Password Authentication (Built-In)#
Posit Connect provides a simple Password Authentication provider which is usable without external integration. It uses user accounts backed by the Posit Connect database and is not integrated with any external, third-party authentication services. It is the only authentication provider which allows users to change their passwords from within Posit Connect.
Using Password Authentication makes it easy to get Posit Connect up and running quickly but is really only appropriate when using Posit Connect in one of these situations:
- A demonstration or proof-of-concept in which Posit Connect is being evaluated or explored.
- Training users to use Posit Connect.
- Using Posit Connect to do small-scale testing.
- A small group of users without, or isolated from, a centralized IT system.
For most customers, the Password Authentication provider is not recommended; integrating with your organization's existing authentication provider is recommended instead.
The Password configuration appendix contains information about each Password configuration setting.
```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = "password"

[Password]
; MinimumScore = 0
; SelfRegistration = true
; WebSudoMode = true
; WebSudoModeDuration = 5m
```
Users can be created by an administrator, or can register themselves through the Posit Connect dashboard. The Posit Connect Server API can also be used to create users ahead of their first login.
Users created by an administrator or via the Posit Connect Server API without a password will receive an email confirmation which should be used to configure a password.
Existing users can reset their passwords through the Posit Connect login page, or a Posit Connect administrator can make this request from the user's profile.
When using Password Authentication, users can self-register by clicking the "Sign Up" button on the login page. Self-registered accounts are created with the role specified in the corresponding configuration setting (see User Roles).
Disabling Self Registration#
If you wish to disable self-registration, set the configuration:

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Password]
SelfRegistration = false
```
This setting takes effect only after the first account (the administrator account) has been created. Subsequent accounts must then be created by the administrator.
Support for Administrators#
Administrators can create accounts directly in the Posit Connect dashboard. Similar to when users sign up for a new account, a confirmation email will be sent to the user.
In the case the user does not receive the confirmation email, the administrator can visit the user profile page under the "People" tab and resend this email. For existing users, the administrator can also send a password reset email from the same location.
Without Email Sending#
Password Authentication works with limited convenience without email settings. See Email Sending.
Using Password Authentication without configuring email sending imposes limited functionality and reduced security.
For account confirmations and password resets, the administrator will be required to play the role of an intermediary.
When a new account has been created, an administrator needs to visit the user profile page under the "People" tab and copy the user's "Account Confirmation Link".
When an existing user needs their password to be reset, the user should ask the administrator for a password reset link. As with the above, the "Reset Password Link" can be obtained from the user profile page under the "People" tab.
The administrator must not visit the obtained link. The copied link should be passed to the user so they may complete the respective action.
Group Membership Management#
Posit Connect allows the organization of users into local groups. Administrators can manage local groups within the "People" tab in the Posit Connect dashboard or via the Posit Connect Server API.
Password Authentication follows proper security policies but there are limitations to be aware of.
Usernames must be unique and adhere to the following:
- Be 3-64 characters in length
- Start with a letter
- Contain only alphanumeric characters, underscores, and periods
- Some values are prohibited:
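The username rules above, expressed as a validator. This is an added example, not Posit Connect's code: it checks each documented rule separately so the reason for a rejection can be reported, assumes "letter" and "alphanumeric" mean ASCII characters, compares existing names exactly (the page does not say whether uniqueness is case-insensitive), and uses a constructed placeholder for the prohibited values, which this page does not list.

```python
"""Username validation modelled on the rules documented for Posit Connect's
Password Authentication accounts. Added example, not Posit Connect's code."""
import re
from typing import FrozenSet, Iterable, Tuple

# 3-64 characters, starting with a letter, then letters, digits, '_' or '.'.
# Assumption: "letter" / "alphanumeric" means ASCII only.
USERNAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_.]{2,63}\Z")

# The documentation says some values are prohibited but does not list them
# on this page; this set is a constructed placeholder, not Connect's list.
PROHIBITED_USERNAMES: FrozenSet[str] = frozenset({"reserved_placeholder"})


def validate_username(name: str, existing: Iterable[str] = (),
                      prohibited: FrozenSet[str] = PROHIBITED_USERNAMES) -> Tuple[bool, str]:
    """Return (ok, reason). Each documented rule is checked on its own so the
    caller can tell the person creating the account what to change."""
    if not 3 <= len(name) <= 64:
        return False, "must be 3-64 characters in length"
    if not ("A" <= name[0] <= "Z" or "a" <= name[0] <= "z"):
        return False, "must start with a letter"
    if not USERNAME_RE.match(name):
        return False, "may contain only letters, digits, underscores and periods"
    if name in prohibited:
        return False, "is a prohibited value"
    if name in set(existing):  # exact comparison; case handling is unspecified here
        return False, "is already taken; usernames must be unique"
    return True, "ok"


if __name__ == "__main__":
    taken = {"alice.smith"}
    for candidate in ("alice.smith", "bob_2", "ab", "9lives", "al-ice", "reserved_placeholder"):
        print(f"{candidate!r}: {validate_username(candidate, existing=taken)}")
```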
Editing User Attributes#
User profile information, such as names and email, is considered editable. This setting has a default value of AdminAndSelf, permitting users and administrators to manage these user profile attributes. Configure Admin if profile editing should be restricted to administrators.
It is recommended that if you disable that you also configure
Automatic User Role Mapping#
Posit Connect does not provide the ability to map user roles when using the Password Authentication provider. Roles must be managed within the Posit Connect dashboard or via the Posit Connect Server API.
Passwords must be at least 6 characters long. Use the MinimumScore setting to set a minimum complexity score for new passwords. The minimum score must be a number between 0 (the default) and 4. Any other value will prevent the Posit Connect server from starting. A value of 0 will allow any password, so long as the length requirement is met. A value of 1 will disallow the most obvious bad passwords, such as "password", dates, the user's email and so on. The higher the value, the more complex, and therefore more secure, new passwords must be.
Making the minimum score higher will not affect existing passwords; it will only affect new ones, either for new users or when a user changes their password.
Posit Connect uses the zxcvbn password measurement library, an industry standard, to determine the strength of a password. It derives a score for a password's complexity (also called entropy) and accounts for "nearby" data such as the username, email, etc., which results in a number from 1-4. For most security profiles, a value of 1 or 2 is sufficient.
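The policy described in the two paragraphs above, as an added example that is not Posit Connect's code. It reads a [Password] section in the documented gcfg layout and rejects a MinimumScore outside 0-4 the way the server refuses to start, enforces the 6-character minimum, and scores new passwords with the zxcvbn library the text names (the `zxcvbn` Python package, installed separately), passing the user's own username and email as the "nearby" data. The sample configuration text is constructed; `check_new_password` and its `scorer` parameter are this example's own names, and the scorer can be swapped for any callable returning an integer.

```python
"""Policy checks modelled on the documented behaviour of Posit Connect's
built-in Password Authentication. Added example, not Connect's code."""
import configparser
from typing import Callable, Dict, Iterable, Tuple

MIN_PASSWORD_LENGTH = 6            # documented length requirement
VALID_SCORE_RANGE = range(0, 5)    # MinimumScore must be 0 (the default) .. 4

# Constructed sample of the documented configuration file; the defaults are
# commented out in the documentation, here MinimumScore is set explicitly.
SAMPLE_CONFIG = """\
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = "password"

[Password]
MinimumScore = 2
SelfRegistration = false
"""

Scorer = Callable[[str, Iterable[str]], int]


def _unquote(value: str) -> str:
    """gcfg values may be written in double quotes; configparser keeps them."""
    return value.strip().strip('"')


def parse_minimum_score(raw: str) -> int:
    """Validate MinimumScore as documented: an integer from 0 to 4. Anything
    else stops the server from starting, modelled here as a ValueError."""
    try:
        score = int(_unquote(raw))
    except ValueError:
        raise ValueError(f"MinimumScore {raw!r} is not an integer; the server would not start") from None
    if score not in VALID_SCORE_RANGE:
        raise ValueError(f"MinimumScore {score} is outside 0-4; the server would not start")
    return score


def load_password_settings(text: str) -> Dict[str, object]:
    """Parse the [Password] section from gcfg-style text (';' comments)."""
    parser = configparser.ConfigParser(comment_prefixes=(";",), inline_comment_prefixes=(";",),
                                       interpolation=None)
    parser.optionxform = str  # keep CamelCase keys such as MinimumScore
    parser.read_string(text)
    section = parser["Password"] if parser.has_section("Password") else {}
    return {
        "MinimumScore": parse_minimum_score(section.get("MinimumScore", "0")),
        "SelfRegistration": _unquote(section.get("SelfRegistration", "true")).lower() == "true",
    }


def config_is_startable(text: str) -> bool:
    """True if the [Password] settings would let the server start."""
    try:
        load_password_settings(text)
        return True
    except ValueError:
        return False


def zxcvbn_scorer(password: str, user_inputs: Iterable[str]) -> int:
    """Score 0-4 from the zxcvbn library the documentation names
    (pip install zxcvbn); imported lazily so the rest runs without it."""
    from zxcvbn import zxcvbn
    return zxcvbn(password, user_inputs=list(user_inputs))["score"]


def check_new_password(password: str, minimum_score: int, username: str = "",
                       email: str = "", scorer: Scorer = zxcvbn_scorer) -> Tuple[bool, str]:
    """Apply the documented policy to a new password: length first, then, for
    a MinimumScore above 0, the score must reach MinimumScore. The user's
    own identifiers are passed as "nearby" data so they cannot be reused."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if minimum_score == 0:
        return True, "MinimumScore is 0: only the length requirement applies"
    nearby = [v for v in (username, email, email.split("@")[0]) if v]
    score = scorer(password, nearby)
    if score < minimum_score:
        return False, f"score {score} is below MinimumScore {minimum_score}"
    return True, f"score {score} meets MinimumScore {minimum_score}"


if __name__ == "__main__":
    settings = load_password_settings(SAMPLE_CONFIG)
    print(settings)
    for candidate in ("short", "password", "alice.smith2024", "correct horse battery staple"):
        print(candidate, check_new_password(candidate, settings["MinimumScore"],
                                            username="alice.smith", email="alice@example.com"))
```

Raising the minimum score only changes what `check_new_password` accepts from now on; as the documentation notes, passwords already stored are unaffected until their owners change them.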
Password Authentication does not:
- provide for password expiration
- provide automatic user lockout on multiple login failures
- enforce any specific limits on classes of characters
Although no specific classes of characters can be required (i.e., that passwords must contain upper/lower case letters, digits, symbols, etc.), the more character types present in a password, the higher its score will be. Requiring a higher minimum score therefore inherently requires more variety in the character types present in a password.
If your security needs require more fully-fledged authentication capabilities, use an alternate authentication provider such as SAML, OpenID Connect, PAM, or LDAP authentication.