Merge pull request #994 from sbesson/salt_dev44

Add documentation for salting in 4.4.12
ome · Sep 22, 2014 · b92c190 · b92c190
2 parents 678fa18 + 9a94d61
commit b92c190
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 7 deletions.
diff --git a/omero/developers/Server/PasswordProvider.txt b/omero/developers/Server/PasswordProvider.txt
@@ -8,7 +8,7 @@ Several implementations exist currently:
 
 -  :source:`ome.security.auth.JdbcPasswordProvider <components/server/src/ome/security/auth/JdbcPasswordProvider.java>`
    is the most common provider, and uses the "password" table for
-   storing MD5 encrypted passwords per user.
+   storing passwords hashed using MD5 and salt per user.
 -  :source:`ome.security.auth.FilePasswordProvider <components/server/src/ome/security/auth/FilePasswordProvider.java>`
    is rarely used, but in some scenarios may be useful since it permits
    setting usernames and passwords in a plain text file.
@@ -38,10 +38,10 @@ Things to keep in mind
    :source:`LoginAttemptMessage <components/server/src/ome/services/messages/LoginAttemptMessage.java>`
    so that any :doc:`/developers/Server/LoginAttemptListener`
    implementation can properly react to failed logins. Your
-   implementation should probably do the same
+   implementation should probably do the same.
 
 -  When dealing with chains of password providers, an implementation can
    safely return null from ``checkPassword`` to say "I don't know
    anything about this". This is only important if you configure your
    own chained password provider with your new implementation as one of
-   the elements..
+   the elements.
diff --git a/omero/sysadmins/server-ldap.txt b/omero/sysadmins/server-ldap.txt
@@ -270,6 +270,15 @@ command:
 When the LDAP password provider implementation changes, previous versions can
 be configured as necessary.
 
+chainedPasswordProviderNoSalt
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``chainedPasswordProviderNoSalt`` uses the version of the JDBC password
+provider without password salting support as available in the OMERO 4.4.x
+series. To enable it, use::
+
+    bin/omero config set omero.security.password_provider chainedPasswordProviderNoSalt
+
 chainedPasswordProvider431
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 

diff --git a/omero/sysadmins/server-upgrade.txt b/omero/sysadmins/server-upgrade.txt
@@ -34,6 +34,16 @@ below. Please refer to each section for additional details.
     :local:
     :depth: 1
 
+.. warning::
+	With 4.4.12, the default JDBC password provider has been modified to
+	add password salting support. This implies that once a server has been
+	upgraded and deployed, if passwords are modified, you will not be able
+	to easily revert to a configuration without salting. To keep using the
+	legacy password provider without salting support, you will need to
+	configure ``omero.security.password_provider`` to use the legacy
+	``chainedPasswordProviderNoSalt`` as described in the
+	:ref:`legacy_password_providers` section.
+
 .. warning:: The passwords and logins used here are examples. Please consult
     the :ref:`troubleshooting-password` section for explanation.  In particular,
     make sure to replace the values of **db_user** and **omero_database**
@@ -118,8 +128,8 @@ database which can both save disk space and speed up access times.
 
 .. parsed-literal::
 
-    $ psql -h localhost -U **db_user** **omero_database** -c "REINDEX DATABASE **omero_database** FORCE;"
-    $ psql -h localhost -U **db_user** **omero_database** -c "VACUUM FULL VERBOSE ANALYZE;"
+    $ psql -h localhost -U **db_user** **omero_database** -c 'REINDEX DATABASE "**omero_database**" FORCE;'
+    $ psql -h localhost -U **db_user** **omero_database** -c 'VACUUM FULL VERBOSE ANALYZE;'
 
 .. _upgrademergescript:
 
@@ -138,8 +148,8 @@ For further information on managing your scripts, refer to
 :doc:`installing-scripts`. If you require help, please contact the OME 
 developers.
 
-Update your environment variables
----------------------------------
+Update your configuration
+-------------------------
 
 Environment variables
 ^^^^^^^^^^^^^^^^^^^^^
@@ -149,6 +159,15 @@ make sure to update any system environment variables. Before restarting
 the server, make sure your PATH and PYTHONPATH system environment
 variables are pointing to the new locations.
 
+JVM memory settings
+^^^^^^^^^^^^^^^^^^^
+
+If you modified your memory settings, these changes will be lost and you will
+need to update the memory settings for the new server. Refer to the
+`JVM memory settings` sub-section of the OMERO.server installation section
+(:doc:`Unix <unix/server-installation>` or
+:doc:`Windows <windows/server-installation>`) for more information.
+
 Changes to OMERO.web URLs
 ^^^^^^^^^^^^^^^^^^^^^^^^^