
Support PasswordHash in User type

Open NikSays opened this issue 1 year ago • 6 comments

This closes #865, #866

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed

Note to contributors: remember to re-generate client set if there are any API changes

Summary Of Changes

The Secret specified in User's ImportCredentialsSecret may contain the passwordHash field. If the field is absent, the behavior is unchanged: the plain-text password is generated if necessary and stored in the credentials Secret.

If the passwordHash field is present, then the password field is ignored and the resulting credentials Secret will contain only the hash. This is done to prevent ambiguous situations where the hash doesn't correspond to the password. It also prevents the plain-text password being accidentally used over the hash.

If the hash is an empty string, a passwordless user is created.

Additional Context

Currently the hash must be generated with the SHA512 algorithm. A way to specify another hashing algorithm needs to be added. I will add it as another field in the secret, but I'm concerned the documentation for importCredentialsSecret will become too complicated.

Todo

  • [ ] ~Specify hashing algorithm~
  • [x] Add examples
  • [x] Update documentation

NikSays avatar Sep 14 '24 21:09 NikSays
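
The following is an added example, not code from this PR or from the operator. It produces a `passwordHash` value in RabbitMQ's documented salted layout, base64(salt || SHA-512(salt || password)) with a 4-byte salt, and models the field precedence described above. The helper names, the `username` key and the sample password are assumptions made for illustration, and password generation for the hash-absent case is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// encode builds base64(salt || SHA-512(salt || password)).
func encode(salt []byte, password string) string {
	sum := sha512.Sum512(append(append([]byte{}, salt...), password...))
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, salt...), sum[:]...))
}

// HashPassword salts with 4 random bytes, as RabbitMQ's hashing scheme expects.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 4)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return encode(salt, password), nil
}

// VerifyHash re-derives the hash from the embedded salt; use it to confirm a
// hash matches the intended password before placing it in the Secret.
func VerifyHash(hash, password string) bool {
	raw, err := base64.StdEncoding.DecodeString(hash)
	if err != nil || len(raw) != 4+sha512.Size {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(encode(raw[:4], password)), []byte(hash)) == 1
}

// ResolveCredentials (hypothetical) models the precedence described in the PR:
// a present passwordHash, even an empty one, wins and the password is dropped.
func ResolveCredentials(secret map[string][]byte) map[string][]byte {
	out := map[string][]byte{"username": secret["username"]}
	if h, ok := secret["passwordHash"]; ok {
		out["passwordHash"] = h
	} else {
		out["password"] = secret["password"]
	}
	return out
}

func main() {
	h, _ := HashPassword("constructed-sample-password") // constructed sample input
	fmt.Println(h, VerifyHash(h, "constructed-sample-password"))
}
```
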