Merge pull request #11943 from mitake/bcrypt-in-api

auth, etcdserver: hash password in the API layer

CHANGELOG-3.5.md

@@ -63,14 +63,14 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.4.0...v3.5.0) and
 - Changed behavior on [existing dir permission](https://github.com/etcd-io/etcd/pull/11798).
   - Previously, the permission was not checked on existing data directory and the directory used for automatically generating self-signed certificates for TLS connections with clients. Now a check is added to make sure those directories, if already exist, has a desired permission of 700 on Linux and 777 on Windows.
 
-
 ### `etcdctl`
 
 - Make sure [save snapshot downloads checksum for integrity checks](https://github.com/etcd-io/etcd/pull/11896).
 
 ### Security
 
 - Add [`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` to `etcd --cipher-suites`](https://github.com/etcd-io/etcd/pull/11864).
+- Changed [the format of WAL entries related to auth for not keeping password as a plain text](https://github.com/etcd-io/etcd/pull/11943).
 
 ### Metrics, Monitoring
 

Documentation/dev-guide/api_reference_v3.md

@@ -265,6 +265,7 @@ Empty field.
 | name |  | string |
 | password |  | string |
 | options |  | authpb.UserAddOptions |
+| hashedPassword |  | string |
 
 
 
@@ -281,7 +282,8 @@ Empty field.
 | Field | Description | Type |
 | ----- | ----------- | ---- |
 | name | name is the name of the user whose password is being changed. | string |
-| password | password is the new password for the user. | string |
+| password | password is the new password for the user. Note that this field will be removed in the API layer. | string |
+| hashedPassword | hashedPassword is the new password for the user. Note that this field will be initialized in the API layer. | string |