This is an automated email from the ASF dual-hosted git repository. dmitriusan pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new a9b6703 AMBARI-25268. implement configurable password policy for Ambari users - additional improvements (dlysnichenko) (#3034) a9b6703 is described below commit a9b6703f484715e0a7fac8cb0fb997e25f54b9bf Author: Lisnichenko Dmitro <dlysniche...@hortonworks.com> AuthorDate: Tue Jun 25 14:17:46 2019 +0300 AMBARI-25268. implement configurable password policy for Ambari users - additional improvements (dlysnichenko) (#3034) --- .../ambari/server/configuration/Configuration.java | 27 ++++++++++++++++++++++ .../ambari/server/controller/AmbariServer.java | 1 + .../server/security/authorization/Users.java | 2 +- .../server/security/authorization/TestUsers.java | 3 ++- 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index c4f7c08..1541bb2 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -50,6 +50,7 @@ import java.util.concurrent.BlockingQueue; import java.util.concurrent.Callable; import java.util.concurrent.ThreadPoolExecutor; import java.util.concurrent.TimeUnit; +import java.util.regex.Pattern; import org.apache.ambari.annotations.Experimental; import org.apache.ambari.annotations.ExperimentalFeature; 
@@ -514,6 +515,14 @@ public class Configuration { "security.password.policy.regexp", ".*"); /** + * Configurable password policy for Ambari users + */ + @Markdown( + description = "Password policy description that is shown to users") + public static final ConfigurationProperty<String> PASSWORD_POLICY_DESCRIPTION = new ConfigurationProperty<>( + "security.password.policy.description", ""); + + /** * Determines whether the Ambari Agent host names should be validated against * a regular expression to ensure that they are well-formed. */ @@ -2634,6 +2643,17 @@ public class Configuration { } /** + * Validate password policy regexp syntax + * @throws java.util.regex.PatternSyntaxException If the expression's syntax is invalid + */ + public void validatePasswordPolicyRegexp() { + String regexp = getPasswordPolicyRegexp(); + if (!StringUtils.isEmpty(regexp) && !regexp.equalsIgnoreCase(".*")) { + Pattern.compile(regexp); + } + } + + /** * Ldap username collision handling behavior. * ADD - append the new LDAP entry to the set of existing authentication methods. * CONVERT - remove all authentication methods except for the new LDAP entry. @@ -4017,6 +4037,13 @@ public class Configuration { return getProperty(PASSWORD_POLICY_REGEXP); } + /** + * @return Password policy explanation according to regexp + */ + public String getPasswordPolicyDescription() { + return getProperty(PASSWORD_POLICY_DESCRIPTION); + } + public JPATableGenerationStrategy getJPATableGenerationStrategy() { return JPATableGenerationStrategy.fromString( System.getProperty(SERVER_JDBC_GENERATE_TABLES.getKey())); diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java index b97e984..bd99527 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
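Review bot: The Javadoc on `PASSWORD_POLICY_DESCRIPTION` reads only "Configurable password policy for Ambari users", which does not tell an operator that the value is free text and is never checked against `security.password.policy.regexp`. I would replace it with `Human-readable description of the password policy, shown to users when a password is rejected; it is not validated against security.password.policy.regexp and must be kept in sync with it by the administrator.` That matches how Users.java uses the value later in this commit.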
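Review bot: `validatePasswordPolicyRegexp()` checks syntax only and discards the compiled `Pattern`, so an expression that is valid but prone to catastrophic backtracking is accepted at startup. That expression is then run against every submitted password by `Pattern.matches(regexp, password)` in Users.java, which also recompiles it on each call. Whether the password length is bounded before matching is not visible in this diff. I would state the limit in the Javadoc, e.g. `Checks syntax only; does not detect expressions that backtrack excessively on long input.`, and consider keeping the compiled `Pattern` for reuse by the validator. The `equalsIgnoreCase(".*")` comparison can be plain `equals`, since the literal contains no letters.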
@@ -1088,6 +1088,7 @@ public class AmbariServer { // check if this instance is the active instance Configuration config = injector.getInstance(Configuration.class); + config.validatePasswordPolicyRegexp(); if (!config.isActiveInstance()) { String errMsg = "This instance of ambari server is not designated as active. Cannot start ambari server." + "The property active.instance is set to false in ambari.properties"; diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java index 3f81c52..13f7a92 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java @@ -1760,7 +1760,7 @@ public class Users { } String regexp = configuration.getPasswordPolicyRegexp(); if (!StringUtils.isEmpty(regexp) && (!Pattern.matches(regexp,password))) { - final String msg = "The password does not meet the Ambari user password policy regexp:" + regexp; + final String msg = "The password does not meet the Ambari user password policy : " + configuration.getPasswordPolicyDescription(); throw new IllegalArgumentException(msg); } } diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java index 24cd6d7..da47027 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java 
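Review bot: A malformed `security.password.policy.regexp` now aborts startup with a bare `PatternSyntaxException` from `config.validatePasswordPolicyRegexp()`, and nothing in the hunk names the property that caused it. The enclosing method starts and ends outside the hunk, so a handler may exist further out. I would still catch the exception at this call and report it with the property key, in the style of the `active.instance` message just below. A comment such as `// fail fast on a malformed password policy regexp` would also explain why the call sits ahead of the active-instance check.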
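Review bot: When `security.password.policy.description` is left at its default of `""`, the new message in Users.java ends at "policy : " and tells the user nothing about what is required. Keeping the raw regexp out of the user-facing message is reasonable, but a deployment that sets only the regexp then rejects passwords without any explanation. I would fall back to a generic hint when the description is empty, e.g. `String desc = StringUtils.defaultIfEmpty(configuration.getPasswordPolicyDescription(), "contact your Ambari administrator for the password requirements");`, assuming the file's `StringUtils` is the commons-lang one. The enclosing method starts outside the hunk.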
@@ -229,11 +229,12 @@ public class TestUsers { //Minimum eight characters, at least one letter and one number: configuration.setProperty(Configuration.PASSWORD_POLICY_REGEXP, "^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{8,}$"); + configuration.setProperty(Configuration.PASSWORD_POLICY_DESCRIPTION, "test description"); try { users.modifyAuthentication(foundLocalAuthenticationEntity, "user", "abc123", false); fail("Should not pass validation"); } catch (IllegalArgumentException e) { - assertEquals("The password does not meet the Ambari user password policy regexp:^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{8,}$", e.getLocalizedMessage()); + assertEquals("The password does not meet the Ambari user password policy : test description", e.getLocalizedMessage()); } users.modifyAuthentication(foundLocalAuthenticationEntity, "user", "abcd1234", false); }
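Review bot: The updated test covers only the case where a description is configured; nothing in this hunk exercises the default empty description or `Configuration.validatePasswordPolicyRegexp()` with a malformed expression. I would add a case that sets `PASSWORD_POLICY_REGEXP` to an invalid pattern such as `"["` and expects `PatternSyntaxException` from `validatePasswordPolicyRegexp()`. A second case should leave `PASSWORD_POLICY_DESCRIPTION` unset and assert the resulting rejection message. The test method starts outside the hunk.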