Authentication
Tarantool Enterprise Edition provides the ability to apply additional restrictions for user authentication. For example, you can specify the minimum time between authentication attempts or turn off access for guest users.
In the configuration below,
security.auth_retries
is set to 2, which means that Tarantool lets a client try to
authenticate with the same username three times. At the fourth attempt,
the authentication delay configured with
security.auth_delay is
enforced. This means that a client should wait 10 seconds after the
first failed attempt.
security:auth_delay: 10auth_retries: 2disable_guest: true
The disable_guest option turns off access over remote connections from unauthenticated or guest users.
A password policy allows you to improve database security by enforcing the use of strong passwords, setting up a maximum password age, and so on. When you create a new user with box.schema.user.create or update the password of an existing user with box.schema.user.passwd, the password is checked against the configured password policy settings.
In the example below, the following options are specified:
- password_min_length specifies that a password should be at least 16 characters.
- password_enforce_lowercase and password_enforce_uppercase specify that a password should contain lowercase and uppercase letters.
- password_enforce_digits and password_enforce_specialchars specify that a password should contain digits and at least one special character.
- password_lifetime_days sets a maximum password age to 365 days.
- password_history_length specifies that a new password should differ from the last three passwords.
security:password_min_length: 16password_enforce_lowercase: truepassword_enforce_uppercase: truepassword_enforce_digits: truepassword_enforce_specialchars: truepassword_lifetime_days: 365password_history_length: 3
By default, Tarantool uses the
CHAP
protocol to authenticate users and applies SHA-1 hashing to
passwords. Note that CHAP stores password
hashes in the _user space unsalted. If an attacker gains access to the
database, they may crack a password, for example, using a rainbow
table.
In the Enterprise Edition, you can enable
PAP
authentication with the SHA256 hashing algorithm. For PAP, a password
is salted with a user-unique salt before saving it in the database,
which keeps the database protected from cracking using a rainbow table.
To enable PAP, specify the security.auth_type option as follows:
security:auth_type: 'pap-sha256'
For new users, the
box.schema.user.create method generates authentication data using PAP-SHA256. For
existing users, you need to reset a password using
box.schema.user.passwd to use the new authentication protocol.
The example below shows how to specify the authentication protocol using
the auth_type parameter when connecting to an instance using
net.box:
local connection = require('net.box').connect({uri = 'admin:topsecret@127.0.0.1:3301',params = { auth_type = 'pap-sha256',transport = 'ssl',ssl_cert_file = 'certs/server.crt',ssl_key_file = 'certs/server.key' }})
If the authentication protocol isn't specified explicitly on the client
side, the client uses the protocol configured on the server via
security.auth_type.