greptimedb/config
dennis zhuang ab552e24b5 feat(security): add password verifier formats (#8251)
* feat: add password verifier formats

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

* fix: harden password verifier parsing and auth config errors

- Reject pbkdf2_sha256 verifiers whose hash is not 32 bytes and bound the
  salt length, preventing short-hash verifiers from matching on a prefix.
- Verify pbkdf2_sha256 with a stack-allocated buffer.
- Report only the length, not the bytes, when a mysql native password
  verifier has an illegal length.
- Map empty frontend_auth credentials to an invalid-config error instead
  of an internal error.

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

* chore: update config.md

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

* fix: skip non-plain verifiers in get_one_user_pwd

Pick the first plain-text credential instead of failing when the first
user happens to hold a hashed verifier.

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

* fix: format

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

* chore: remove unused get_one_user_pwd

Internal flownode-to-frontend communication no longer authenticates
(see #8244), so the plain-text credential export path is dead code.
Drop get_one_user_pwd, its now-orphan as_plain_text helper, and the
related tests.

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>

---------

Signed-off-by: Dennis Zhuang <killme2008@gmail.com>
2026-06-12 01:23:44 +00:00