Repository: ranger Updated Branches: refs/heads/master fe854a061 -> c8f67ce7c
RANGER-2041 : Handle validations for passwords of admin accounts during ranger install. Signed-off-by: Mehul Parikh <me...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c8f67ce7 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c8f67ce7 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c8f67ce7 Branch: refs/heads/master Commit: c8f67ce7c9314867b6481ee10e82ed19b15f37e8 Parents: fe854a0 Author: fatimaawez <fatimakhan4...@gmail.com> Authored: Sat Apr 7 15:34:35 2018 +0530 Committer: Mehul Parikh <me...@apache.org> Committed: Mon Apr 9 11:28:57 2018 +0530 ---------------------------------------------------------------------- security-admin/scripts/changepasswordutil.py | 3 ++- security-admin/scripts/db_setup.py | 10 ++++---- security-admin/scripts/dba_script.py | 19 ++++++++++++-- security-admin/scripts/install.properties | 1 + security-admin/scripts/setup.sh | 8 +++--- .../patch/cliutil/ChangePasswordUtil.java | 26 ++++++++++++++++++++ 6 files changed, 55 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/changepasswordutil.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/changepasswordutil.py b/security-admin/scripts/changepasswordutil.py index 95bd613..6c73ed3 100644 --- a/security-admin/scripts/changepasswordutil.py +++ b/security-admin/scripts/changepasswordutil.py 
@@ -109,7 +109,8 @@ def main(argv): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s/*")%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home,ews_lib) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s"%(JAVA_BIN,ranger_log,path,'ChangePasswordUtil',userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s"%(JAVA_BIN,ranger_log,path, +'ChangePasswordUtil','"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if os_name == "LINUX": ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 83ccc32..b8664d2 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
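Review bot: A password containing `"` still breaks the Linux path: the `+` line wraps each value in literal double quotes, but `shlex.split(get_java_cmd)` on the unchanged line below then raises `ValueError` on an unbalanced quote or re-splits the value on a balanced one, so the quoting only holds if a character filter like `validateDefaultUsersPassword` in dba_script.py has already run, which is not visible here. The robust form is to stop building a shell-style string at all: `cmd = [JAVA_BIN, "-Dlogdir=%s" % ranger_log, "-Dlog4j.configuration=db_patch.log4j.xml", "-cp", path, "org.apache.ranger.patch.cliutil.ChangePasswordUtil", userName, oldPassword, newPassword]` followed by `ret = subprocess.call(cmd)`, which needs neither quoting nor splitting, provided the WINDOWS branch below the hunk takes the same list. The same quoting is applied in the five db_setup.py hunks at -649, -1363, -2032, -2663 and -3307 and has the same limitation. Passing credentials as process arguments also leaves them readable in the process table while the JVM runs; that predates this change but deserves a comment on this line. `main` continues outside the hunk.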
@@ -649,7 +649,7 @@ class MysqlConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
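Review bot: The rewritten `get_java_cmd` line is byte-identical in all five database classes (this hunk and the ones at -1363, -2032, -2663 and -3307), so the quoting fix had to be applied five times and any later correction will have to be too. Every copy uses only `self.JAVA_BIN`, `ranger_log`, `path`, `className` and the three credentials, so the command construction belongs in one `BaseDB` helper the subclasses call, e.g. `def change_password_cmd(self, path, className, userName, oldPassword, newPassword):` returning the argument list. The quoting itself has the limitation noted on the changepasswordutil.py hunk. The enclosing method starts and ends outside the hunk.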
@@ -1363,7 +1363,7 @@ class OracleConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -2032,7 +2032,7 @@ class PostgresConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -2663,7 +2663,7 @@ class SqlServerConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -3307,7 +3307,7 @@ class SqlAnywhereConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,'"'+userName+'"','"'+oldPassword+'"','"'+newPassword+'"') if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/dba_script.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index d5eaaf0..69fff41 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
@@ -124,6 +124,11 @@ def password_validation(password, userType): log("[E] Blank password is not allowed,please enter valid password.","error") sys.exit(1) +def validateDefaultUsersPassword(password, userName): + if not re.search(r'(?=.*[0-9])(?=.*[a-zA-Z])', password) or len(password)<8 or re.search("[\\\`'\"]",password): + log("[E] validatePassword()."+userName+ " password change failed. Password should be minimum 8 characters with minimum one alphabet and one numeric. Unsupported special characters are \" ' \ `","error") + sys.exit(1) + def jisql_log(query, db_root_password): if jisql_debug == True: if os_name == "WINDOWS": @@ -1397,7 +1402,6 @@ class SqlAnywhereConf(BaseDB): logFile("# Login to SQL Anywhere Server from '%s' user on '%s' database to execute below sql statements."%(db_user,audit_db_name)) logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(audit_db_user, audit_db_password)) - def main(argv): FORMAT = '%(asctime)-15s %(message)s' 
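Review bot: `validateDefaultUsersPassword` enforces a different rule from the Java `validatePassword` that finally stores the password: this side measures `len(password)` on the raw value and rejects `\ ` ' "`, while the Java side matches `.{8,}` against `newPassword.trim()` and has no character blacklist, so a value of seven characters plus a trailing space is accepted here and rejected there, leaving the install half-done. Either make the Java check the single source of truth and let this function only pre-screen the shell-unsafe characters, or apply the same `strip()` and the same rule on both sides, and state which one is authoritative in a docstring on the new function. The blacklist regex is easier to read as a raw string, `re.search(r"[\\`'\"]", password)`, which matches the same four characters. Only `userName` is echoed in the log line, which is correct; the rejected value itself should stay out of the log.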
@@ -1442,7 +1446,18 @@ def main(argv):
 else:
 log("[E] Invalid file Name! Unable to find file:"+dba_sql_file,"error")
 sys.exit(1)
-
+ rangerAdmin_password = globalDict['rangerAdmin_password']
+ if ( rangerAdmin_password != '' ) and (rangerAdmin_password != "admin" ):
+ validateDefaultUsersPassword(rangerAdmin_password,"admin");
+ rangerTagsync_password = globalDict['rangerTagsync_password']
+ if ( rangerTagsync_password != '' ) and (rangerTagsync_password != "rangertagsync" ):
+ validateDefaultUsersPassword(rangerTagsync_password,"rangertagsync");
+ rangerUsersync_password = globalDict['rangerUsersync_password']
+ if ( rangerUsersync_password != '' ) and (rangerUsersync_password != "rangerusersync" ):
+ validateDefaultUsersPassword(rangerUsersync_password,"rangerusersync");
+ keyadmin_password = globalDict['keyadmin_password']
+ if ( keyadmin_password != '' ) and (keyadmin_password != "keyadmin" ):
+ validateDefaultUsersPassword(keyadmin_password,"keyadmin");
 log("[I] Running DBA setup script. QuiteMode:" + str(quiteMode),"info")
 if (quiteMode):
 if (not 'JAVA_HOME' in os.environ) or (os.environ['JAVA_HOME'] == ""):
http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/install.properties ----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 8128678..34c52eb 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
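Review bot: The four property checks added before the `log("[I] Running DBA setup script...` line are the same three statements repeated with only the key and the default account changed, and each call ends in a stray `;`. A small table-driven loop keeps one copy of the rule (blank, or equal to the account's default, means "leave unchanged") and makes a fifth account a one-line addition; the rewrite below keeps `globalDict[key]` so a missing property still fails as loudly as it does now, and keeps the pre-check ahead of the Java utility invocation, which is the right place for it. `main` continues outside the hunk on both sides.
```python
    # … unchanged: dba_sql_file existence check …
    # (install.properties key, account) pairs; an empty value or the account's
    # own default password means "leave this account unchanged"
    for prop_key, default_user in (('rangerAdmin_password', 'admin'),
                                   ('rangerTagsync_password', 'rangertagsync'),
                                   ('rangerUsersync_password', 'rangerusersync'),
                                   ('keyadmin_password', 'keyadmin')):
        candidate = globalDict[prop_key]
        if candidate != '' and candidate != default_user:
            validateDefaultUsersPassword(candidate, default_user)
    # … unchanged: quiteMode / JAVA_HOME handling …
```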
@@ -70,6 +70,7 @@ db_user=rangeradmin db_password= # change password. Password for below mentioned users can be changed only once using this property. +#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric. rangerAdmin_password= rangerTagsync_password= rangerUsersync_password= http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/scripts/setup.sh ---------------------------------------------------------------------- diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index f79a79e..45bc918 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -1377,17 +1377,17 @@ setup_install_files(){ fi } python_command_for_change_password(){ - $PYTHON_COMMAND_INVOKER db_setup.py -changepassword $1 $2 $3 + $PYTHON_COMMAND_INVOKER db_setup.py -changepassword "${1}" "${2}" "${3}" } change_default_users_password(){ - if [ "${rangerAdmin_password}" != '' ] && [ "${rangerAdmin_password}" != "admin" ] + if [ "${rangerAdmin_password}" != '' ] && [ "${rangerAdmin_password}" != "admin" ] then - python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password" + python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password" fi if [ "${rangerTagsync_password}" != "" ] && [ "${rangerTagsync_password}" != "rangertagsync" ] then - python_command_for_change_password 'rangertagsync' 'rangertagsync' "$rangerTagsync_password" + python_command_for_change_password 'rangertagsync' 'rangertagsync' "$rangerTagsync_password" fi if [ "${rangerUsersync_password}" != "" ] && [ "${rangerUsersync_password}" != "rangerusersync" ] then http://git-wip-us.apache.org/repos/asf/ranger/blob/c8f67ce7/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java ---------------------------------------------------------------------- 
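Review bot: The rule in the added `#PLEASE NOTE` line is incomplete: `validateDefaultUsersPassword` in dba_script.py, which is what rejects these four properties during install, also refuses the characters `" ' \ `` ` ``, so an operator who reads only this file can pick a value that fails with an error the comment did not predict. Suggest extending it to `#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric; the characters " ' \ ` are not allowed.` The setup.sh hunk on the same line only quotes the positional parameters handed to `db_setup.py -changepassword`, which is correct; `change_default_users_password` continues outside the hunk.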
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java index e7a4035..9d3ce59 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java @@ -20,6 +20,8 @@ package org.apache.ranger.patch.cliutil; import org.apache.log4j.Logger; import org.apache.ranger.biz.UserMgr; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.patch.BaseLoader; @@ -38,6 +40,9 @@ public class ChangePasswordUtil extends BaseLoader { @Autowired UserMgr userMgr; + @Autowired + RESTErrorUtil restErrorUtil; + public static String userLoginId; public static String currentPassword; public static String newPassword; @@ -49,6 +54,7 @@ public class ChangePasswordUtil extends BaseLoader { ChangePasswordUtil loader = (ChangePasswordUtil) CLIUtil.getBean(ChangePasswordUtil.class); loader.init(); if (args.length == 3 || args.length == 4) { + userLoginId = args[0]; currentPassword = args[1]; newPassword = args[2]; @@ -109,9 +115,12 @@ public class ChangePasswordUtil extends BaseLoader { if (xPortalUser!=null){ String dbPassword=xPortalUser.getPassword(); String currentEncryptedPassword=null; + try { + currentEncryptedPassword=userMgr.encrypt(userLoginId, currentPassword); if (currentEncryptedPassword.equals(dbPassword)){ + validatePassword(newPassword); userMgr.updatePasswordInSHA256(userLoginId,newPassword,true); logger.info("User '"+userLoginId+"' Password updated sucessfully."); }else if (!currentEncryptedPassword.equals(dbPassword) && defaultPwdChangeRequest){ 
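Review bot: `validatePassword(newPassword)` in the -109 hunk runs only after `userMgr.encrypt` and the comparison with the stored hash, so a malformed new password is detected after a database round-trip although the check needs nothing but the argument; it can run right after the `args.length` check in `main` (the -49 hunk, where `userLoginId = args[0]` is read), before any DAO access, giving the calling script a fast failure. The new `try {` opens a block whose `catch` lies outside this hunk, so it cannot be confirmed here that the exception built by `restErrorUtil.createRESTException` makes the CLI exit non-zero; db_setup.py captures the exit code in `status`, so a comment at the catch stating the exit status on validation failure would help. Injecting a REST-layer `RESTErrorUtil` into a command-line loader is also a questionable dependency direction when a plain `IllegalArgumentException` would carry the same message. The enclosing method starts and ends outside the hunk.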
@@ -135,4 +144,21 @@ public class ChangePasswordUtil extends BaseLoader {
 System.exit(1);
 }
 }
+ private void validatePassword(String newPassword) {
+ boolean checkPassword = false;
+ if (newPassword != null ) {
+ String pattern = "(?=.*[0-9])(?=.*[a-zA-Z]).{8,}";
+ checkPassword = newPassword.trim().matches(pattern);
+ if (!checkPassword) {
+ logger.error("validatePassword(). Password should be minimum 8 characters with minimum one alphabet and one numeric.");
+ System.out.println("validatePassword(). Password should be minimum 8 characters with minimum one alphabet and one numeric.");
+ throw restErrorUtil.createRESTException("serverMsg.changePasswordValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password should be minimum 8 characters with minimum one alphabet and one numeric", null);
+ }
+ } else {
+ logger.error("validatePassword(). Password cannot be blank/null.");
+ System.out.println("validatePassword(). Password cannot be blank/null.");
+ throw restErrorUtil.createRESTException("serverMsg.changePasswordValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password cannot be blank/null", null);
+ }
+ }
+
 }
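Review bot: `validatePassword` checks `newPassword.trim()` but the caller in the -109 hunk passes the untrimmed `newPassword` to `userMgr.updatePasswordInSHA256`, so the value validated is not the value stored: a whitespace-padded password can satisfy `.{8,}` in trimmed form yet be saved with the padding, and the Python pre-check in dba_script.py does not trim at all. Validate exactly the value that will be stored, or trim once in `main` and store the trimmed value. The rejection is also emitted twice with the same text, to log4j and to `System.out`; the console copy belongs on stderr if it is for the operator, and a single `reason` string keeps the log, console and exception messages from drifting apart. Compiling the rule once as a `static final Pattern` (needs `java.util.regex.Pattern`) and a short Javadoc that says `[a-zA-Z]` counts only ASCII letters complete the method.
```java
    /** Rule a new password must satisfy: at least 8 characters, one ASCII letter and one digit. */
    private static final Pattern PASSWORD_RULE = Pattern.compile("(?=.*[0-9])(?=.*[a-zA-Z]).{8,}");

    /**
     * Rejects a new password that is null or does not satisfy {@link #PASSWORD_RULE}.
     * The value checked is exactly the value the caller stores, so it is not trimmed here.
     * On rejection the message is logged, written to stderr and thrown via restErrorUtil.
     */
    private void validatePassword(String newPassword) {
        String reason = null;
        if (newPassword == null) {
            reason = "Password cannot be blank/null";
        } else if (!PASSWORD_RULE.matcher(newPassword).matches()) {
            reason = "Password should be minimum 8 characters with minimum one alphabet and one numeric";
        }
        if (reason != null) {
            logger.error("validatePassword(). " + reason + ".");
            System.err.println("validatePassword(). " + reason + ".");
            throw restErrorUtil.createRESTException("serverMsg.changePasswordValidatePassword",
                    MessageEnums.INVALID_PASSWORD, null, reason, null);
        }
    }
```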