Posted to dev@ranger.apache.org by bhavik patel <bh...@gmail.com> on 2022/03/31 13:17:02 UTC

Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 


Diff: https://reviews.apache.org/r/73922/diff/1/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 9:22 a.m., Kirby Zhou wrote:
> > A question.
> > If an admin wants to change another user's password, should the rule be enforced or not?
> > If not, how does the code implement it?
> 
> bhavik patel wrote:
>     Yes, that rule is enforced.
> 
> Kirby Zhou wrote:
>     I consider that admins will not love it, especially when an admin needs to reset someone's password to a specific value.

That’s also true; I thought of having the same functionality throughout the application.

@PMC any suggestions?


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 9:22 a.m., Kirby Zhou wrote:
> > A question.
> > If an admin wants to change another user's password, should the rule be enforced or not?
> > If not, how does the code implement it?
> 
> bhavik patel wrote:
>     Yes, that rule is enforced.
> 
> Kirby Zhou wrote:
>     I consider that admins will not love it, especially when an admin needs to reset someone's password to a specific value.
> 
> bhavik patel wrote:
>     That’s also true; I thought of having the same functionality throughout the application.
>     
>     @PMC any suggestions?

As of now, I have reverted these changes.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
-----------------------------------------------------------


On April 8, 2022, 2:01 p.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 8, 2022, 2:01 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/4/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.

> On April 1, 2022, 9:22 a.m., Kirby Zhou wrote:
> > A question.
> > If an admin wants to change another user's password, should the rule be enforced or not?
> > If not, how does the code implement it?
> 
> bhavik patel wrote:
>     Yes, that rule is enforced.

I consider that admins will not love it, especially when an admin needs to reset someone's password to a specific value.


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
-----------------------------------------------------------




Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 9:22 a.m., Kirby Zhou wrote:
> > A question.
> > If an admin wants to change another user's password, should the rule be enforced or not?
> > If not, how does the code implement it?

Yes, that rule is enforced.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
-----------------------------------------------------------




Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
-----------------------------------------------------------



A question.
If an admin wants to change another user's password, should the rule be enforced or not?
If not, how does the code implement it?

- Kirby Zhou




Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224312
-----------------------------------------------------------


Ship it!





- Kirby Zhou


On April 13, 2022, 2:57 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 13, 2022, 2:57 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
>   security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
>   security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
>   security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
>   security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
>   security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/7/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224314
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 397 (patched)
<https://reviews.apache.org/r/73922/#comment313174>

    Are you sure?
    
    Arrays.asList() is immutable
    
    Arrays.asList("a,b,c".split(",")).remove(0) will throw an exception.


- Kirby Zhou


On April 13, 2022, 7:49 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 13, 2022, 7:49 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
>   security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
>   security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
>   security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
>   security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/8/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224315
-----------------------------------------------------------


Ship it!





- Madhan Neethiraj


On April 13, 2022, 9:42 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 13, 2022, 9:42 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
>   security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
>   security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
>   security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
>   security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
>   security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/9/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 13, 2022, 9:42 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 


Diff: https://reviews.apache.org/r/73922/diff/9/

Changes: https://reviews.apache.org/r/73922/diff/8-9/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 13, 2022, 7:49 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/8/

Changes: https://reviews.apache.org/r/73922/diff/7-8/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224313
-----------------------------------------------------------




security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
Line 1692 (original), 1694 (patched)
<https://reviews.apache.org/r/73922/#comment313169>

    - consider leaving old_passwords and password_update_time as null here (i.e. no changes to INSERT statements). Note that the value in the password column can be used in the change-password flow
    - update the change-password flow to verify that the new password doesn't match the values in the columns password and old_passwords
    - on successful password change, the existing value in the password column should be added to the old_passwords column



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 121 (patched)
<https://reviews.apache.org/r/73922/#comment313168>

    Consider using a static const for defaultPwdHistoryStore, like:
    
      private static final int DEFAULT_PASSWORD_HISTORY_COUNT = 4;
      
      private int passwordHistoryCount = PropertiesUtil.getIntProperty("ranger.password.history.count", DEFAULT_PASSWORD_HISTORY_COUNT);



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 147 (patched)
<https://reviews.apache.org/r/73922/#comment313171>

    pwdHistoryStore=0 should be allowed, to retain the current behavior, i.e. no restriction on reuse of passwords.
    
      if (passwordHistoryCount < 0) {
        passwordHistoryCount = 0;
      }



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 169 (patched)
<https://reviews.apache.org/r/73922/#comment313172>

    Per earlier comment in ranger_core_db_mysql.sql, line #169 is not needed.



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Line 386 (original), 394 (patched)
<https://reviews.apache.org/r/73922/#comment313170>

    Consider replacing #394 - #409 with the following, per earlier comments in ranger_core_db_mysql.sql:
    
      String       oldPasswordStr = gjUser.getOldPasswords();
      List<String> oldPasswords;
    
      if (StringUtils.isNotEmpty(oldPasswordStr)) {
        // ArrayList has no String[] constructor; wrap the split result so the list stays mutable
        oldPasswords = new ArrayList<>(Arrays.asList(oldPasswordStr.split(",")));
      } else {
        oldPasswords = new ArrayList<>();
      }
    
      // the current password is part of the history window the new password must differ from
      oldPasswords.add(gjUser.getPassword());
    
      // drop the oldest entries until the window holds at most passwordHistoryCount hashes
      while (oldPasswords.size() > this.passwordHistoryCount) {
        oldPasswords.remove(0);
      }
    
      boolean isNewPasswordDifferent = oldPasswords.isEmpty();
    
      for (String oldPassword : oldPasswords) {
        if (this.isFipsEnabled) {
          isNewPasswordDifferent = isNewPasswordDifferent(pwdChange.getLoginId(), oldPassword, encryptedNewPwd);
        } else {
          isNewPasswordDifferent = !encryptedNewPwd.equals(oldPassword);
        }
    
        if (!isNewPasswordDifferent) {
          break;
        }
      }



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 436 (patched)
<https://reviews.apache.org/r/73922/#comment313173>

    Per changes suggested in earlier comments, consider updating updateOldPasswords() to:
    
      private void updateOldPasswords(XXPortalUser gjUser, String encryptedNewPwd, List<String> oldPasswords) {
        // StringUtils.isNotEmpty() takes a CharSequence, so test the list itself
        String oldPasswordStr = (oldPasswords != null && !oldPasswords.isEmpty()) ? StringUtils.join(oldPasswords, ",") : null;
        
        gjUser.setOldPasswords(oldPasswordStr);
        gjUser.setPasswordUpdatedTime(DateUtil.getUTCDate());
      }


- Madhan Neethiraj



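The change-password flow Madhan describes (reject a new password that matches the `password` column or any entry in the comma-joined `old_passwords` column, then rotate the current hash into that history, with a count of 0 or less meaning no restriction) written out as a self-contained example. This is added illustration, not Ranger's UserMgr code: it assumes a salted PBKDF2 "salt$hash" encoding of my own rather than Ranger's encryption, so stored entries cannot be compared for string equality and each one is re-verified, as the FIPS branch in the review does.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed value for this example; Ranger does not use this hash scheme.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as "salthex$digesthex" using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against one stored entry, re-deriving with that entry's salt.

    Every entry carries its own salt, so the stored strings cannot be compared for
    equality; each one has to be re-verified (the situation of the FIPS branch in
    the review, where isNewPasswordDifferent() is called per old entry)."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def history_window(current_hash: str, old_passwords_csv: Optional[str],
                   history_count: int) -> List[str]:
    """Build the list of hashes a new password must differ from.

    Mirrors the suggested UserMgr logic: previous entries from the comma-joined
    old_passwords column, then the current password hash, trimmed from the oldest
    end until at most history_count entries remain. A count of 0 (or less, which
    is clamped to 0) leaves an empty window, i.e. no reuse restriction."""
    history_count = max(history_count, 0)
    window = old_passwords_csv.split(",") if old_passwords_csv else []
    window.append(current_hash)
    while len(window) > history_count:
        window.pop(0)
    return window


def change_password(current_hash: str, old_passwords_csv: Optional[str],
                    history_count: int, new_password: str) -> Tuple[bool, str, Optional[str]]:
    """Apply one change-password request.

    Returns (accepted, password_column, old_passwords_column). On rejection the
    stored values come back unchanged; on success the window (which already holds
    the previous current hash) becomes the new old_passwords value."""
    window = history_window(current_hash, old_passwords_csv, history_count)
    for old in window:
        if verify_password(new_password, old):
            return False, current_hash, old_passwords_csv
    new_old_csv = ",".join(window) if window else None
    return True, hash_password(new_password), new_old_csv


def simulate(history_count: int, initial_password: str, attempts: List[str]) -> List[bool]:
    """Run a sequence of change attempts against a fresh account and report
    which ones the history check accepted."""
    current = hash_password(initial_password)
    old_csv: Optional[str] = None
    results = []
    for candidate in attempts:
        accepted, current, old_csv = change_password(current, old_csv, history_count, candidate)
        results.append(accepted)
    return results


if __name__ == "__main__":
    # With a history of 4, the initial password is blocked until four newer ones exist.
    print(simulate(4, "p0", ["p1", "p2", "p3", "p0", "p4", "p0"]))
```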

Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 13, 2022, 2:57 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 


Diff: https://reviews.apache.org/r/73922/diff/7/

Changes: https://reviews.apache.org/r/73922/diff/6-7/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs
3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Lines 443 (patched)
> > <https://reviews.apache.org/r/73922/diff/6/?file=2267336#file2267336line443>
> >
> >     "if" should be "while"
> 
> bhavik patel wrote:
>     Not required as we are removing the old encrypted password when "pwdHistoryStore" is changed.
> 
> Kirby Zhou wrote:
>     If pwdHistoryStore used to be 10 and oldPassword actually stored 10, and then pwdHistoryStore is changed from 10 to 5, your oldPassword will keep a size of 10 forever.

This use case is being handled when we are matching against the old password.

Updated the changes.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224307
-----------------------------------------------------------


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 398 (original), 406 (patched)
> > <https://reviews.apache.org/r/73922/diff/5-6/?file=2267297#file2267297line407>
> >
> >     Math.min(oldPasswords.length, pwdHistoryStore)

This is not required as we are removing old entries.


> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Lines 406 (patched)
> > <https://reviews.apache.org/r/73922/diff/6/?file=2267336#file2267336line406>
> >
> >     Do not remove, just use:
> >     
> >     for (int p = oldPasswords.length <= pwdHistoryStore ? 0 : oldPasswords.length - pwdHistoryStore; p < oldPasswords.length; ++p)

Removing also provides the same functionality.


> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Lines 443 (patched)
> > <https://reviews.apache.org/r/73922/diff/6/?file=2267336#file2267336line443>
> >
> >     "if" should be "while"

Not required as we are removing the old encrypted password when "pwdHistoryStore" is changed.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224307
-----------------------------------------------------------


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.

> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 398 (original), 406 (patched)
> > <https://reviews.apache.org/r/73922/diff/5-6/?file=2267297#file2267297line407>
> >
> >     Math.min(oldPasswords.length, pwdHistoryStore)
> 
> bhavik patel wrote:
>     This is not required as we are removing old entries.

What happens if oldPasswords.length < pwdHistoryStore ?


> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Lines 406 (patched)
> > <https://reviews.apache.org/r/73922/diff/6/?file=2267336#file2267336line406>
> >
> >     Do not remove, just use:
> >     
> >     for (int p = oldPasswords.length <= pwdHistoryStore ? 0 : oldPasswords.length - pwdHistoryStore; p < oldPasswords.length; ++p)
> 
> bhavik patel wrote:
>     Removing also provides the same functionality.

But it is more costly.


> On April 12, 2022, 4:29 p.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Lines 443 (patched)
> > <https://reviews.apache.org/r/73922/diff/6/?file=2267336#file2267336line443>
> >
> >     "if" should be "while"
> 
> bhavik patel wrote:
>     Not required as we are removing the old encrypted password when "pwdHistoryStore" is changed.

If pwdHistoryStore used to be 10 and oldPassword actually stored 10, and then pwdHistoryStore is changed from 10 to 5, your oldPassword will keep a size of 10 forever.


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224307
-----------------------------------------------------------


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224307
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Line 398 (original), 406 (patched)
<https://reviews.apache.org/r/73922/#comment313157>

    Math.min(oldPasswords.length, pwdHistoryStore)



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 406 (patched)
<https://reviews.apache.org/r/73922/#comment313158>

    Do not remove, just use:
    
    for (int p = oldPasswords.length <= pwdHistoryStore ? 0 : oldPasswords.length - pwdHistoryStore; p < oldPasswords.length; ++p)



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 443 (patched)
<https://reviews.apache.org/r/73922/#comment313159>

    "if" should be "while"


- Kirby Zhou


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 11, 2022, 12:42 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 


Diff: https://reviews.apache.org/r/73922/diff/6/

Changes: https://reviews.apache.org/r/73922/diff/5-6/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs
3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224291
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 122 (patched)
<https://reviews.apache.org/r/73922/#comment313150>

    Should be limited to non-negative values.



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 167 (patched)
<https://reviews.apache.org/r/73922/#comment313151>

    How about Timezone?



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 398 (patched)
<https://reviews.apache.org/r/73922/#comment313149>

    Here it should be limited by pwdHistoryStore.



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 435 (patched)
<https://reviews.apache.org/r/73922/#comment313148>

    If we change pwdHistoryStore from 10 to 5, it only removes 1 from a 9-sized old one.


- Kirby Zhou


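
Added example (not Ranger's UserMgr code, and not code posted in this review) sketching in Java the bounded password history the comments above argue about: the history is trimmed in a loop so a limit lowered from 10 to 5 leaves 5 entries rather than 9, a history shorter than the limit is compared as-is with no index past its end, and a negative pwdHistoryStore is rejected. The class and method names are assumptions, and salted SHA-256 stands in for whatever hashing the real store uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Deque;
import java.util.List;

/**
 * Illustrative bounded password history (added example, not Ranger's UserMgr code).
 * pwdHistoryStore is the number of previous password hashes retained and checked
 * on every password change, mirroring the configurable limit discussed in the review.
 */
public final class PasswordHistoryPolicy {
    private static final SecureRandom RNG = new SecureRandom();

    private final int pwdHistoryStore;                             // configured limit, never negative
    private final Deque<String> oldPasswords = new ArrayDeque<>(); // "salt:hash" entries, oldest first

    public PasswordHistoryPolicy(int pwdHistoryStore, List<String> storedEntries) {
        if (pwdHistoryStore < 0) {                                 // reject a negative limit up front
            throw new IllegalArgumentException("pwdHistoryStore must be >= 0");
        }
        this.pwdHistoryStore = pwdHistoryStore;
        this.oldPasswords.addAll(storedEntries);
        trimToLimit();                                             // a lowered limit shrinks existing history on load
    }

    /** Drop the oldest entries until the history fits the limit: a loop, so 10 -> 5 really leaves 5. */
    private void trimToLimit() {
        while (oldPasswords.size() > pwdHistoryStore) {
            oldPasswords.pollFirst();
        }
    }

    /** True if the candidate equals any retained previous password (history may be shorter than the limit). */
    public boolean isReused(String candidate) {
        for (String entry : oldPasswords) {
            String[] parts = entry.split(":", 2);
            if (parts.length == 2 && constantTimeEquals(hash(parts[0], candidate), parts[1])) {
                return true;
            }
        }
        return false;
    }

    /** Record an accepted password under a fresh salt and keep the history bounded. */
    public void recordPassword(String newPassword) {
        if (pwdHistoryStore == 0) {
            return;                                                // history disabled: retain nothing
        }
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        String saltB64 = Base64.getEncoder().encodeToString(salt);
        oldPasswords.addLast(saltB64 + ":" + hash(saltB64, newPassword));
        trimToLimit();
    }

    public int historySize() {
        return oldPasswords.size();
    }

    // Salted SHA-256 stands in for whatever the real store uses (assumption for this example).
    static String hash(String salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed scenario from the review: 10 passwords stored while pwdHistoryStore was 10.
        PasswordHistoryPolicy wide = new PasswordHistoryPolicy(10, List.of());
        for (int i = 1; i <= 10; i++) {
            wide.recordPassword("Secret" + i + "!");
        }
        System.out.println("entries under limit 10: " + wide.historySize());

        // The limit is lowered to 5: the history must shrink to 5 entries, not to 9.
        PasswordHistoryPolicy narrow = new PasswordHistoryPolicy(5, List.copyOf(wide.oldPasswords));
        System.out.println("entries after lowering the limit to 5: " + narrow.historySize());
        System.out.println("Secret6! still blocked (within last 5): " + narrow.isReused("Secret6!"));
        System.out.println("Secret1! allowed again (aged out): " + narrow.isReused("Secret1!"));

        // History shorter than the limit: only the entries that exist are compared.
        PasswordHistoryPolicy sparse = new PasswordHistoryPolicy(5, List.of());
        sparse.recordPassword("OnlyOne#1");
        System.out.println("single stored password blocked: " + sparse.isReused("OnlyOne#1"));
    }
}
```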


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 9, 2022, 5:29 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 


Diff: https://reviews.apache.org/r/73922/diff/5/

Changes: https://reviews.apache.org/r/73922/diff/4-5/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs
3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 8, 2022, 5:41 p.m., Kirby Zhou wrote:
> > security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
> > Lines 121 (patched)
> > <https://reviews.apache.org/r/73922/diff/4/?file=2267282#file2267282line121>
> >
> >     Can we store it in other_attributes to avoid change database schema?

I think other_attributes was added for some other purpose, as this attribute is added to 2 more tables. It's better to have a new column.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224283
-----------------------------------------------------------


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224283
-----------------------------------------------------------




security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
Lines 121 (patched)
<https://reviews.apache.org/r/73922/#comment313145>

    Can we store it in other_attributes to avoid changing the database schema?



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 431 (patched)
<https://reviews.apache.org/r/73922/#comment313143>

    Can you move this line to init or the constructor?



security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
Lines 515 (patched)
<https://reviews.apache.org/r/73922/#comment313144>

    typo here


- Kirby Zhou


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 8, 2022, 2:01 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/4/

Changes: https://reviews.apache.org/r/73922/diff/3-4/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs
3. Once the basic review/discussion is done, will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 8, 2022, 1:55 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/3/

Changes: https://reviews.apache.org/r/73922/diff/2-3/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done, I will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
-----------------------------------------------------------

(Updated April 1, 2022, 7:50 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
    https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
-------

Password history should be configured to restrict users from reusing their last 4 or 5 passwords.


Diffs (updated)
-----

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/2/

Changes: https://reviews.apache.org/r/73922/diff/1-2/


Testing
-------

1. Verified the basic functionality of the "/passwordchange" API
2. Verified the "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done, I will fix the test cases


Thanks,

bhavik patel


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.
> 
> bhavik patel wrote:
>     If we execute it in a loop, the result will also be the same unless we have the old salt value.

@Kirby Zhou, if you have a FIPS-enabled environment, then can you please update this patch for the same and raise a new Review Request (with all the changes)?


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.

If we execute it in a loop, the result will also be the same unless we have the old salt value.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by bhavik patel <bh...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > Some mistakes.
> > And if we reuse the x_trx_log table, we can avoid upgrading the database schema; compatibility will be better.

The "x_trx_log" table is audited by the ADMIN user, so it's better not to use that.


> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.

That's true, and that's the main reason I pinged in the Jira to discuss the approach.


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.

> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > <https://reviews.apache.org/r/73922/diff/1/?file=2267178#file2267178line1427>
> >
> >     It does not work for FIPS.
> >     FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.
> 
> bhavik patel wrote:
>     That's true, and that's the main reason I pinged in the Jira to discuss the approach.
> 
> Kirby Zhou wrote:
>     You can simply call the old version function in a loop.
> 
> bhavik patel wrote:
>     If we execute it in a loop, the result will also be the same unless we have the old salt value.
> 
> bhavik patel wrote:
>     @Kirby Zhou, if you have a FIPS-enabled environment, then can you please update this patch for the same and raise a new Review Request (with all the changes)?

Reading the old code, you actually have the old salt value. It is in the encoded-password.


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>
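The point Kirby Zhou makes above, that the salt is already inside the stored encoding, is what makes a password-history check workable when every password gets a fresh random salt: the new password is not compared with history entries by string equality, but re-derived with each entry's own salt and compared. The following is an added example illustrating that check, not code from the Ranger patch under review or from the Ranger code base. The storage format "pbkdf2$<iterations>$<salt-hex>$<digest-hex>", the function names, the configurable history length, and the sample passwords are all assumptions made for this example.

```python
# Added example, not code from the Ranger patch under review. It shows the
# password-history check the thread is discussing: each stored password has
# its own random salt, so a new password cannot be compared with history
# entries by string equality; instead the salt is taken from the stored
# encoding and the candidate is re-derived and compared. The storage format
# "pbkdf2$<iterations>$<salt-hex>$<digest-hex>" and all function names are
# assumptions made for this example.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# How many previous passwords may not be reused. A deployment would read
# this from configuration rather than hard-coding it, as the review asks.
HISTORY_LENGTH = 4
# PBKDF2 work factor; tune upward for production hardware.
ITERATIONS = 100_000


def encode_password(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and return it with its parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every encoding
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2${}${}${}".format(iterations, salt.hex(), digest.hex())


def matches(password: str, encoded: str) -> bool:
    """Re-derive the candidate with the salt embedded in `encoded`; compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False  # unknown or malformed encoding never matches
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reused(new_password: str, current_encoded: str, history: List[str],
              history_length: int = HISTORY_LENGTH) -> bool:
    """True if new_password equals the current password or any of the last
    `history_length` previous ones. Each entry is checked with matches(),
    i.e. the encoder is called in a loop with each stored salt."""
    recent = history[-history_length:] if history_length > 0 else []
    return any(matches(new_password, enc) for enc in [current_encoded] + recent)


def change_password(old_password: str, new_password: str, current_encoded: str,
                    history: List[str],
                    history_length: int = HISTORY_LENGTH) -> Tuple[str, List[str]]:
    """Validate a password change and return (new_encoded, new_history).

    Raises ValueError when the old password is wrong or the new one was used
    recently. The returned history keeps only the last `history_length`
    encodings, with the password being replaced appended as the newest."""
    if not matches(old_password, current_encoded):
        raise ValueError("old password does not match")
    if is_reused(new_password, current_encoded, history, history_length):
        raise ValueError("new password matches one of the recent passwords")
    new_history = (history + [current_encoded])[-history_length:] if history_length > 0 else []
    return encode_password(new_password), new_history


if __name__ == "__main__":
    # Constructed sample: a user whose history holds five earlier passwords.
    past = [encode_password(p) for p in ["Past-1", "Past-2", "Past-3", "Past-4", "Past-5"]]
    current = encode_password("Current-6")
    # Two encodings of the same password differ because the salts differ ...
    print(encode_password("Current-6") == current)
    # ... but the history check still recognises the reuse.
    print(is_reused("Past-2", current, past))   # inside the 4-entry window
    print(is_reused("Past-1", current, past))   # older than the window
```

Because the salt and work factor travel with each stored encoding, no separate salt store is needed and the check works whether the encoder uses a fixed salt or a random one; the cost is one derivation per history entry on every change, which is why the history length is kept small and configurable.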


Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

Posted by Kirby Zhou <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
-----------------------------------------------------------



Some mistakes.
And if we reuse the x_trx_log table, we can avoid upgrading the database schema; compatibility will be better.


security-admin/db/mysql/patches/059-update-x-portal-user-table.sql
Lines 25 (patched)
<https://reviews.apache.org/r/73922/#comment313118>

    replace tab with space?



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 421 (patched)
<https://reviews.apache.org/r/73922/#comment313119>

    should be a configuration



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Line 1412 (original), 1424 (patched)
<https://reviews.apache.org/r/73922/#comment313120>

    It does not work for FIPS.
    FIPS requires a random salt, so we cannot compare oldPassword and newPassword, or encoded-oldPassword and encoded-newPassword, directly.


- Kirby Zhou


On March 31, 2022, 1:17 p.m., bhavik patel wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> -----------------------------------------------------------
> 
> (Updated March 31, 2022, 1:17 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
>     https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Password history should be configured to restrict users from reusing their last 4 or 5 passwords.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java d0451b4d2 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Verified the basic functionality of the "/passwordchange" API
> 2. Verified the "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done, I will fix the test cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>