Authentication: remove old content

andreyaksenov · andreyaksenov · commit b0a57b304c70 · 2024-01-17T15:38:32.000+03:00
diff --git a/doc/enterprise/security.rst b/doc/enterprise/security.rst
@@ -15,7 +15,7 @@ initialization code.
 
 Tarantool Enterprise Edition has the following built-in security features:
 
-*  :ref:`authentication <enterprise-authentication>`
+*  :ref:`authentication <configuration_authentication>`
 *  :ref:`access control <enterprise-access-control>`
 *  :ref:`audit log <enterprise-logging>`
 *  :ref:`traffic encryption <enterprise-iproto-encryption>`
@@ -74,301 +74,6 @@ privileges for what they create. For more information, see the
 :ref:`Owners and privileges <authentication-owners_privileges>` section.
 
 
-.. _enterprise-auth-restrictions:
-
-Authentication restrictions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Tarantool Enterprise Edition provides the ability to apply additional restrictions for user authentication.
-For example, you can specify the minimum time between authentication attempts
-or disable access for guest users.
-
-The following :doc:`configuration options </reference/configuration/index>` are available:
-
-* :ref:`auth_delay <cfg_auth_delay>`
-* :ref:`disable_guest <cfg_disable_guest>`
-
-
-.. _cfg_auth_delay:
-
-.. confval:: auth_delay
-
-    Specifies a period of time (in seconds) that a specific user should wait
-    for the next attempt after failed authentication.
-
-    With the configuration below, Tarantool refuses the authentication attempt if the previous
-    attempt was less than 5 seconds ago.
-
-    .. code-block:: lua
-
-        box.cfg{ auth_delay = 5 }
-
-
-    | Since version: 2.11
-    | Type: number
-    | Default: 0
-    | Environment variable: TT_AUTH_DELAY
-    | Dynamic: **yes**
-
-
-.. _cfg_disable_guest:
-
-.. confval:: disable_guest
-
-    If **true**, disables access over remote connections
-    from unauthenticated or :ref:`guest access <authentication-passwords>` users.
-    This option affects both
-    :doc:`net.box </reference/reference_lua/net_box>` and
-    :ref:`replication <replication-master_replica_bootstrap>` connections.
-
-    | Since version: 2.11
-    | Type: boolean
-    | Default: false
-    | Environment variable: TT_DISABLE_GUEST
-    | Dynamic: **yes**
-
-
-
-.. _enterprise-password-policy:
-
-Password policy
-~~~~~~~~~~~~~~~
-
-A password policy allows you to improve database security by enforcing the use
-of strong passwords, setting up a maximum password age, and so on.
-When you create a new user with
-:doc:`box.schema.user.create </reference/reference_lua/box_schema/user_create>`
-or update the password of an existing user with
-:doc:`box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd>`,
-the password is checked against the configured password policy settings.
-
-The following :doc:`configuration options </reference/configuration/index>` are available:
-
-* :ref:`password_min_length <cfg_password_min_length>`
-* :ref:`password_enforce_uppercase <cfg_password_enforce_uppercase>`
-* :ref:`password_enforce_lowercase <cfg_password_enforce_lowercase>`
-* :ref:`password_enforce_digits <cfg_password_enforce_digits>`
-* :ref:`password_enforce_specialchars <cfg_password_enforce_specialchars>`
-* :ref:`password_lifetime_days <cfg_password_lifetime_days>`
-* :ref:`password_history_length <cfg_password_history_length>`
-
-.. _cfg_password_min_length:
-
-.. confval:: password_min_length
-
-    Specifies the minimum number of characters for a password.
-
-    The following example shows how to set the minimum password length to 10.
-
-    .. code-block:: lua
-
-        box.cfg{ password_min_length = 10 }
-
-    | Since version: 2.11
-    | Type: integer
-    | Default: 0
-    | Environment variable: TT_PASSWORD_MIN_LENGTH
-    | Dynamic: **yes**
-
-
-.. _cfg_password_enforce_uppercase:
-
-.. confval:: password_enforce_uppercase
-
-    If **true**, a password should contain uppercase letters (A-Z).
-
-    | Since version: 2.11
-    | Type: boolean
-    | Default: false
-    | Environment variable: TT_PASSWORD_ENFORCE_UPPERCASE
-    | Dynamic: **yes**
-
-
-.. _cfg_password_enforce_lowercase:
-
-.. confval:: password_enforce_lowercase
-
-    If **true**, a password should contain lowercase letters (a-z).
-
-    | Since version: 2.11
-    | Type: boolean
-    | Default: false
-    | Environment variable: TT_PASSWORD_ENFORCE_LOWERCASE
-    | Dynamic: **yes**
-
-
-.. _cfg_password_enforce_digits:
-
-.. confval:: password_enforce_digits
-
-    If **true**, a password should contain digits (0-9).
-
-    | Since version: 2.11
-    | Type: boolean
-    | Default: false
-    | Environment variable: TT_PASSWORD_ENFORCE_DIGITS
-    | Dynamic: **yes**
-
-
-.. _cfg_password_enforce_specialchars:
-
-.. confval:: password_enforce_specialchars
-
-    If **true**, a password should contain at least one special character (such as ``&|?!@$``).
-
-    | Since version: 2.11
-    | Type: boolean
-    | Default: false
-    | Environment variable: TT_PASSWORD_ENFORCE_SPECIALCHARS
-    | Dynamic: **yes**
-
-
-.. _cfg_password_lifetime_days:
-
-.. confval:: password_lifetime_days
-
-    Specifies the maximum period of time (in days) a user can use the same password.
-    When this period ends, a user gets the "Password expired" error on a login attempt.
-    To restore access for such users, use :doc:`box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd>`.
-
-    .. note::
-
-        The default 0 value means that a password never expires.
-
-    The example below shows how to set a maximum password age to 365 days.
-
-    .. code-block:: lua
-
-        box.cfg{ password_lifetime_days = 365 }
-
-    | Since version: 2.11
-    | Type: integer
-    | Default: 0
-    | Environment variable: TT_PASSWORD_LIFETIME_DAYS
-    | Dynamic: **yes**
-
-
-.. _cfg_password_history_length:
-
-.. confval:: password_history_length
-
-    Specifies the number of unique new user passwords before an old password can be reused.
-
-    In the example below, a new password should differ from the last three passwords.
-
-    .. code-block:: lua
-
-        box.cfg{ password_history_length = 3 }
-
-    | Since version: 2.11
-    | Type: integer
-    | Default: 0
-    | Environment variable: TT_PASSWORD_HISTORY_LENGTH
-    | Dynamic: **yes**
-
-    .. note::
-        Tarantool uses the ``auth_history`` field in the
-        :doc:`box.space._user </reference/reference_lua/box_space/_user>`
-        system space to store user passwords.
-
-
-
-
-.. _enterprise-authentication-protocol:
-
-Authentication protocol
-~~~~~~~~~~~~~~~~~~~~~~~
-
-By default, Tarantool uses the
-`CHAP <https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol>`_
-protocol to authenticate users and applies ``SHA-1`` hashing to
-:ref:`passwords <authentication-passwords>`.
-Note that CHAP stores password hashes in the ``_user`` space unsalted.
-If an attacker gains access to the database, they may crack a password, for example, using a `rainbow table <https://en.wikipedia.org/wiki/Rainbow_table>`_.
-
-In the Enterprise Edition, you can enable
-`PAP <https://en.wikipedia.org/wiki/Password_Authentication_Protocol>`_ authentication
-with the ``SHA256`` hashing algorithm.
-For PAP, a password is salted with a user-unique salt before saving it in the database,
-which keeps the database protected from cracking using a rainbow table.
-
-To enable PAP, specify the ``box.cfg.auth_type`` option as follows:
-
-.. code-block:: lua
-
-    box.cfg{ auth_type = 'pap-sha256' }
-
-| Since version: 2.11
-| Type: string
-| Default value: 'chap-sha1'
-| Possible values: 'chap-sha1', 'pap-sha256'
-| Environment variable: TT_AUTH_TYPE
-| Dynamic: **yes**
-
-For new users, the :doc:`box.schema.user.create </reference/reference_lua/box_schema/user_create>` method
-will generate authentication data using ``PAP-SHA256``.
-For existing users, you need to reset a password using
-:doc:`box.schema.user.passwd </reference/reference_lua/box_schema/user_passwd>`
-to use the new authentication protocol.
-
-.. warning::
-
-    Given that ``PAP`` transmits a password as plain text,
-    Tarantool requires configuring :ref:`SSL/TLS <enterprise-iproto-encryption-config>`
-    for a connection.
-
-The examples below show how to specify the authentication protocol on the client side:
-
-*   For :doc:`net.box </reference/reference_lua/net_box>`, you can
-    specify the authentication protocol using the ``auth_type`` URI parameter or
-    the corresponding connection option:
-
-    .. code-block:: lua
-
-        -- URI parameters
-        conn = require('net.box').connect(
-            'username:password@localhost:3301?auth_type=pap-sha256')
-
-        -- URI parameters table
-        conn = require('net.box').connect({
-            uri = 'username:password@localhost:3301',
-            params = {auth_type = 'pap-sha256'},
-        })
-
-        -- Connection options
-        conn = require('net.box').connect('localhost:3301', {
-            user = 'username',
-            password = 'password',
-            auth_type = 'pap-sha256',
-        })
-
-*   For :ref:`replication configuration <replication-master_replica_bootstrap>`,
-    the authentication protocol can be specified in URI parameters:
-
-    .. code-block:: lua
-
-        -- URI parameters
-        box.cfg{
-            replication = {
-                'replicator:password@localhost:3301?auth_type=pap-sha256',
-            },
-        }
-
-        -- URI parameters table
-        box.cfg{
-            replication = {
-                {
-                    uri = 'replicator:password@localhost:3301',
-                    params = {auth_type = 'pap-sha256'},
-                },
-            },
-        }
-
-If the authentication protocol isn't specified explicitly on the client side,
-the client uses the protocol configured on the server via ``box.cfg.auth_type``.
-
-
-
 
 .. _enterprise-logging:
 
