Skip to content

sql: pull password hashing back to the sql package#51501

Merged
craig[bot] merged 1 commit intocockroachdb:masterfrom
knz:20200716-pwd-length
Jul 17, 2020
Merged

sql: pull password hashing back to the sql package#51501
craig[bot] merged 1 commit intocockroachdb:masterfrom
knz:20200716-pwd-length

Conversation

@knz
Copy link
Copy Markdown
Contributor

@knz knz commented Jul 16, 2020

This also removes some obsolete code, and ensures that the username
validity check is performed before the password validity check.

Release note: None

@knz knz requested a review from RichardJCai July 16, 2020 11:09
@cockroach-teamcity
Copy link
Copy Markdown
Member

cockroach-teamcity commented Jul 16, 2020

This change is Reviewable

@knz knz mentioned this pull request Jul 16, 2020
Merged
RichardJCai
RichardJCai reviewed Jul 16, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@RichardJCai RichardJCai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @knz and @RichardJCai)

pkg/sql/alter_role.go, line 148 at r1 (raw file):

		}

		if hashedPassword == nil {

Nit: Does this logic for setting hashedPassword to an empty byte array make sense to move into checkPasswordAndGetHash? We can avoid duplication by doing so.

@knz
sql: pull password hashing back to the sql package
b27c698 
This also removes some obsolete code, and ensures that the username
validity check is performed before the password validity check.

Release note: None
knz
knz commented Jul 17, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@knz knz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @RichardJCai)

pkg/sql/alter_role.go, line 148 at r1 (raw file):

Previously, RichardJCai (Richard Cai) wrote…

Nit: Does this logic for setting hashedPassword to an empty byte array make sense to move into checkPasswordAndGetHash? We can avoid duplication by doing so.

Good idea! Done.

@knz knz force-pushed the 20200716-pwd-length branch from a920adf to b27c698 Compare July 17, 2020 07:42
@knz
Copy link
Copy Markdown
Contributor Author

knz commented Jul 17, 2020

the CI is flaking on #51543

craig bot pushed a commit that referenced this pull request Jul 17, 2020
@knz
Merge #51502 #51542
5149293 
51502: security,sql: add a setting to constrain the minimum password length r=RichardJCai a=knz

Requested by @bdarnell.

First commit from #51501.

This change adds a new cluster setting
`server.user_login.min_password_length`. When set and non-zero, it
forces a minimum password length to passwords passed in cleartext to
the SQL `WITH PASSWORD` clause (`CREATE/ALTER USER/ROLE`).

This change is part of a larger set of security measures to help
the secure deployment of Cockroach Cloud. We are not yet planning
to advertise this to on-prem users until the feature matures and
is complemented by additional enhancements to password authentication.

cc @solongordon @thtruo @aaron-crl for visibility.

51542: cli: temporarily skip TestPartialZip and CDC tests r=tbg a=knz

Due to #51538

Release note: None

Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
@craig craig bot merged commit b27c698 into cockroachdb:master Jul 17, 2020
@knz knz deleted the 20200716-pwd-length branch July 17, 2020 11:09
RichardJCai
RichardJCai reviewed Jul 17, 2020
View reviewed changes
pkg/sql/create_role.go
hashedPassword = []byte{}
}

return
Copy link
Copy Markdown
Contributor

@RichardJCai RichardJCai Jul 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait shouldn't this return hashedPassword or a return inside the if statement?

Copy link
Copy Markdown
Contributor Author

@knz knz Jul 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand your question. Can you rephrase?

Copy link
Copy Markdown
Contributor

@RichardJCai RichardJCai Jul 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah nvm I see that the return values are named, ignore my comment.

Not a huge fan of named return values with an empty return statement though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@RichardJCai RichardJCai RichardJCai left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@knz @cockroach-teamcity @RichardJCai @lunevalex