This is an automated email from the ASF dual-hosted git repository.
dmitriusan pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new a9b6703 AMBARI-25268. implement configurable password policy for
Ambari users - additional improvements (dlysnichenko) (#3034)
a9b6703 is described below
commit a9b6703f484715e0a7fac8cb0fb997e25f54b9bf
Author: Lisnichenko Dmitro <[email protected]>
AuthorDate: Tue Jun 25 14:17:46 2019 +0300
AMBARI-25268. implement configurable password policy for Ambari users -
additional improvements (dlysnichenko) (#3034)
---
.../ambari/server/configuration/Configuration.java | 27 ++++++++++++++++++++++
.../ambari/server/controller/AmbariServer.java | 1 +
.../server/security/authorization/Users.java | 2 +-
.../server/security/authorization/TestUsers.java | 3 ++-
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index c4f7c08..1541bb2 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -50,6 +50,7 @@ import java.util.concurrent.BlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
import org.apache.ambari.annotations.Experimental;
import org.apache.ambari.annotations.ExperimentalFeature;
@@ -514,6 +515,14 @@ public class Configuration {
"security.password.policy.regexp", ".*");
/**
+ * Configurable password policy for Ambari users
+ */
+ @Markdown(
+ description = "Password policy description that is shown to users")
+ public static final ConfigurationProperty<String>
PASSWORD_POLICY_DESCRIPTION = new ConfigurationProperty<>(
+ "security.password.policy.description", "");
+
+ /**
* Determines whether the Ambari Agent host names should be validated against
* a regular expression to ensure that they are well-formed.
*/
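Review bot: The Javadoc on `PASSWORD_POLICY_DESCRIPTION` repeats the generic "Configurable password policy for Ambari users" and does not say what the property is for or that it defaults to an empty string. I would document it as `Human-readable explanation of the password policy, appended to the error raised when a password fails security.password.policy.regexp; empty by default.` Nothing ties the description to the regexp, so the comment should also say that operators must keep the two in sync themselves.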
@@ -2634,6 +2643,17 @@ public class Configuration {
}
/**
+ * Validate password policy regexp syntax
+ * @throws java.util.regex.PatternSyntaxException If the expression's syntax
is invalid
+ */
+ public void validatePasswordPolicyRegexp() {
+ String regexp = getPasswordPolicyRegexp();
+ if (!StringUtils.isEmpty(regexp) && !regexp.equalsIgnoreCase(".*")) {
+ Pattern.compile(regexp);
+ }
+ }
+
+ /**
* Ldap username collision handling behavior.
* ADD - append the new LDAP entry to the set of existing authentication
methods.
* CONVERT - remove all authentication methods except for the new LDAP entry.
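Review bot: `validatePasswordPolicyRegexp()` lets the raw `PatternSyntaxException` escape without naming the property that caused it, and the AmbariServer.java hunk calls it during startup with no handling visible there. An operator with a typo in `security.password.policy.regexp` would presumably see only a regex parser error, so consider wrapping it, e.g. `catch (PatternSyntaxException e) { throw new IllegalArgumentException("Invalid security.password.policy.regexp: " + regexp, e); }`, and updating the `@throws` tag to match. `regexp.equalsIgnoreCase(".*")` behaves the same as `".*".equals(regexp)` because the literal contains no letters. The check covers syntax only: the compiled `Pattern` is discarded and the Users.java hunk still calls `Pattern.matches(regexp, password)` on each password check, so a syntactically valid but expensive pattern is not caught here.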
@@ -4017,6 +4037,13 @@ public class Configuration {
return getProperty(PASSWORD_POLICY_REGEXP);
}
+ /**
+ * @return Password policy explanation according to regexp
+ */
+ public String getPasswordPolicyDescription() {
+ return getProperty(PASSWORD_POLICY_DESCRIPTION);
+ }
+
public JPATableGenerationStrategy getJPATableGenerationStrategy() {
return JPATableGenerationStrategy.fromString(
System.getProperty(SERVER_JDBC_GENERATE_TABLES.getKey()));
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index b97e984..bd99527 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -1088,6 +1088,7 @@ public class AmbariServer {
// check if this instance is the active instance
Configuration config = injector.getInstance(Configuration.class);
+ config.validatePasswordPolicyRegexp();
if (!config.isActiveInstance()) {
String errMsg = "This instance of ambari server is not designated as
active. Cannot start ambari server." +
"The property active.instance is set to false in
ambari.properties";
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
index 3f81c52..13f7a92 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java
@@ -1760,7 +1760,7 @@ public class Users {
}
String regexp = configuration.getPasswordPolicyRegexp();
if (!StringUtils.isEmpty(regexp) && (!Pattern.matches(regexp,password))) {
- final String msg = "The password does not meet the Ambari user password
policy regexp:" + regexp;
+ final String msg = "The password does not meet the Ambari user password
policy : " + configuration.getPasswordPolicyDescription();
throw new IllegalArgumentException(msg);
}
}
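Review bot: With the default `security.password.policy.description` of `""`, the new message ends in "policy : " and gives the user no indication of what the policy requires, whereas the old message at least printed the regexp. A fallback for an empty description would avoid that, e.g. `String desc = configuration.getPasswordPolicyDescription();` followed by `final String msg = StringUtils.isEmpty(desc) ? "The password does not meet the Ambari user password policy" : "The password does not meet the Ambari user password policy : " + desc;`. The enclosing method starts outside this hunk, so I cannot see where the exception message ends up.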
diff --git
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
index 24cd6d7..da47027 100644
---
a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
+++
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java
@@ -229,11 +229,12 @@ public class TestUsers {
//Minimum eight characters, at least one letter and one number:
configuration.setProperty(Configuration.PASSWORD_POLICY_REGEXP,
"^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{8,}$");
+ configuration.setProperty(Configuration.PASSWORD_POLICY_DESCRIPTION, "test
description");
try {
users.modifyAuthentication(foundLocalAuthenticationEntity, "user",
"abc123", false);
fail("Should not pass validation");
} catch (IllegalArgumentException e) {
- assertEquals("The password does not meet the Ambari user password policy
regexp:^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{8,}$", e.getLocalizedMessage());
+ assertEquals("The password does not meet the Ambari user password policy
: test description", e.getLocalizedMessage());
}
users.modifyAuthentication(foundLocalAuthenticationEntity, "user",
"abcd1234", false);
}