Authentication
Enterprise Edition
Authentication features are supported by the Enterprise Edition only.
Tarantool Enterprise Edition provides the ability to apply additional restrictions for user authentication. For example, you can specify the minimum time between authentication attempts or turn off access for guest users.
In the configuration below, security.auth_retries is set to 2, which means that Tarantool lets a client try to authenticate with the same username three times. At the fourth attempt, the authentication delay configured with security.auth_delay is enforced. This means that a client should wait 10 seconds after the first failed attempt.
    security:
      auth_delay: 10
      auth_retries: 2
      disable_guest: true
The disable_guest option turns off access over remote connections from unauthenticated or guest users.
A password policy allows you to improve database security by enforcing the use of strong passwords, setting up a maximum password age, and so on. When you create a new user with box.schema.user.create or update the password of an existing user with box.schema.user.passwd, the password is checked against the configured password policy settings.
In the example below, the following options are specified:
- password_min_length specifies that a password should be at least 16 characters.
- password_enforce_lowercase and password_enforce_uppercase specify that a password should contain lowercase and uppercase letters.
- password_enforce_digits and password_enforce_specialchars specify that a password should contain digits and at least one special character.
- password_lifetime_days sets a maximum password age to 365 days.
- password_history_length specifies that a new password should differ from the last three passwords.
    security:
      password_min_length: 16
      password_enforce_lowercase: true
      password_enforce_uppercase: true
      password_enforce_digits: true
      password_enforce_specialchars: true
      password_lifetime_days: 365
      password_history_length: 3
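To make the effect of these options concrete, here is an added Python model of the checks the policy above implies, evaluated against a candidate password and the user's recent password history. It is illustrative code written for this page, not Tarantool's implementation: the exact set of characters Tarantool counts as "special", plaintext history comparison, and treating password_lifetime_days of 0 as "never expires" are assumptions made here.

```python
import re
from datetime import date

# The security.* options from the configuration above, as a plain dict (constructed input).
POLICY = {
    "password_min_length": 16,
    "password_enforce_lowercase": True,
    "password_enforce_uppercase": True,
    "password_enforce_digits": True,
    "password_enforce_specialchars": True,
    "password_lifetime_days": 365,
    "password_history_length": 3,
}


def check_password(password, policy, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    `history` lists the user's previous passwords, newest first. Only the most recent
    `password_history_length` entries are compared (assumption: plaintext comparison,
    used here purely to illustrate the rule).
    """
    violations = []
    if len(password) < policy.get("password_min_length", 0):
        violations.append("too short")
    if policy.get("password_enforce_lowercase") and not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if policy.get("password_enforce_uppercase") and not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if policy.get("password_enforce_digits") and not re.search(r"[0-9]", password):
        violations.append("no digit")
    # Assumption: any non-alphanumeric character counts as a special character.
    if policy.get("password_enforce_specialchars") and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    keep = policy.get("password_history_length", 0)
    if keep and password in list(history)[:keep]:
        violations.append("reused one of the last %d passwords" % keep)
    return violations


def password_expired(changed_on, today, policy):
    """True when the password is older than password_lifetime_days (0 = no expiry, assumed)."""
    lifetime = policy.get("password_lifetime_days", 0)
    if not lifetime:
        return False
    return (today - changed_on).days > lifetime
```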
By default, Tarantool uses the CHAP protocol to authenticate users and applies SHA-1 hashing to passwords. Note that CHAP stores password hashes in the _user space unsalted. If an attacker gains access to the database, they may crack a password, for example, using a rainbow table.
In the Enterprise Edition, you can enable PAP authentication with the SHA256 hashing algorithm. For PAP, a password is salted with a user-unique salt before saving it in the database, which keeps the database protected from cracking using a rainbow table. To enable PAP, specify the security.auth_type option as follows:

    security:
      auth_type: 'pap-sha256'
For new users, the box.schema.user.create method generates authentication data using PAP-SHA256. For existing users, you need to reset a password using box.schema.user.passwd to use the new authentication protocol.
Warning
Given that PAP transmits a password as plain text, Tarantool requires configuring SSL/TLS for a connection.
The example below shows how to specify the authentication protocol using the auth_type parameter when connecting to an instance using net.box:

    local connection = require('net.box').connect({
        uri = 'admin:topsecret@127.0.0.1:3301',
        params = {
            -- PAP sends the password in clear, so the connection must use SSL/TLS.
            auth_type = 'pap-sha256',
            transport = 'ssl',
            ssl_cert_file = 'certs/server.crt',
            ssl_key_file = 'certs/server.key',
        },
    })
If the authentication protocol isn't specified explicitly on the client side, the client uses the protocol configured on the server via security.auth_type.