Posted to dev@ranger.apache.org by Kirby Zhou <ki...@gmail.com> on 2022/04/01 06:04:52 UTC

Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------



Some mistakes.
And if we reuse the x_trx_log table, we can avoid upgrading the database schema; compatibility will be better.


security-admin/db/mysql/patches/059-update-x-portal-user-table.sql
Lines 25 (patched)
<https://reviews.apache.org/r/73922/#comment313118>

    replace tab with space?



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 421 (patched)
<https://reviews.apache.org/r/73922/#comment313119>

    should be a configuration



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Line 1412 (original), 1424 (patched)
<https://reviews.apache.org/r/73922/#comment313120>

    It does not work for FIPS.
    FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.


- Kirby Zhou


On March 31, 2022, 1:17 p.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated March 31, 2022, 1:17 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.
> 
> bhavik patel wrote:
>     If we execute it in a loop, the result will still be the same unless we have the old salt value.

@Kirby Zhou, if you have a FIPS-enabled environment, then can you please update this patch for the same and raise a new Review Request (with all the changes)?


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.

If we execute it in a loop, the result will still be the same unless we have the old salt value.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------




Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > Some mistakes.
> > And if we reuse the x_trx_log table, we can avoid upgrading the database schema; compatibility will be better.

The "x_trx_log" table is audited by the ADMIN user, so it's better not to use that.


> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.

That's true, and that's the main reason I pinged in the Jira to discuss the approach.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------




Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.
> 
> bhavik patel wrote:
>     If we execute it in a loop, the result will still be the same unless we have the old salt value.
> 
> bhavik patel wrote:
>     @Kirby Zhou, if you have a FIPS-enabled environment, then can you please update this patch for the same and raise a new Review Request (with all the changes)?

Read the old code; you actually have the old salt value. It is in the encoded password.


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


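The approach Kirby describes above (the salt is carried inside each stored encoded password, so the verify routine can be called in a loop, once per history entry, with that entry's own salt), as an added example written for this page in Python; it is not Ranger's UserMgr code. The `algo$iterations$salt$hash` storage format, the PBKDF2 parameters, the 4-entry window and the newest-first history list are my assumptions, and the passwords are constructed test data. It also shows why the naive string comparison discussed in the thread misses a real reuse when the salt is random.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters (mine, not Ranger's): PBKDF2-HMAC-SHA256 with a 16-byte
# random salt. Iterations are kept low so the example runs quickly; a real
# deployment would use far more.
ALGO = "pbkdf2_sha256"
ITERATIONS = 20_000
SALT_BYTES = 16
HISTORY_DEPTH = 4  # block reuse of the last 4 passwords


def encode(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password with a fresh random salt, FIPS-style.

    Assumed storage format: "<algo>$<iterations>$<salt-hex>$<hash-hex>".
    The salt is embedded in the stored string, which is what makes a
    later history check possible at all.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def matches(password: str, encoded: str) -> bool:
    """Re-derive using the salt and iteration count embedded in `encoded`."""
    try:
        algo, iters, salt_hex, hash_hex = encoded.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed entry never matches
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def naive_is_reused(new_password: str, history: List[str]) -> bool:
    """The broken check from the thread: encode the candidate once and compare
    encoded strings. With a random salt the fresh encoding never equals an old
    one, so this returns False even when the password really was reused."""
    return encode(new_password) in history


def is_reused(new_password: str, history: List[str],
              depth: int = HISTORY_DEPTH) -> bool:
    """The working check: call the verify routine in a loop, once per stored
    entry, each time with that entry's own salt. `history` is newest-first."""
    return any(matches(new_password, old) for old in history[:depth])


def change_password(new_password: str, history: List[str],
                    depth: int = HISTORY_DEPTH) -> List[str]:
    """Reject a password that appears in the last `depth` entries; otherwise
    return the new history (newest first, trimmed to `depth` entries).
    Raises ValueError on reuse so the caller can return a clear error."""
    if is_reused(new_password, history, depth):
        raise ValueError("password was used recently; choose a different one")
    return [encode(new_password)] + history[:depth - 1]


if __name__ == "__main__":
    # Constructed sample history, newest first.
    hist = [encode("Winter2021!"), encode("Autumn2021!"), encode("Summer2021!")]
    print("naive check catches reuse:", naive_is_reused("Winter2021!", hist))
    print("salted loop catches reuse:", is_reused("Winter2021!", hist))
    hist = change_password("Spring2022!", hist)
    print("history length after change:", len(hist))
```

Each verify call costs one full PBKDF2 derivation, so a history window of N entries makes a password change roughly N times as expensive as a login; keep the window small (the 4 or 5 from the request description is fine) and do the check server-side only after the current password has been verified.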