alter_role.go, line 148 at r1 (raw file):

		}

		if hashedPassword == nil {

Nit: Does this logic for setting hashedPassword to an empty byte array make sense to move into checkPasswordAndGetHash? We can avoid duplication by doing so.

@knz
sql: pull password hashing back to the sql package
b27c698 
This also removes some obsolete code, and ensures that the username
validity check is performed before the password validity check.

Release note: None
knz
knz commented Jul 17, 2020
View reviewed changes
Copy link
Contributor Author

@knz knz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @RichardJCai)

pkg/sql/alter_role.go, line 148 at r1 (raw file):

Previously, RichardJCai (Richard Cai) wrote…

Nit: Does this logic for setting hashedPassword to an empty byte array make sense to move into checkPasswordAndGetHash? We can avoid duplication by doing so.

Good idea! Done.

@knz
Copy link
Contributor Author

knz commented Jul 17, 2020

the CI is flaking on #51543

craig bot pushed a commit that referenced this pull request Jul 17, 2020
@knz
Merge #51502 #51542
5149293 
51502: security,sql: add a setting to constrain the minimum password length r=RichardJCai a=knz

Requested by @bdarnell.

First commit from #51501.

This change adds a new cluster setting
`server.user_login.min_password_length`. When set and non-zero, it
forces a minimum password length to passwords passed in cleartext to
the SQL `WITH PASSWORD` clause (`CREATE/ALTER USER/ROLE`).

This change is part of a larger set of security measures to help
the secure deployment of Cockroach Cloud. We are not yet planning
to advertise this to on-prem users until the feature matures and
is complemented by additional enhancements to password authentication.

cc @solongordon @thtruo @aaron-crl for visibility.

51542: cli: temporarily skip TestPartialZip and CDC tests r=tbg a=knz

Due to #51538

Release note: None

Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
@craig craig bot merged commit b27c698 into cockroachdb:master Jul 17, 2020
DB Server & Security automation moved this from In progress to Done 20.2 Jul 17, 2020
KV 20.2 automation moved this from In progress to Done Jul 17, 2020
@knz knz deleted the 20200716-pwd-length branch July 17, 2020 11:09
RichardJCai
RichardJCai reviewed Jul 17, 2020
View reviewed changes
pkg/sql/create_role.go
hashedPassword = []byte{}
}

return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait shouldn't this return hashedPassword or a return inside the if statement?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand your question. Can you rephrase?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah nvm I see that the return values are named, ignore my comment.

Not a huge fan of named return values with an empty return statement though.

@lunevalex lunevalex removed this from Done in KV 20.2 Jul 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RichardJCai RichardJCai RichardJCai left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@knz @cockroach-teamcity @RichardJCai