Bug 1008971 - [PRD] [Doc Bug Fix] EAP62_1220 - Documentation for [RFE] Mechanism to cache passwords from external source for LdapExt login module
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: GA
Target Release: EAP 6.3.0
Assigned To: Russell Dickenson
Keywords: Documentation, FutureFeature
Reported: 2013-09-17 08:23 EDT by Russell Dickenson
Modified: 2014-08-14 11:18 EDT (History)

Doc Type: Enhancement
Last Closed: 2014-08-06 10:36:07 EDT
Type: Bug

Attachments: None
Description Russell Dickenson 2013-09-17 08:23:37 EDT
"Due to performance issues we need to cache passwords obtained from external sources using {EXT} prefix in LdapExt login module" Note: This RFE is a clone of https://issues.jboss.org/browse/PRODMGT-319 under consideration for EAP 5.3. 
--[jira] https://issues.jboss.org/browse/PRODMGT-395
Comment 2 Scott Mumford 2014-05-28 21:16:49 EDT
This has been documented for the 5.x stream. Details in bug 1093209.
Comment 5 Josef Cacek 2014-06-13 10:39:12 EDT
The description should be moved out of the table to its own section. There are 2 main reasons:

1) The readability in a table column is very bad.

2) This feature is not used only in LdapExtLoginModule, but in other parts of PicketBox too:

$ grep -R 'Util.loadPassword' *
org/picketbox/datasource/security/PBEIdentityLoginModule.java:        this.pbepass = Util.loadPassword(tmp);
org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java:          bindCredential = new String(Util.loadPassword(bindCredential));
org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java:          this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/spi/LdapUsersLoginModule.java:        this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/spi/LdapExtLoginModule.java:      this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/callback/LdapCallbackHandler.java:        bindCredential = new String(Util.loadPassword(bindCredential));
org/jboss/security/JBossJSSESecurityDomain.java:    this.keyStorePassword = Util.loadPassword(keyStorePassword);
org/jboss/security/JBossJSSESecurityDomain.java:    this.trustStorePassword = Util.loadPassword(trustStorePassword);
org/jboss/security/JBossJSSESecurityDomain.java:    this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
Comment 6 Nidhi 2014-06-19 13:57:14 EDT
Created new topic #38715. Updated content specs. Changes will be visible in the next build.
Comment 7 sgilda 2014-06-26 15:50:54 EDT
Hi Nidhi,

I found your new topic in the Security Guide here: http://docbuilder.usersys.redhat.com/22558/#Mechanism_to_Cache_Passwords_from_External_Source

I'm not sure it's ready for QA review. The first 2 sentences are not really complete sentences. 

For the first sentence, maybe this would be better?

    The <literal>bindCredential</literal> module option allows for caching of passwords from external sources.

I'm not sure I understand this sentence:  
    Password stored as plain text for the bindDN, or loaded externally using EXT command

Are you saying this? 

    Passwords are stored as plain text for the <literal>bindDN</literal> option or are loaded externally using the <literal>EXT</literal> command.

I am adding the preview URL so Josef can review this also since I am not familiar with the topic.

Preview URL for the new topic is here: 
    http://docbuilder.usersys.redhat.com/22558/#Mechanism_to_Cache_Passwords_from_External_Source
Comment 8 Russell Dickenson 2014-07-01 01:48:31 EDT
I have restructured this topic to aid clarity. I further need to add sub-titles per sub-section.

Topic: "bindCredential Module Option [38715]"
Comment 9 Russell Dickenson 2014-07-01 22:39:03 EDT
I have further restructured and reworded the content to improve on its clarity. When it is available on the docs-devel site I will move this ticket to ON_QA.

Topic: bindCredential Module Option [38715]
Comment 10 Russell Dickenson 2014-07-02 03:01:55 EDT
The amended text is available in revision 6.3.0-29 (or later) of the Security Guide at [1].

As per comment 5 from Josef, this content has been moved out of a tabular format. I have done my best to explain the several methods available for the bindCredential module, including how to have passwords obtained from an external source cached.


[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#Mechanism_to_Cache_Passwords_from_External_Source
Comment 11 FIlip Bogyai 2014-07-03 03:19:22 EDT
There are some minor issues which should be fixed:

1) It is good that the long description was moved out of the table, but this module option needs to be kept in the LdapExtended table. I suggest putting a reference (link) to this new section into the table, in the description of this module option, so that users can find the information easily.


2) In the first sentence:
Add that bindCredential can also be used by several mapping modules.


3) In the option "Use an external command":
The {EXTC[:expiration_in_millis]} variant is supported only by the LdapExtended login module; this should be mentioned.

Add that if "expiration_in_millis" is set to 0, it doesn't expire (same as the default).


4) Remove the option "Use a specified class", because this is not supported in the configuration settings of EAP.


5) In Example 15.19, "Obtain a password from an external file and cache it for 500 milliseconds":
There should be no "[]" brackets. The example should look like this:

{EXTC:500}cat /mysecretpasswordfile
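The {EXT} / {EXTC[:expiration_in_millis]} behaviour this comment asks to be documented, as an added Python model written for this page rather than PicketBox's own Util.loadPassword code: {EXT} runs the command on every load, while {EXTC} caches the command's first output line (keyed by the command string, an assumption) and only re-runs it once expiration_in_millis has elapsed, with 0 or no value meaning the cached password never expires. The runner and clock are injectable so the logic can be exercised without a real external command.

```python
import re
import shlex
import subprocess
import time

# Recognises the three credential forms discussed in the comment:
#   plain text, {EXT}command, and {EXTC[:expiration_in_millis]}command.
PREFIX_RE = re.compile(r"^\{EXT(C(?::(\d+))?)?\}(.*)$", re.DOTALL)


class ExternalPasswordLoader:
    """Model of the bindCredential prefix semantics (assumption: cache keyed by command)."""

    def __init__(self, runner=None, clock=time.monotonic):
        self._runner = runner or self._run_command  # injectable so tests need no real command
        self._clock = clock
        self._cache = {}  # command -> (password, expiry time or None for "never")

    @staticmethod
    def _run_command(command):
        # Assumption: the command is split shell-style (no shell interpolation) and
        # its first line of standard output is the password.
        out = subprocess.run(shlex.split(command), check=True,
                             capture_output=True, text=True).stdout
        return out.splitlines()[0] if out else ""

    def load(self, credential):
        m = PREFIX_RE.match(credential)
        if m is None:
            return credential  # plain-text password: used as-is
        cached, millis, command = m.group(1), m.group(2), m.group(3)
        if not cached:
            return self._runner(command)  # {EXT}: run on every call, nothing is cached
        now = self._clock()
        entry = self._cache.get(command)
        if entry is not None and (entry[1] is None or now < entry[1]):
            return entry[0]  # {EXTC}: fresh cached value, the command is not re-run
        password = self._runner(command)
        ttl_ms = int(millis) if millis is not None else 0
        # expiration_in_millis of 0, or omitted, means the cached value never expires.
        expires_at = None if ttl_ms == 0 else now + ttl_ms / 1000.0
        self._cache[command] = (password, expires_at)
        return password
```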
Comment 12 Russell Dickenson 2014-07-03 20:12:11 EDT
I have made all the changes requested in comment 11. When this guide is rebuilt I will put this ticket to ON_QA status.

Note to Docs:
bindCredential Module Option [38715]

Note to QE:

A visual diff of the changes made is available at [1]. Otherwise the details of the changes made are as follows:

* Added mention in the first paragraph that bindCredential can be used also by several mapping modules.
* Added note that the 'EXTC' variant is supported only by LdapExtended login module.
* Added mention that if the "expiration_in_millis" is set to 0 it doesn't expire.
* Removed option "Use a specified class".
* In example "Obtain a password from an external file and cache it for 500 milliseconds", removed the square brackets.


[1] http://virt-ecs-01.lab.eng.bne.redhat.com:8080/pressgang-ccms-ui-next/#TopicHistoryView;38715;680750;681306
Comment 13 David Michael 2014-07-04 01:12:13 EDT
LINK:
http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#Mechanism_to_Cache_Passwords_from_External_Source
Comment 14 FIlip Bogyai 2014-07-08 03:46:23 EDT
Verified in Revision 6.3.0-32
