Add documentation for salting in 4.4.12 #994

Merged
merged 8 commits into from
Sep 22, 2014
6 changes: 3 additions & 3 deletions omero/developers/Server/PasswordProvider.txt
Expand Up @@ -8,7 +8,7 @@ Several implementations exist currently:

- :source:`ome.security.auth.JdbcPasswordProvider <components/server/src/ome/security/auth/JdbcPasswordProvider.java>`
is the most common provider, and uses the "password" table for
storing MD5 encrypted passwords per user.
storing passwords hashed using MD5 and salt per user.
- :source:`ome.security.auth.FilePasswordProvider <components/server/src/ome/security/auth/FilePasswordProvider.java>`
is rarely used, but in some scenarios may be useful since it permits
setting usernames and passwords in a plain text file.
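
Review bot: "hashed using MD5 and salt per user" in the JdbcPasswordProvider bullet is ambiguous: it can be read as a per-user salt or as one hash per user with a shared salt, and it does not say where the salt lives relative to the "password" table. Suggest something like "storing a salted MD5 hash of each user's password", and, since this page is aimed at developers writing their own providers, one sentence on where the salt is stored and how hashes written before salting are still checked.
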
Expand Down Expand Up @@ -38,10 +38,10 @@ Things to keep in mind
:source:`LoginAttemptMessage <components/server/src/ome/services/messages/LoginAttemptMessage.java>`
so that any :doc:`/developers/Server/LoginAttemptListener`
implementation can properly react to failed logins. Your
implementation should probably do the same
implementation should probably do the same.

- When dealing with chains of password providers, an implementation can
safely return null from ``checkPassword`` to say "I don't know
anything about this". This is only important if you configure your
own chained password provider with your new implementation as one of
the elements..
the elements.
9 changes: 9 additions & 0 deletions omero/sysadmins/server-ldap.txt
Expand Up @@ -270,6 +270,15 @@ command:
When the LDAP password provider implementation changes, previous versions can
be configured as necessary.

chainedPasswordProviderNoSalt
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The ``chainedPasswordProviderNoSalt`` uses the version of the JDBC password
provider without password salting support as available in the OMERO 4.4.x
series. To enable it, use::

bin/omero config set omero.security.password_provider chainedPasswordProviderNoSalt

chainedPasswordProvider431
^^^^^^^^^^^^^^^^^^^^^^^^^^

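Review bot: "as available in the OMERO 4.4.x series" in the new chainedPasswordProviderNoSalt section is imprecise, because 4.4.12 is itself a 4.4.x release and, per the warning this same PR adds to server-upgrade.txt, is the release that introduces salting. Suggest "as available before OMERO 4.4.12". The section would also benefit from a sentence on when an administrator should choose this provider and a cross-reference back to the upgrade warning, so the two pages do not drift apart.
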
27 changes: 23 additions & 4 deletions omero/sysadmins/server-upgrade.txt
Expand Up @@ -34,6 +34,16 @@ below. Please refer to each section for additional details.
:local:
:depth: 1

.. warning::
With 4.4.12, the default JDBC password provider has been modified to
add password salting support. This implies that once a server has been
upgraded and deployed, if passwords are modified, you will not be able
to easily revert to a configuration without salting. To keep using the
legacy password provider without salting support, you will need to
configure ``omero.security.password_provider`` to use the legacy
``chainedPasswordProviderNoSalt`` as described in the
:ref:`legacy_password_providers` section.

.. warning:: The passwords and logins used here are examples. Please consult
the :ref:`troubleshooting-password` section for explanation. In particular,
make sure to replace the values of **db_user** and **omero_database**
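
Review bot: the new warning says "you will not be able to easily revert" but leaves out both the consequence and the timing. Please state what happens to accounts whose passwords were changed after the upgrade if the server is later switched to ``chainedPasswordProviderNoSalt``, and say explicitly that ``omero.security.password_provider`` has to be set before the upgraded server is first started if that is the intent. The definition of the ``legacy_password_providers`` label is not part of this diff, so please also confirm it exists in server-ldap.txt, otherwise the ``:ref:`` will not resolve.
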
Expand Down Expand Up @@ -118,8 +128,8 @@ database which can both save disk space and speed up access times.

.. parsed-literal::

$ psql -h localhost -U **db_user** **omero_database** -c "REINDEX DATABASE **omero_database** FORCE;"
$ psql -h localhost -U **db_user** **omero_database** -c "VACUUM FULL VERBOSE ANALYZE;"
$ psql -h localhost -U **db_user** **omero_database** -c 'REINDEX DATABASE "**omero_database**" FORCE;'
$ psql -h localhost -U **db_user** **omero_database** -c 'VACUUM FULL VERBOSE ANALYZE;'

.. _upgrademergescript:

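Review bot: the switch to single quotes around the ``-c`` argument on both psql lines assumes a POSIX shell; cmd.exe does not treat single quotes as quoting, and this upgrade page also points Windows administrators at their installation docs further down. Either say that these commands are for Unix shells or add a Windows variant. A short sentence on why the database name is now double-quoted in the REINDEX line (names that are case-sensitive or contain characters that need quoting) would explain the change to readers comparing with older instructions.
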
Expand All @@ -138,8 +148,8 @@ For further information on managing your scripts, refer to
:doc:`installing-scripts`. If you require help, please contact the OME
developers.

Update your environment variables
---------------------------------
Update your configuration
-------------------------

Environment variables
^^^^^^^^^^^^^^^^^^^^^
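
Review bot: renaming the section from "Update your environment variables" to "Update your configuration" changes the anchor Sphinx generates for it, so any link to the old heading from other pages or from outside the docs will break. Please search the docs for references to the old title, or add an explicit label above the new heading so there is a stable target.
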
Expand All @@ -149,6 +159,15 @@ make sure to update any system environment variables. Before restarting
the server, make sure your PATH and PYTHONPATH system environment
variables are pointing to the new locations.

JVM memory settings
^^^^^^^^^^^^^^^^^^^

If you modified your memory settings, these changes will be lost and you will
need to update the memory settings for the new server. Refer to the
`JVM memory settings` sub-section of the OMERO.server installation section
(:doc:`Unix <unix/server-installation>` or
:doc:`Windows <windows/server-installation>`) for more information.

Changes to OMERO.web URLs
^^^^^^^^^^^^^^^^^^^^^^^^^

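Review bot: in the new "JVM memory settings" paragraph, `JVM memory settings` is written in single backticks, which reStructuredText treats as default-role interpreted text rather than as a link or a literal. If the installation pages have a label for that sub-section, use ``:ref:`` to link to it directly; otherwise use emphasis or quotation marks. "If you modified your memory settings" would also be clearer if it named the file or setting that is overwritten by the upgrade, so administrators know what to back up beforehand.
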