Repository: ranger Updated Branches: refs/heads/master fbaa4537c -> 2b9f76e81
RANGER-2041 : Handle validations for passwords of admin accounts during ranger install (make default passwords mandatory during install) Signed-off-by: Mehul Parikh <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/2b9f76e8 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/2b9f76e8 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/2b9f76e8 Branch: refs/heads/master Commit: 2b9f76e818e404ae824b40479f6c3cb84d870a92 Parents: fbaa453 Author: fatimaawez <[email protected]> Authored: Wed Apr 25 13:34:40 2018 +0530 Committer: Mehul Parikh <[email protected]> Committed: Mon Apr 30 19:30:43 2018 +0530 ---------------------------------------------------------------------- security-admin/scripts/db_setup.py | 101 ++++++++++++++++++++++++++++++ security-admin/scripts/dba_script.py | 18 +----- security-admin/scripts/setup.sh | 38 ++++++++--- 3 files changed, 132 insertions(+), 25 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/2b9f76e8/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 2cbe665..f123dff 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
@@ -189,6 +189,9 @@ class BaseDB(object): def import_core_db_schema(self, db_name, db_user, db_password, file_name,first_table,last_table): log("[I] ---------- Importing Core DB Schema ----------", "info") + def is_new_install(xa_db_host, db_user, db_password, db_name): + log("[I] ----------------- Checking Ranger Version ------------", "info") + class MysqlConf(BaseDB): # Constructor def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type): @@ -838,6 +841,25 @@ class MysqlConf(BaseDB): else: log("[I] "+ version +" status entry to x_db_version_h table completed", "info") + def is_new_install(self, xa_db_host, db_user, db_password, db_name): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if is_unix: + query = get_cmd + " -query \"SELECT version();\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT version();\" -c ;" + output = check_output(query) + if not output.strip('Production |'): + sys.exit(0) + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + version="J10001" + if is_unix: + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if not output.strip(version + " |"): + sys.exit(0) + class OracleConf(BaseDB): # Constructor def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): 
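Review bot: The `is_new_install` stub added under `class BaseDB` is declared without `self`, unlike the neighbouring `import_core_db_schema(self, ...)` and the five subclass overrides, which take `(self, xa_db_host, db_user, db_password, db_name)`. If it is a method, as its position in the class suggests (indentation is lost on this page), a call through an instance that does not override it would bind the instance to `xa_db_host` and fail on the argument count. I would declare it as `def is_new_install(self, xa_db_host, db_user, db_password, db_name):` and add a one-line docstring saying how the result is reported, since the overrides signal only by ending the process.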
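Review bot: In `MysqlConf.is_new_install`, `output.strip('Production |')` and `output.strip(version + " |")` are not substring tests: `str.strip` removes any of the listed characters from both ends, so `not output.strip(...)` is true only when the output is empty or consists entirely of those characters. Any other content in the jisql output (a column header, a newline, an error message) leaves a non-empty string whether or not the `J10001` row came back, so the check that decides whether setup.sh validates the admin passwords may not reflect the database state. If the second check is meant to ask "was the row returned", a membership test says so directly, e.g. `if version not in output: sys.exit(0)` (assuming `check_output` returns text). The same pattern is repeated in the `OracleConf`, `PostgresConf`, `SqlServerConf` and `SqlAnywhereConf` hunks, and in each of them `query` stays unassigned when neither `is_unix` nor `os_name == "WINDOWS"` holds.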
@@ -1552,6 +1574,25 @@ class OracleConf(BaseDB): else: log("[I] "+ version +" status entry to x_db_version_h table completed", "info") + def is_new_install(self, xa_db_host, db_user, db_password, db_name): + get_cmd = self.get_jisql_cmd(db_user, db_password) + if is_unix: + query = get_cmd + " -c \; -query \"select * from v$version;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select * from v$version;\" -c ;" + output = check_output(query) + if not output.strip('Production |'): + sys.exit(0) + get_cmd = self.get_jisql_cmd(db_user, db_password) + version="J10001" + if is_unix: + query = get_cmd + " -c \; -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if not output.strip(version + " |"): + sys.exit(0) + class PostgresConf(BaseDB): # Constructor def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type): 
@@ -2241,6 +2282,25 @@ class PostgresConf(BaseDB): else: log("[I] "+ version +" status entry to x_db_version_h table completed", "info") + def is_new_install(self, xa_db_host, db_user, db_password, db_name): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if is_unix: + query = get_cmd + " -query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if not output.strip('1 |'): + sys.exit(0) + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + version="J10001" + if is_unix: + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if not output.strip(version + " |"): + sys.exit(0) + class SqlServerConf(BaseDB): # Constructor def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): 
@@ -2872,6 +2932,25 @@ class SqlServerConf(BaseDB): else: log("[I] "+ version +" status entry to x_db_version_h table completed", "info") + def is_new_install(self, xa_db_host, db_user, db_password, db_name): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if is_unix: + query = get_cmd + " -c \; -query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if not output.strip('1 |'): + sys.exit(0) + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + version="J10001" + if is_unix: + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c \;" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if not output.strip(version + " |"): + sys.exit(0) + class SqlAnywhereConf(BaseDB): # Constructor def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): 
@@ -3516,6 +3595,25 @@ class SqlAnywhereConf(BaseDB): else: log("[I] "+ version +" status entry to x_db_version_h table completed", "info") + def is_new_install(self, xa_db_host, db_user, db_password, db_name): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if is_unix: + query = get_cmd + " -c \; -query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if not output.strip('1 |'): + sys.exit(0) + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + version="J10001" + if is_unix: + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c \;" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if not output.strip(version + " |"): + sys.exit(0) + def main(argv): populate_global_dict() @@ -3798,6 +3896,9 @@ def main(argv): else: log("[I] JAVA_PATCHES have already been applied","info") + if str(argv[i]) == "-checkupgrade": + xa_sqlObj.is_new_install(xa_db_host, db_user, db_password, db_name) + if str(argv[i]) == "-changepassword": if len(argv)==5: userName=argv[2] http://git-wip-us.apache.org/repos/asf/ranger/blob/2b9f76e8/security-admin/scripts/dba_script.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 4a57bba..e889529 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
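Review bot: The `-checkupgrade` branch added to `main` discards whatever `is_new_install` returns, and the method reports its outcome only by calling `sys.exit(0)` in two places and otherwise returning `None`. After a normal return the loop simply carries on to the `-changepassword` comparison, so the process exit status is decided by the rest of `main`, which lies outside this hunk; no line visible in this commit sets a non-zero status on purpose. I would have `is_new_install` return a boolean and end this branch with an explicit `sys.exit(...)` whose value for each outcome is documented in a comment above the branch, so the caller does not depend on how the script happens to terminate.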
@@ -124,11 +124,6 @@ def password_validation(password, userType): log("[E] Blank password is not allowed,please enter valid password.","error") sys.exit(1) -def validateDefaultUsersPassword(password, userName): - if not re.search(r'(?=.*[0-9])(?=.*[a-zA-Z])', password) or len(password)<8 or re.search("[\\\`'\"]",password): - log("[E] validatePassword()."+userName+ " password change failed. Password should be minimum 8 characters with minimum one alphabet and one numeric. Unsupported special characters are \" ' \ `","error") - sys.exit(1) - def jisql_log(query, db_root_password): if jisql_debug == True: if os_name == "WINDOWS": @@ -1465,18 +1460,7 @@ def main(argv): else: log("[E] Invalid file Name! Unable to find file:"+dba_sql_file,"error") sys.exit(1) - rangerAdmin_password = globalDict['rangerAdmin_password'] - if ( rangerAdmin_password != '' ) and (rangerAdmin_password != "admin" ): - validateDefaultUsersPassword(rangerAdmin_password,"admin"); - rangerTagsync_password = globalDict['rangerTagsync_password'] - if ( rangerTagsync_password != '' ) and (rangerTagsync_password != "rangertagsync" ): - validateDefaultUsersPassword(rangerTagsync_password,"rangertagsync"); - rangerUsersync_password = globalDict['rangerUsersync_password'] - if ( rangerUsersync_password != '' ) and (rangerUsersync_password != "rangerusersync" ): - validateDefaultUsersPassword(rangerUsersync_password,"rangerusersync"); - keyadmin_password = globalDict['keyadmin_password'] - if ( keyadmin_password != '' ) and (keyadmin_password != "keyadmin" ): - validateDefaultUsersPassword(keyadmin_password,"keyadmin"); + log("[I] Running DBA setup script. QuiteMode:" + str(quiteMode),"info") if (quiteMode): if (not 'JAVA_HOME' in os.environ) or (os.environ['JAVA_HOME'] == ""): http://git-wip-us.apache.org/repos/asf/ranger/blob/2b9f76e8/security-admin/scripts/setup.sh ---------------------------------------------------------------------- 
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 45bc918..76baa4c 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -287,6 +287,9 @@ run_dba_steps(){ python dba_script.py -q fi } +check_ranger_version(){ + $PYTHON_COMMAND_INVOKER db_setup.py -checkupgrade +} check_db_connector() { log "[I] Checking ${DB_FLAVOR} CONNECTOR FILE : ${SQL_CONNECTOR_JAR}" if test -f "$SQL_CONNECTOR_JAR"; then 
@@ -1379,23 +1382,34 @@ setup_install_files(){ python_command_for_change_password(){ $PYTHON_COMMAND_INVOKER db_setup.py -changepassword "${1}" "${2}" "${3}" } +validateDefaultUsersPassword(){ + if [ "${2}" == "" ] + then + log "[E] validatePassword(). Password for ${1} user cannot be blank" + exit 1 + elif ! [[ ${#2} -ge 8 && "$2" =~ [A-Za-z] && "$2" =~ [0-9] ]] || [[ "${2}" =~ [\"\`\\"'"] ]] + then + log "[E] validatePassword(). ${1} password change failed. Password should be minimum 8 characters with minimum one alphabet and one numeric. Unsupported special characters are \\\`'\"" + exit 1 + fi +} change_default_users_password(){ - if [ "${rangerAdmin_password}" != '' ] && [ "${rangerAdmin_password}" != "admin" ] + if [ "${rangerAdmin_password}" != "admin" ] then - python_command_for_change_password 'admin' 'admin' "$rangerAdmin_password" + python_command_for_change_password 'admin' 'admin' "${rangerAdmin_password}" fi - if [ "${rangerTagsync_password}" != "" ] && [ "${rangerTagsync_password}" != "rangertagsync" ] + if [ "${rangerTagsync_password}" != "rangertagsync" ] then - python_command_for_change_password 'rangertagsync' 'rangertagsync' "$rangerTagsync_password" + python_command_for_change_password 'rangertagsync' 'rangertagsync' "${rangerTagsync_password}" fi - if [ "${rangerUsersync_password}" != "" ] && [ "${rangerUsersync_password}" != "rangerusersync" ] + if [ "${rangerUsersync_password}" != "rangerusersync" ] then - python_command_for_change_password 'rangerusersync' 'rangerusersync' "$rangerUsersync_password" + python_command_for_change_password 'rangerusersync' 'rangerusersync' "${rangerUsersync_password}" fi - if [ "${keyadmin_password}" != "" ] && [ "${keyadmin_password}" != "keyadmin" ] + if [ "${keyadmin_password}" != "keyadmin" ] then - python_command_for_change_password 'keyadmin' 'keyadmin' "$keyadmin_password" + python_command_for_change_password 'keyadmin' 'keyadmin' "${keyadmin_password}" fi } log " --------- Running Ranger PolicyManager 
Web Application Install Script --------- " @@ -1410,6 +1424,14 @@ setup_install_files sanity_check_files copy_db_connector check_python_command +check_ranger_version +if [ "$?" != "0" ] +then + validateDefaultUsersPassword 'admin' "${rangerAdmin_password}" + validateDefaultUsersPassword 'rangertagsync' "${rangerTagsync_password}" + validateDefaultUsersPassword 'rangerusersync' "${rangerUsersync_password}" + validateDefaultUsersPassword 'keyadmin' "${keyadmin_password}" +fi run_dba_steps if [ "$?" == "0" ] then
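Review bot: `change_default_users_password` no longer checks for an empty value, so with `rangerAdmin_password` unset the test `[ "${rangerAdmin_password}" != "admin" ]` is true and `python_command_for_change_password 'admin' 'admin' ""` runs. The blank check now lives only in `validateDefaultUsersPassword`, which the later hunk calls only when `check_ranger_version` returns non-zero, so on the other path a blank or weak value reaches `db_setup.py -changepassword` without being checked by this script (whether db_setup.py rejects it is not visible here). Either keep the `!= ''` guard in the four `if` tests, or call `validateDefaultUsersPassword` on every value that differs from the default before changing it. The `rangertagsync`, `rangerusersync` and `keyadmin` blocks are affected in the same way.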
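Review bot: The gate `if [ "$?" != "0" ]` makes skipping validation the default, because the four `validateDefaultUsersPassword` calls run only when `db_setup.py -checkupgrade` exits non-zero. In the `is_new_install` methods added by this commit, the branch taken on empty query output ends with `sys.exit(0)`, and empty output is also what a failed connection would probably produce. A database that cannot be reached at this point (the check runs before `run_dba_steps`) would therefore skip the password checks. I would reserve one documented status for "existing install detected" and validate in every other case, e.g. `if [ "$?" != "$EXISTING_INSTALL_STATUS" ]`, where `EXISTING_INSTALL_STATUS` is a placeholder for a value defined next to `check_ranger_version`.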
