Password Authentication (Built-In)
Posit Connect provides a simple Password Authentication provider which is usable without external integration. It uses user accounts backed by the Posit Connect database and is not integrated with any external, third-party authentication services. It is the only authentication provider which allows users to change their passwords from within Posit Connect.
Using Password Authentication makes it easy to get Posit Connect up and running quickly but is really only appropriate when using Posit Connect in one of these situations:
- A demonstration or proof-of-concept in which Posit Connect is being evaluated or explored.
- Training users to use Posit Connect.
- Using Posit Connect to do small-scale testing.
- A small group of users without, or isolated from, a centralized IT system.
For most customers, use of the Password Authentication provider is not recommended. Integrating with your organization’s existing authentication provider is recommended.
Configuration Example
The Password configuration appendix contains information about each Password configuration setting.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = "password"
[Password]
; MinimumScore = 0
; SelfRegistration = true
; WebSudoMode = true
; WebSudoModeDuration = 5m
User Provisioning
Users can be created by an administrator, or can register themselves through the Posit Connect dashboard. The Posit Connect Server API can also be used to create users ahead of their first login.
Users created by an administrator or via the Posit Connect Server API without a password will receive an email confirmation which should be used to configure a password.
Existing users can reset their passwords through the Posit Connect login page, or a Posit Connect administrator can make this request from the user’s profile.
Self Registration
When using Password Authentication, users can self-register by clicking the “Sign Up” button on the login page. Self-registered accounts will be created with the role specified in the Authorization.DefaultUserRole setting (see User Roles).
Disabling Self Registration
If you wish to disable self-registration, set the configuration setting Password.SelfRegistration to false.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Password]
SelfRegistration = false
This setting takes effect only after the first account (the administrator account) has been created. Subsequent accounts must then be created by the administrator.
Support for Administrators
Administrators can create accounts directly in the Posit Connect dashboard. Similar to when users sign up for a new account, a confirmation email will be sent to the user.
In the case the user does not receive the confirmation email, the administrator can visit the user profile page under the “People” tab and resend this email. For existing users, the administrator can also send a password reset email from the same location.
Without Email Sending
Password Authentication works with limited convenience without email settings. See Email Sending.
Using Password Authentication without configuring email sending imposes limited functionality and reduced security.
For account confirmations and password resets, the administrator will be required to play the role of an intermediary.
When a new account has been created, an administrator needs to visit the user profile page under the “People” tab and copy the user’s “Account Confirmation Link”.
When an existing user needs their password to be reset, the user should ask the administrator for a password reset link. As with the above, the “Reset Password Link” can be obtained from the user profile page under the “People” tab.
The administrator must not visit the obtained link. The copied link should be passed to the user so they may complete the respective action.
Group Membership Management
Posit Connect allows the organization of users into local groups. Administrators can manage local groups within the “People” tab in the Posit Connect dashboard or via the Posit Connect Server API.
Security Considerations
Password Authentication follows proper security policies but there are limitations to be aware of.
Acceptable Usernames
Usernames must be unique and adhere to the following:
- Be 3-64 characters in length
- Start with a letter
- Contain only alphanumeric characters, underscores, and periods
- Some values are prohibited: connect, apps, users, groups, setpassword, user-completion, confirm, recent, reports, plots, unpublished, settings, metrics, tokens, help, login, welcome, register, resetpassword, content
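The rules above are easy to get subtly wrong in provisioning scripts (for example when creating users ahead of time through the Server API), so the following is an added example of a pre-flight validator that applies them before a create-user call is made. It is example code written for this page, not part of Posit Connect; the reserved-name and uniqueness comparisons are done case-insensitively, which is an assumption of this example rather than a rule the page states.

```python
import re

# Rules from the "Acceptable Usernames" section: 3-64 characters long, starts
# with a letter, and contains only ASCII letters, digits, underscores and periods.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]{2,63}$")

# Reserved values listed on the page; they would collide with dashboard and API paths.
PROHIBITED_USERNAMES = frozenset({
    "connect", "apps", "users", "groups", "setpassword", "user-completion",
    "confirm", "recent", "reports", "plots", "unpublished", "settings",
    "metrics", "tokens", "help", "login", "welcome", "register",
    "resetpassword", "content",
})


def username_problems(username, existing=()):
    """Return every rule the proposed username violates (empty list = acceptable).

    `existing` is an iterable of usernames already in use. The uniqueness and
    reserved-name checks compare case-insensitively; that is an assumption made
    by this example, not something the page specifies.
    """
    problems = []
    if not 3 <= len(username) <= 64:
        problems.append("length must be 3-64 characters")
    if not re.match(r"[A-Za-z]", username[:1]):
        problems.append("must start with a letter")
    if re.search(r"[^A-Za-z0-9_.]", username):
        problems.append("only letters, digits, underscores and periods are allowed")
    lowered = username.lower()
    if lowered in PROHIBITED_USERNAMES:
        problems.append("'%s' is a reserved name" % username)
    if lowered in {u.lower() for u in existing}:
        problems.append("username is already taken")
    return problems


def is_acceptable_username(username, existing=()):
    """True when the name satisfies every rule; the regex is a fast equivalent of the structural checks."""
    return not username_problems(username, existing)


if __name__ == "__main__":
    # Constructed sample inputs, not data taken from the page.
    taken = ["alice", "bob.smith"]
    for candidate in ["alice", "Alice", "ab", "1user", "login", "j_doe.2", "bob-smith", "x" * 65]:
        print("%-12r -> %s" % (candidate, username_problems(candidate, taken) or "OK"))
```

Note that `user-completion` from the reserved list can never pass the character rule anyway, since hyphens are not permitted; it is kept in the set so the list on the page is reproduced exactly.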
Editing User Attributes
User profile information, such as names and email, is considered editable. The setting Authorization.UserInfoEditableBy has a default value of AdminAndSelf, permitting users and administrators to manage these user profile attributes. Configure Authorization.UserInfoEditableBy with Admin if profile editing should be restricted to administrators.
It is recommended that if you disable Password.SelfRegistration, you also configure Authorization.UserInfoEditableBy to Admin.
Automatic User Role Mapping
Posit Connect does not provide the ability to map user roles when using the Password Authentication provider. Roles must be managed within the Posit Connect dashboard or via the Posit Connect Server API.
Acceptable Passwords
Passwords must be at least 6 characters long. Use the Password.MinimumScore setting to set a minimum complexity score for new passwords. The minimum score must be a number between 0 (the default) and 4. Any other value will prevent the Posit Connect server from starting. A value of 0 will allow any password, so long as the length requirement is met. A value of 1 will disallow the most obvious bad passwords, such as password, dates, the user’s email and so on. The higher the value, the more complex, and therefore secure, new passwords must be.
Making the minimum score higher will not affect existing passwords; it will only affect new ones, either for new users or when a user changes their password.
Posit Connect uses the zxcvbn password measurement library, an industry standard, to determine the strength of a password. It derives a score for a password’s complexity, also called entropy, and accounts for “nearby” data such as username, email, etc., which results in a number from 1-4. For most security profiles, a value of 1 or 2 is sufficient.
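Because an out-of-range Password.MinimumScore stops the server from starting, it is worth checking the configuration file before a restart. The following is an added example (written for this page, not Posit's code) that lints the Authentication and Password sections shown in the Configuration Example above against the constraints described in this section. It assumes the gcfg file is close enough to INI syntax for Python's configparser (true for the example shown), that booleans are written as true/false, and that WebSudoModeDuration uses Go-style duration literals such as 5m; the sample configuration embedded below is constructed, with MinimumScore deliberately set to 5 so the linter has something to report.

```python
import configparser
import re

# Constructed sample modelled on the page's configuration example; MinimumScore
# is intentionally out of range so that lint_password_auth() reports it.
SAMPLE_CONFIG = """\
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = "password"

[Password]
MinimumScore = 5
SelfRegistration = false
WebSudoMode = true
WebSudoModeDuration = 5m
"""

# Go-style duration literal (5m, 90s, 1h30m). Assumed syntax for WebSudoModeDuration.
DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")


def parse_gcfg(text):
    """Parse the gcfg text with configparser; ';' lines are treated as comments."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def _unquote(value):
    """gcfg string values are double-quoted; strip the quotes for comparison."""
    if value is None:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def lint_password_auth(text):
    """Return a list of problems; an empty list means the settings look sane."""
    cp = parse_gcfg(text)
    problems = []

    provider = _unquote(cp.get("Authentication", "Provider", fallback=None))
    if provider != "password":
        problems.append('Authentication.Provider is %r, expected "password"' % provider)

    # The remaining keys are optional; when absent the page's defaults apply.
    score = _unquote(cp.get("Password", "MinimumScore", fallback="0"))
    if not (score.isdigit() and 0 <= int(score) <= 4):
        problems.append("Password.MinimumScore must be an integer from 0 to 4, got %r "
                        "(the server will refuse to start)" % score)

    for key in ("SelfRegistration", "WebSudoMode"):
        value = _unquote(cp.get("Password", key, fallback="true"))
        if value.lower() not in ("true", "false"):
            problems.append("Password.%s must be true or false, got %r" % (key, value))

    duration = _unquote(cp.get("Password", "WebSudoModeDuration", fallback="5m"))
    if not DURATION_RE.match(duration):
        problems.append("Password.WebSudoModeDuration is not a duration literal: %r" % duration)

    return problems


if __name__ == "__main__":
    for problem in lint_password_auth(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against the real file with `lint_password_auth(open("/etc/rstudio-connect/rstudio-connect.gcfg").read())` before restarting the service; the linter only reports findings and never modifies the configuration.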
Exceptions
Password Authentication does not:
- provide for password expiration
- provide automatic user lockout on multiple login failures
- enforce any specific limits on classes of characters
Although no specific classes of characters can be specified as required (i.e., passwords must contain upper/lower case letters, digits, symbols, etc.), the more combinations of character types that are present in a password, the higher its score will be. Requiring a higher minimum score will inherently require more variety in character types present in a password.
If your security needs require more fully fledged authentication capabilities, you will need to use an alternate authentication provider such as SAML, OpenID Connect, PAM, or LDAP authentication.