
Password Authentication (Built-In)#

RStudio Connect provides a simple Password Authentication provider which is usable without external integration. It uses user accounts backed by the RStudio Connect database and is not integrated with any external, third-party authentication services. It is the only authentication provider which allows users to change their passwords from within RStudio Connect.

Note

Using Password Authentication makes it easy to get RStudio Connect up and running quickly, but it is appropriate only in situations like these:

  • A demonstration or proof-of-concept in which RStudio Connect is being evaluated or explored.

  • Training users to use RStudio Connect.

  • Using RStudio Connect to do small-scale testing.

  • A small group of users without, or isolated from, a centralized IT system.

For most deployments, the Password Authentication provider is not recommended; integrate with your organization's existing authentication provider instead.

Configuration Example#

Note

The Password configuration appendix contains information about each Password configuration setting.

; /etc/rstudio-connect/rstudio-connect.gcfg

[Authentication]
Provider = "password"

[Password]
; When troubleshooting a problem with Password Authentication, you can enable
; more verbose logging by uncommenting the following line
;Logging = true

User Provisioning#

Users can be created by an administrator, or can register themselves through the RStudio Connect dashboard. The RStudio Connect Server API can also be used to create users ahead of their first login.

Users created by an administrator or via the RStudio Connect Server API without a password will receive an email confirmation which should be used to configure a password.

Existing user accounts can reset their passwords through the RStudio Connect login page, or an RStudio Connect administrator can make this request from the user's profile.
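The following is an added example of provisioning a user ahead of first login through the RStudio Connect Server API; it is not code from the Connect documentation. It assumes the Server API v1 "create user" call (`POST /__api__/v1/users`, authenticated with an `Authorization: Key <api key>` header) and the request fields shown in the comments; confirm the field names against the API reference for your Connect version. No password is sent, so Connect emails the user an account confirmation link and the administrator never handles a credential.

```python
"""Provision a Password Authentication user via the Connect Server API.

Added example; not the project's own code. Endpoint, header and body field
names are assumptions taken from the Server API v1 reference and should be
checked against your Connect version.
"""
import json
import os
import urllib.request


def build_create_user_request(base_url, api_key, username, email,
                              first_name="", last_name="", user_role="viewer"):
    """Return (url, headers, body) for POST /__api__/v1/users.

    Kept separate from the network call so the request can be inspected
    (or unit-tested) without a live server.
    """
    body = {
        "username": username,
        "email": email,
        "first_name": first_name,
        "last_name": last_name,
        "user_role": user_role,          # viewer | publisher | administrator
        # Omit "password" and ask Connect to have the user set one: the user
        # then receives the account confirmation email described above.
        "user_must_set_password": True,  # field name is an assumption
    }
    url = base_url.rstrip("/") + "/__api__/v1/users"
    headers = {
        "Authorization": "Key " + api_key,   # Connect API key header format
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(body).encode("utf-8")


def create_user(base_url, api_key, **user_fields):
    """Send the request and return the decoded JSON response (includes guid)."""
    url, headers, body = build_create_user_request(base_url, api_key, **user_fields)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # CONNECT_SERVER and CONNECT_API_KEY are assumed environment variables,
    # e.g. https://connect.example.com and an administrator's API key.
    created = create_user(
        os.environ["CONNECT_SERVER"], os.environ["CONNECT_API_KEY"],
        username="jdoe", email="jdoe@example.com",
        first_name="Jane", last_name="Doe", user_role="publisher",
    )
    print("created user guid:", created.get("guid"))
```

Run it with an administrator API key; publisher or viewer keys cannot create users. Because the password is never set by the script, the only secret it holds is the API key, which should be scoped to an administrator account you control and rotated if it is exposed.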

Self Registration#

When using Password Authentication, users can self-register by clicking the "Sign Up" button on the login page. Self-registered accounts will be created with the role specified in the Authorization.DefaultUserRole setting (see User Roles).

Disabling Self Registration#

If you wish to disable self-registration, set the configuration setting Password.SelfRegistration to false.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Password]
SelfRegistration = false

This setting takes effect only after the first account has been created; that first account becomes the administrator account. Every subsequent account must then be created by an administrator.

Support for Administrators#

Administrators can create accounts directly in the RStudio Connect dashboard. Similar to when users sign up for a new account, a confirmation email will be sent to the user.

If the user does not receive the confirmation email, the administrator can visit the user's profile page under the "People" tab and resend it. For existing users, the administrator can also send a password reset email from the same location.

Without Email Sending#

Note

Password Authentication works, with reduced convenience, without email settings. See Email Sending.

Using Password Authentication without configuring email sending limits functionality and reduces security: confirmation and password reset links that would otherwise be delivered only to the user's mailbox must instead pass through an administrator.

For account confirmations and password resets, the administrator will be required to play the role of an intermediary.

When a new account has been created, an administrator needs to visit the user profile page under the "People" tab and copy the user's "Account Confirmation Link".

When an existing user needs their password to be reset, the user should ask the administrator for a password reset link. As with the above, the "Reset Password Link" can be obtained from the user profile page under the "People" tab.

Note

The administrator must not open the obtained link, because whoever opens it can complete the confirmation or password reset. Pass the copied link to the user so that they complete the action themselves.

Group Membership Management#

RStudio Connect allows the organization of users into local groups. Administrators can manage local groups within the "People" tab in the RStudio Connect dashboard or via the RStudio Connect Server API.

Security Considerations#

Password Authentication applies sensible defaults, but it has limitations you should be aware of before relying on it.

Acceptable Usernames#

Usernames must be unique and adhere to the following:

  • Be 3-64 characters in length
  • Start with a letter
  • Contain only alphanumeric characters, underscores, and periods
  • Some values are prohibited: connect, apps, users, groups, setpassword, user-completion, confirm, recent, reports, plots, unpublished, settings, metrics, tokens, help, login, welcome, register, resetpassword, content

Editing User Attributes#

User profile information, such as names and email addresses, is editable. The setting Authorization.UserInfoEditableBy has a default value of AdminAndSelf, permitting both users and administrators to manage these profile attributes. Configure Authorization.UserInfoEditableBy with Admin if profile editing should be restricted to administrators.

If you disable Password.SelfRegistration, it is recommended that you also set Authorization.UserInfoEditableBy to Admin; otherwise a user can still change the email address associated with an administrator-created account.

Automatic User Role Mapping#

RStudio Connect does not provide the ability to map user roles when using the Password Authentication provider. Roles must be managed within the RStudio Connect dashboard or via the RStudio Connect Server API.

Acceptable Passwords#

Passwords must be at least 6 characters long. Use the Password.MinimumScore setting to set a minimum complexity score for new passwords. The minimum score must be a number between 0 (the default) and 4. Any other value will prevent the RStudio Connect server from starting. A value of 0 will allow for any password, so long as the length requirement is met. A value of 1 will disallow the most obvious bad passwords, such as password, dates, the user's email and so on. The higher the value, the more complex, and therefore secure, new passwords must be.

Note

Making the minimum score higher will not affect existing passwords; it will only affect new ones, either for new users or when a user changes their password.

RStudio Connect uses the zxcvbn password strength estimation library, an industry standard, to determine the strength of a password. It estimates how hard the password is to guess (older versions of the library reported this as an entropy estimate), penalizes "nearby" data such as the username and email address, and maps the result to an integer score from 0 to 4. For most security profiles, a minimum score of 1 or 2 is sufficient.
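The following is an added example, not code from RStudio Connect, that mirrors the account rules from the Acceptable Usernames and Acceptable Passwords sections as pre-flight checks, for instance before bulk-creating accounts through the Server API. It encodes the username rules listed above and the 6-character minimum exactly; the restriction to ASCII letters and the case-insensitive comparison against the reserved names are assumptions, and the optional score check assumes the `zxcvbn` PyPI package, which is a port of the same library Connect uses.

```python
"""Pre-flight validation of Password Authentication usernames and passwords.

Added example; not Connect's own validation code. Rules are taken from the
Acceptable Usernames and Acceptable Passwords sections; ASCII-only letters
and case-insensitive reserved-name matching are assumptions.
"""
import re

# Reserved usernames listed in Acceptable Usernames.
RESERVED_USERNAMES = frozenset("""
connect apps users groups setpassword user-completion confirm recent reports
plots unpublished settings metrics tokens help login welcome register
resetpassword content
""".split())

# 3-64 characters: one leading letter, then 2-63 letters, digits, '_' or '.'.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]{2,63}")

MIN_PASSWORD_LENGTH = 6  # fixed floor; Password.MinimumScore is applied on top


def validate_username(username):
    """Return None when the username is acceptable, otherwise a reason."""
    if not USERNAME_RE.fullmatch(username):
        return ("must be 3-64 characters, start with a letter, and contain "
                "only letters, digits, underscores and periods")
    if username.lower() in RESERVED_USERNAMES:   # case-insensitive: assumption
        return f"'{username}' is a reserved name"
    return None


def password_score(password, user_inputs=()):
    """zxcvbn score 0-4 for the password, treating user_inputs (username,
    email, ...) as 'nearby' data that makes a password more guessable.
    Requires the 'zxcvbn' PyPI package; imported lazily so the length and
    username checks work without it."""
    from zxcvbn import zxcvbn
    return zxcvbn(password, user_inputs=list(user_inputs))["score"]


def validate_password(password, min_score=0, user_inputs=()):
    """Apply the length floor, then Password.MinimumScore if it is above 0.

    min_score follows the setting's contract: an integer from 0 to 4, where
    0 accepts any password that meets the length requirement.
    """
    if not 0 <= min_score <= 4:
        raise ValueError("Password.MinimumScore must be between 0 and 4")
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"must be at least {MIN_PASSWORD_LENGTH} characters long"
    if min_score > 0 and password_score(password, user_inputs) < min_score:
        return f"too guessable for Password.MinimumScore = {min_score}"
    return None


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    for name in ("alice", "a.b_c1", "ab", "1abc", "alice-b", "Login"):
        print(f"{name!r:12} -> {validate_username(name) or 'ok'}")
    for pw in ("12345", "correct horse battery staple"):
        print(f"{pw!r:32} -> {validate_password(pw) or 'ok'}")
```

Note that a higher minimum score only affects passwords set after the change, exactly as the server behaves: existing accounts keep whatever they had, so an audit of old accounts needs a forced reset rather than a configuration change.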

Exceptions#

Password Authentication does not:

  • provide for password expiration
  • provide automatic user lockout on multiple login failures
  • enforce any specific limits on classes of characters

Although no specific character classes can be required (for example, that passwords must contain upper- and lower-case letters, digits and symbols), a password that mixes more character types scores higher. Requiring a higher minimum score therefore indirectly requires more variety in the characters a password contains.

If your security needs require more fully fledged authentication capabilities, you will need to use an alternate authentication provider such as SAML, OpenID Connect, PAM, or LDAP authentication.