Posted to commits@ranger.apache.org by me...@apache.org on 2018/04/09 06:00:40 UTC
ranger git commit: RANGER-2041 : Handle validations for passwords of
admin accounts during ranger install.
Repository: ranger
Updated Branches:
refs/heads/master fe854a061 -> c8f67ce7c
RANGER-2041 : Handle validations for passwords of admin accounts during ranger install.
Signed-off-by: Mehul Parikh <me...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c8f67ce7
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c8f67ce7
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c8f67ce7
Branch: refs/heads/master
Commit: c8f67ce7c9314867b6481ee10e82ed19b15f37e8
Parents: fe854a0
Author: fatimaawez <fa...@gmail.com>
Authored: Sat Apr 7 15:34:35 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Mon Apr 9 11:28:57 2018 +0530
----------------------------------------------------------------------
security-admin/scripts/changepasswordutil.py | 3 ++-
security-admin/scripts/db_setup.py | 10 ++++----
security-admin/scripts/dba_script.py | 19 ++++++++++++--
security-admin/scripts/install.properties | 1 +
security-admin/scripts/setup.sh | 8 +++---
.../patch/cliutil/ChangePasswordUtil.java | 26 ++++++++++++++++++++
6 files changed, 55 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/changepasswordutil.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/changepasswordutil.py b/security-admin/scripts/changepasswordutil.py
index 95bd613..6c73ed3 100644
--- a/security-admin/scripts/changepasswordutil.py
+++ b/security-admin/scripts/changepasswordutil.py
@@ -109,7 +109,8 @@ def main(argv):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s/*")%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home,ews_lib)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s"%(JAVA_BIN,ranger_log,path,'ChangePasswordUtil',userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s"%(JAVA_BIN,ranger_log,path,
+'ChangePasswordUtil','"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if os_name == "LINUX":
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
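Review bot: Wrapping `userName`, `oldPassword` and `newPassword` in literal `"` and then re-tokenising the string with `shlex.split` (the new `get_java_cmd` lines) only holds while the values contain no `"` or `\`; a value that does is split differently from what the operator typed, so the JVM can receive a different password or extra arguments. Nothing visible in this file runs a validator before this point, so the character restriction added in dba_script.py does not obviously protect this path. Passing an argument vector removes the need for quoting altogether: `subprocess.call([JAVA_BIN, "-Dlogdir=" + ranger_log, "-Dlog4j.configuration=db_patch.log4j.xml", "-cp", path, "org.apache.ranger.patch.cliutil.ChangePasswordUtil", userName, oldPassword, newPassword])`. The same construction is repeated in the five db_setup.py hunks (MysqlConf, OracleConf, PostgresConf, SqlServerConf, SqlAnywhereConf). The WINDOWS branch lies outside the hunk and would need its own check.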
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 83ccc32..b8664d2 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -649,7 +649,7 @@ class MysqlConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
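Review bot: The old and new passwords still travel as command-line arguments of the `java` process built in `get_java_cmd`, so on a typical host they can be read from the process listing by other local users while the JVM runs, and they may be recorded by process-audit logging. The quoting added here does not change that. Consider handing the secrets to the Java utility over stdin or through a file readable only by the install user, leaving just the login id on the command line; this needs a matching change where ChangePasswordUtil reads `args[1]` and `args[2]`. The point applies equally to the OracleConf, PostgresConf, SqlServerConf and SqlAnywhereConf hunks below and to changepasswordutil.py. The enclosing method starts and ends outside the hunk.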
@@ -1363,7 +1363,7 @@ class OracleConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -2032,7 +2032,7 @@ class PostgresConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -2663,7 +2663,7 @@ class SqlServerConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -3307,7 +3307,7 @@ class SqlAnywhereConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"')
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index d5eaaf0..69fff41 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -124,6 +124,11 @@ def password_validation(password, userType):
log("[E] Blank password is not allowed,please enter valid password.","error")
sys.exit(1)
+def validateDefaultUsersPassword(password, userName):
+ if not re.search(r'(?=.*[0-9])(?=.*[a-zA-Z])', password) or len(password)<8 or re.search("[\\\`'\"]",password):
+ log("[E] validatePassword()."+userName+ " password change failed. Password should be minimum 8 characters with minimum one alphabet and one numeric. Unsupported special characters are \" ' \ `","error")
+ sys.exit(1)
+
def jisql_log(query, db_root_password):
if jisql_debug == True:
if os_name == "WINDOWS":
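Review bot: `validateDefaultUsersPassword` builds its character-class pattern and its error message from non-raw strings that contain a backslash followed by a backtick and a backslash followed by a space, neither of which is a valid Python escape; they work only because the interpreter keeps the backslash, and newer Python 3 releases warn about them. A raw pattern states the intent directly, ``re.search(r"[\\`'\"]", password)``, and the message can spell the backslash as `\\`. The function has no docstring; I would add a one-line one stating the rule (at least 8 characters, one letter, one digit, none of the four rejected characters) and that it calls `sys.exit(1)` on failure. Whether `re` is imported in this file is not visible from the hunk.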
@@ -1397,7 +1402,6 @@ class SqlAnywhereConf(BaseDB):
logFile("# Login to SQL Anywhere Server from '%s' user on '%s' database to execute below sql statements."%(db_user,audit_db_name))
logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(audit_db_user, audit_db_password))
-
def main(argv):
FORMAT = '%(asctime)-15s %(message)s'
@@ -1442,7 +1446,18 @@ def main(argv):
else:
log("[E] Invalid file Name! Unable to find file:"+dba_sql_file,"error")
sys.exit(1)
-
+ rangerAdmin_password = globalDict['rangerAdmin_password']
+ if ( rangerAdmin_password != '' ) and (rangerAdmin_password != "admin" ):
+ validateDefaultUsersPassword(rangerAdmin_password,"admin");
+ rangerTagsync_password = globalDict['rangerTagsync_password']
+ if ( rangerTagsync_password != '' ) and (rangerTagsync_password != "rangertagsync" ):
+ validateDefaultUsersPassword(rangerTagsync_password,"rangertagsync");
+ rangerUsersync_password = globalDict['rangerUsersync_password']
+ if ( rangerUsersync_password != '' ) and (rangerUsersync_password != "rangerusersync" ):
+ validateDefaultUsersPassword(rangerUsersync_password,"rangerusersync");
+ keyadmin_password = globalDict['keyadmin_password']
+ if ( keyadmin_password != '' ) and (keyadmin_password != "keyadmin" ):
+ validateDefaultUsersPassword(keyadmin_password,"keyadmin");
log("[I] Running DBA setup script. QuiteMode:" + str(quiteMode),"info")
if (quiteMode):
if (not 'JAVA_HOME' in os.environ) or (os.environ['JAVA_HOME'] == ""):
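Review bot: The four `globalDict['…_password']` lookups added before the "Running DBA setup script" log line will raise `KeyError` when an install.properties predates these keys, assuming `globalDict` is a plain dict filled from that file (its construction is outside the hunk). The four stanzas are also identical apart from the property name and the account name, and each call ends in a stray `;`. A loop over (property, account) pairs using `globalDict.get(prop, '')` covers both points. This assumes the four local variables are not read later in `main`, which continues past the end of the hunk.

```python
# … unchanged: dba_sql_file existence check …
for prop, user in (('rangerAdmin_password', 'admin'),
                   ('rangerTagsync_password', 'rangertagsync'),
                   ('rangerUsersync_password', 'rangerusersync'),
                   ('keyadmin_password', 'keyadmin')):
    pwd = globalDict.get(prop, '')
    # Empty or still-default values mean "no change requested", as before.
    if pwd != '' and pwd != user:
        validateDefaultUsersPassword(pwd, user)
# … unchanged: log("[I] Running DBA setup script. …") …
```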
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 8128678..34c52eb 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -70,6 +70,7 @@ db_user=rangeradmin
db_password=
# change password. Password for below mentioned users can be changed only once using this property.
+#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric.
rangerAdmin_password=
rangerTagsync_password=
rangerUsersync_password=
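Review bot: The added comment states only the length and letter/digit rule, but `validateDefaultUsersPassword` in dba_script.py also rejects passwords containing a double quote, single quote, backslash or backtick, so an operator following this note can still have the install abort. I would extend the line to end with ``Unsupported special characters are " ' \ ` ``, matching the script's own error message. Because these properties hold the passwords in clear text, the comment could also say that the file should be readable only by the install user.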
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index f79a79e..45bc918 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1377,17 +1377,17 @@ setup_install_files(){
fi
}
python_command_for_change_password(){
- $PYTHON_COMMAND_INVOKER db_setup.py -changepassword $1 $2 $3
+ $PYTHON_COMMAND_INVOKER db_setup.py -changepassword "${1}" "${2}" "${3}"
}
change_default_users_password(){
- if [ "${rangerAdmin_password}" != '' ] && [ "${rangerAdmin_password}" != "admin" ]
+ if [ "${rangerAdmin_password}" != '' ] && [ "${rangerAdmin_password}" != "admin" ]
then
- python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password"
+ python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password"
fi
if [ "${rangerTagsync_password}" != "" ] && [ "${rangerTagsync_password}" != "rangertagsync" ]
then
- python_command_for_change_password 'rangertagsync' 'rangertagsync' "$rangerTagsync_password"
+ python_command_for_change_password 'rangertagsync' 'rangertagsync' "$rangerTagsync_password"
fi
if [ "${rangerUsersync_password}" != "" ] && [ "${rangerUsersync_password}" != "rangerusersync" ]
then
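Review bot: `change_default_users_password` ignores the exit status of `python_command_for_change_password`, so if the new validation rejects a password the account appears to keep its default credential while setup carries on, unless the script runs under `set -e`, which the hunk does not show. For a security setting it is safer to stop: `python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password" || exit 1`, and likewise for the other accounts. This assumes db_setup.py propagates the Java utility's status, which is outside this hunk. The function continues past the end of the hunk.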
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
index e7a4035..9d3ce59 100644
--- a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
@@ -20,6 +20,8 @@ package org.apache.ranger.patch.cliutil;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.UserMgr;
+import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXPortalUser;
import org.apache.ranger.patch.BaseLoader;
@@ -38,6 +40,9 @@ public class ChangePasswordUtil extends BaseLoader {
@Autowired
UserMgr userMgr;
+ @Autowired
+ RESTErrorUtil restErrorUtil;
+
public static String userLoginId;
public static String currentPassword;
public static String newPassword;
@@ -49,6 +54,7 @@ public class ChangePasswordUtil extends BaseLoader {
ChangePasswordUtil loader = (ChangePasswordUtil) CLIUtil.getBean(ChangePasswordUtil.class);
loader.init();
if (args.length == 3 || args.length == 4) {
+
userLoginId = args[0];
currentPassword = args[1];
newPassword = args[2];
@@ -109,9 +115,12 @@ public class ChangePasswordUtil extends BaseLoader {
if (xPortalUser!=null){
String dbPassword=xPortalUser.getPassword();
String currentEncryptedPassword=null;
+
try {
+
currentEncryptedPassword=userMgr.encrypt(userLoginId, currentPassword);
if (currentEncryptedPassword.equals(dbPassword)){
+ validatePassword(newPassword);
userMgr.updatePasswordInSHA256(userLoginId,newPassword,true);
logger.info("User '"+userLoginId+"' Password updated sucessfully.");
}else if (!currentEncryptedPassword.equals(dbPassword) && defaultPwdChangeRequest){
@@ -135,4 +144,21 @@ public class ChangePasswordUtil extends BaseLoader {
System.exit(1);
}
}
+ private void validatePassword(String newPassword) {
+ boolean checkPassword = false;
+ if (newPassword != null ) {
+ String pattern = "(?=.*[0-9])(?=.*[a-zA-Z]).{8,}";
+ checkPassword = newPassword.trim().matches(pattern);
+ if (!checkPassword) {
+ logger.error("validatePassword(). Password should be minimum 8 characters with minimum one alphabet and one numeric.");
+ System.out.println("validatePassword(). Password should be minimum 8 characters with minimum one alphabet and one numeric.");
+ throw restErrorUtil.createRESTException("serverMsg.changePasswordValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password should be minimum 8 characters with minimum one alphabet and one numeric", null);
+ }
+ } else {
+ logger.error("validatePassword(). Password cannot be blank/null.");
+ System.out.println("validatePassword(). Password cannot be blank/null.");
+ throw restErrorUtil.createRESTException("serverMsg.changePasswordValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password cannot be blank/null", null);
+ }
+ }
+
}
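Review bot: `validatePassword` matches against `newPassword.trim()` while the caller stores the untrimmed `newPassword` through `updatePasswordInSHA256`, so surrounding whitespace does not count toward the eight characters yet is still saved as part of the password; check the exact string with `checkPassword = newPassword.matches(pattern);`, or trim once before both uses. The rule also differs from `validateDefaultUsersPassword` in dba_script.py, which additionally rejects double quote, single quote, backslash and backtick, so the two entry points accept different passwords. The same message text is written three times per branch (logger, `System.out.println`, exception); a `private static final String` constant would keep them in step. A short Javadoc stating the rule and that the method throws on failure would help, since this is a command-line class raising a REST exception.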