influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0
28.75k stars 3.54k forks

[feature request] Allow "SHOW USERS" to display the hash password #4904

Open descrepes opened 8 years ago

descrepes commented 8 years ago

Hi,

Displaying the hash password of users with the "SHOW USERS" could be very useful :)

Regards

otoolep commented 8 years ago

You're kidding, right? :-) This feature could be considered a serious security issue.

Can you provide a rationale? Otherwise we will close this.

descrepes commented 8 years ago

Just as the mysql show grants or select password from mysql.user\G do. It returns the hash password of the user. Not the password itself.

The main reason is that I'm writing a puppet resource for influxdb. The user has 2 properties that can be updated: password and admin (grant should be another type/provider).

The idea is to declare an influxdb user like so:

influxdb_user { 'foo':
  ensure   => present,
  isadmin  => false,
  password => $foo_pass,
}

$foo_pass is a puppet variable encrypted in hiera eyaml.

While puppet is prefetching, it lists all the users and fetches all attributes of each user. During this prefetch, if we want puppet to be able to update the password (and not set it during each puppet run), we need to compare it. The idea is to compare the hash of the password provided in the declared resource to the hash password retrieved by the SHOW USERS (for example).

Regards

otoolep commented 8 years ago

I didn't know MySQL exposed that information -- I did realise you were talking about the hash, but hashes can be cracked, so exposing them unnecessarily is always something to avoid.

We would need to make sure only the admin could do this, if we decide to support it.

descrepes commented 8 years ago

Yes, only hashes. And of course only admin authenticated users should be allowed to retrieve that information :)

dmke commented 8 years ago

I've run into the same issue while building an Ansible module.

Currently, I can't determine whether the user's state has changed (and act upon those changes further down the provisioning road), because I cannot compare the password hash before and after SET PASSWORD execution...

As a workaround, I am connecting with the given credentials and query something [1]. If the connection errors with "authentication failure", then the password needs to be updated. This feels hackish.

Footnote 1. This is a bit tricky, as all SHOW statements will error out with "requires admin privileges" (if the given user is not an admin). There is also no such thing as a SELECT 1 statement, as it needs a FROM clause which in turn needs a database name (which usually isn't available in this state in the provisioning process).

jkramarz commented 6 years ago

@dmke, at least using Python bindings, there's a SELECT 1 equivalent:

>>> client.switch_user('admin', 'admin')
>>> client.query(";")
[]
>>> client.switch_user('invalid', 'invalid')
>>> client.query(";")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/influxdb/client.py", line 394, in query
    expected_response_code=expected_response_code
  File "/usr/lib/python2.7/site-packages/influxdb/client.py", line 271, in request
    raise InfluxDBClientError(response.content, response.status_code)
influxdb.exceptions.InfluxDBClientError: 401: {"error":"authorization failed"}
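The connect-and-probe workaround from dmke's and jkramarz's comments, written out as an added example (not code from this thread, from InfluxDB, or from the influxdb-python client): it sends the empty statement `;` with the user's own credentials against the assumed 1.x `/query` endpoint and turns the reply into a provisioning decision. The server URL is a placeholder; transport errors deliberately map to "unknown" so a flaky network never triggers a password reset on every run.

```python
# Added example, not from the thread: probe whether a stored InfluxDB 1.x
# password still works, without reading any hash back from the server.
# Assumes the 1.x HTTP API (/query with basic auth); base_url is a placeholder.
import base64
import urllib.error
import urllib.request
from enum import Enum


class PasswordState(Enum):
    VALID = "valid"                # credentials authenticate: nothing to do
    NEEDS_UPDATE = "needs_update"  # server rejected them: run SET PASSWORD
    UNKNOWN = "unknown"            # transport/server error: leave password alone


def classify_probe(status, body):
    """Map the HTTP status/body of the ';' probe onto a provisioning decision."""
    if status == 200:
        # Caveat: with auth-enabled = false the server accepts any credentials,
        # so a 200 only proves the password if authentication is switched on.
        return PasswordState.VALID
    if status == 401:
        # e.g. {"error":"authorization failed"} as in the traceback above
        return PasswordState.NEEDS_UPDATE
    # 5xx, unexpected 4xx, etc.: do not treat a transient failure as "wrong
    # password", or every provisioning run would rotate the credential.
    return PasswordState.UNKNOWN


def probe_password(base_url, user, password, timeout=5):
    """Send ';' with basic auth; it needs neither a database nor admin rights."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/query?q=%3B",  # %3B is ';' URL-encoded
        headers={"Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, e.read())
    except (urllib.error.URLError, TimeoutError):
        return PasswordState.UNKNOWN
```

In a Puppet or Ansible provider, `NEEDS_UPDATE` is the only state that should issue `SET PASSWORD`; `UNKNOWN` should fail the run rather than guess.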