Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 c0a5f531e -> 47c1f94ff
RANGER-701 : Update setup scripts to allow special characters in passwords Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/47c1f94f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/47c1f94f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/47c1f94f Branch: refs/heads/ranger-0.5 Commit: 47c1f94ff1e92491a1583119936eccb36849cb71 Parents: c0a5f53 Author: Gautam Borad <[email protected]> Authored: Mon Oct 26 13:46:42 2015 +0530 Committer: Gautam Borad <[email protected]> Committed: Mon Oct 26 15:01:21 2015 +0530 ---------------------------------------------------------------------- kms/scripts/db_setup.py | 14 +- kms/scripts/dba_script.py | 23 ++- kms/scripts/setup.sh | 158 +++++++++++----- security-admin/scripts/db_setup.py | 16 +- security-admin/scripts/dba_script.py | 28 ++- security-admin/scripts/set_globals.sh | 26 ++- security-admin/scripts/setup.sh | 180 ++++++++++++++----- .../org/apache/ranger/common/RESTErrorUtil.java | 26 +++ .../service/AbstractBaseResourceService.java | 5 +- .../views/permissions/ModulePermissionCreate.js | 1 - .../webapp/scripts/views/users/GroupCreate.js | 3 +- .../webapp/scripts/views/users/UserCreate.js | 2 - unixauthservice/scripts/set_globals.sh | 27 ++- unixauthservice/scripts/setup.py | 54 +++--- 14 files changed, 417 insertions(+), 146 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/kms/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py old mode 100755 new mode 100644 index 5e2f950..bdac333 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py 
@@ -100,9 +100,9 @@ class MysqlConf(BaseDB): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
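Review bot: The single quotes added around `-u '%s' -p '%s'` protect the value only when the string is parsed by a POSIX shell; on the WINDOWS branch cmd.exe does not treat `'` as a quoting character, so if that command is run through the Windows shell the quotes become literal parts of the user name and password handed to Jisql. The quoting also holds only because a password can never contain `'`, which is enforced by the separate password_validation in dba_script.py rather than anywhere in this function. A comment at the WINDOWS branch, `# NOTE: cmd.exe does not strip single quotes; confirm how jisql_cmd is executed on Windows`, flags this for whoever exercises that path. get_jisql_cmd is a method of MysqlConf, whose class continues outside the hunk.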
@@ -327,9 +327,9 @@ class SqlServerConf(BaseDB): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
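Review bot: Only the password is quoted here while `-user %s` stays bare, unlike the MysqlConf hunk in the same file which quotes both `-u` and `-p`; a user name containing a space or shell metacharacter still splits the command. `-user '%s' -password '%s'` on the LINUX branch keeps the two classes consistent and makes the validator's rejected-character set the single thing the quoting depends on. The WINDOWS branch carries the same caveat that cmd.exe does not treat `'` as a quote character. SqlServerConf continues outside the hunk.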
@@ -392,9 +392,9 @@ class SqlAnywhereConf(BaseDB): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -527,6 +527,8 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_KMS_HOME ,oracle_core_file) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/kms/scripts/dba_script.py ---------------------------------------------------------------------- diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index 950b8c3..d1da5d1 100755 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
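Review bot: `db_user=db_user.lower()` and `db_name=db_name.lower()` silently rewrite operator-supplied identifiers before any connection is attempted; a Postgres role or database that was created with a quoted mixed-case name will no longer be found, and the resulting error will name a value the operator never typed. Logging the normalization, e.g. `log("[I] Postgres identifiers are case-folded: db_user=%s db_name=%s" % (db_user, db_name), "info")` in the `log(msg, level)` form these scripts use, makes that failure diagnosable. This sits inside main(), which begins and ends outside the hunk.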
@@ -94,6 +94,17 @@ def logFile(msg): print("Invalid input! Provide file path to write DBA scripts:") sys.exit() +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error") + sys.exit(1) + else: + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + class BaseDB(object): def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): @@ -866,9 +877,9 @@ class SqlAnywhereConf(BaseDB): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): if dryMode == False: 
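Review bot: The pattern `"[\\\`'\"]"` contains the unrecognized escape `\``, so the rejected set (backslash, backtick, single and double quote) is correct only because Python passes unknown escapes through unchanged, which recent versions warn about; `re.search(r"""[\\`'"]""", password)` expresses the same four characters without relying on that. The function would benefit from a one-line docstring stating why these characters and no others are rejected, namely that the password is later embedded inside a single-quoted argument of a shell command string built by get_jisql_cmd, and the blank-password branch should name `userType` like the other two branches do. `re` has to be imported at module top, which is not visible in this hunk.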
@@ -1036,6 +1047,10 @@ def main(argv): dryMode=False is_revoke=False + if len(argv) == 3: + password_validation(argv[1],argv[2]); + return; + if len(argv) > 1: for i in range(len(argv)): if str(argv[i]) == "-q": @@ -1200,6 +1215,8 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_KMS_HOME,oracle_core_file) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME,postgres_core_file) @@ -1222,6 +1239,8 @@ def main(argv): log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) + log("[I] ---------- Verifing Ranger KMS db user password ---------- ","info") + password_validation(db_password,"KMS"); # Methods Begin if DBA_MODE == "TRUE" : http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/kms/scripts/setup.sh ---------------------------------------------------------------------- diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 96bf6a0..94b6e23 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -31,10 +31,6 @@ then exit 1; fi -eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'` - -DB_HOST="${db_host}" - usage() { [ "$*" ] && echo "$0: $*" sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0" 
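Review bot: `if len(argv) == 3` diverts every invocation with exactly two arguments into password validation before the existing flag parsing runs, since argv[0] is the script path; any caller passing two options such as `-q` and another flag would have them treated as a password and a user type. A dedicated marker, e.g. `if len(argv) == 4 and argv[1] == "-validate-password":`, keeps the two modes distinct. Passing the password itself on the command line also exposes it in `ps` and `/proc/*/cmdline` to other local users for the life of the process; reading it from an environment variable or stdin avoids that. main() continues outside the hunk.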
@@ -46,6 +42,50 @@ log() { echo "${prefix} $@" >> $LOGFILE echo "${prefix} $@" } +#eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'` +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + +PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) +DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) +SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE) +SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) +db_root_user=$(get_prop 'db_root_user' $PROPFILE) +db_root_password=$(get_prop 'db_root_password' $PROPFILE) +db_host=$(get_prop 'db_host' $PROPFILE) +db_name=$(get_prop 'db_name' $PROPFILE) +db_user=$(get_prop 'db_user' $PROPFILE) +db_password=$(get_prop 'db_password' $PROPFILE) +KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE) +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) +POLICY_MGR_URL=$(get_prop 'POLICY_MGR_URL' $PROPFILE) +REPOSITORY_NAME=$(get_prop 'REPOSITORY_NAME' $PROPFILE) +SSL_KEYSTORE_FILE_PATH=$(get_prop 'SSL_KEYSTORE_FILE_PATH' $PROPFILE) +SSL_KEYSTORE_PASSWORD=$(get_prop 'SSL_KEYSTORE_PASSWORD' $PROPFILE) +SSL_TRUSTSTORE_FILE_PATH=$(get_prop 'SSL_TRUSTSTORE_FILE_PATH' $PROPFILE) +SSL_TRUSTSTORE_PASSWORD=$(get_prop 'SSL_TRUSTSTORE_PASSWORD' $PROPFILE) +KMS_DIR=$(eval echo "$(get_prop 'KMS_DIR' $PROPFILE)") +app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)") +TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)") +LOGFILE=$(eval echo "$(get_prop 'LOGFILE' $PROPFILE)") +LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)") +JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE) +JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE) +JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE) +mysql_core_file=$(get_prop 
'mysql_core_file' $PROPFILE) +oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE) +postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE) +sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE) +sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE) +cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)") +KMS_BLACKLIST_DECRYPT_EEK=$(get_prop 'KMS_BLACKLIST_DECRYPT_EEK' $PROPFILE) + +DB_HOST="${db_host}" check_ret_status(){ if [ $1 -ne 0 ]; then 
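Review bot: `echo $value` in get_prop, and `value=$(echo $validateProperty | cut ...)` before it, leave the value unquoted, so a `db_password` or `KMS_MASTER_KEY_PASSWD` containing `*`, `?` or runs of spaces is glob-expanded against the current directory and whitespace-collapsed before it reaches any validator, which defeats the purpose of this commit for that class of passwords. Quote both: `value=$(printf '%s\n' "$validateProperty" | cut -d "=" -f2-)` and `printf '%s\n' "$value"`. The `$(eval echo "$(get_prop ...)")` wrappers on KMS_DIR, app_home, TMPFILE, LOGFILE, LOGFILES and cred_keystore_filename still evaluate those property values as shell, so a `$(...)` in any of them runs as root; if only `$VAR` expansion is wanted, that deserves a comment saying so. A header comment, `# get_prop NAME FILE: print the last uncommented NAME=value; exits if absent`, would help, since every assignment below depends on it.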
@@ -82,29 +122,25 @@ get_distro(){ #Get Properties from File without erroring out if property is not there #$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound getPropertyFromFileNoExit(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then - log "[E] '$1' not found in $2 file while getting....!!"; - if [ $4 == "true" ] ; then - exit 1; - else - value="" - fi - else - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - fi - #echo 'value:'$value + log "[E] '$1' not found in $2 file while getting....!!"; + if [ $4 == "true" ] ; then + exit 1; + else + value="" + fi + else + value=$(echo $validateProperty | cut -d "=" -f2-) + fi eval $3="'$value'" } #Get Properties from File #$1 -> propertyName $2 -> fileName $3 -> variableName getPropertyFromFile(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - #echo 'value:'$value - #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation - #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) eval $3="'$value'" } 
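Review bot: Both getPropertyFromFileNoExit and getPropertyFromFile keep `eval $3="'$value'"`, so a property value containing a single quote is still evaluated as shell code, the same class of problem the commit removes by dropping the top-level `eval` of the properties file. Bash's `printf -v "$3" '%s' "$value"` assigns to the named variable without evaluating the value. The tightened `grep "^$1\s*="` is an improvement over the old prefix match, though `\s` is a GNU grep extension; `[[:space:]]*` is the portable spelling.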
@@ -132,7 +168,21 @@ init_logfiles () { touch $f done } - +password_validation() { + if [ -z "$1" ] + then + log "[I] Blank password is not allowed for" $2". Please enter valid password." + exit 1 + else + if [[ $1 =~ [\"\'\`\\\] ]] + then + log "[E]" $2 "password contains one of the unsupported special characters:\" ' \` \\" + exit 1 + else + log "[I]" $2 "password validated." + fi + fi +} init_variables(){ curDt=`date '+%Y%m%d%H%M%S'` @@ -157,11 +207,11 @@ init_variables(){ DB_FLAVOR="MYSQL" fi log "[I] DB_FLAVOR=${DB_FLAVOR}" - - getPropertyFromFile 'db_root_user' $PROPFILE db_root_user - getPropertyFromFile 'db_root_password' $PROPFILE db_user - getPropertyFromFile 'db_user' $PROPFILE db_user - getPropertyFromFile 'db_password' $PROPFILE db_password + password_validation "$KMS_MASTER_KEY_PASSWD" "KMS Master key" + #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user + #getPropertyFromFile 'db_root_password' $PROPFILE db_user + #getPropertyFromFile 'db_user' $PROPFILE db_user + #getPropertyFromFile 'db_password' $PROPFILE db_password #if [ -L ${CONF_FILE} ] # then @@ -345,11 +395,6 @@ update_properties() { log "[E] $to_file does not exists" ; exit 1; fi - - propertyName=ranger.ks.jpa.jdbc.user - newPropertyValue="${db_user}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file - if [ "${DB_FLAVOR}" == "MYSQL" ] then propertyName=ranger.ks.jpa.jdbc.url @@ -382,6 +427,9 @@ update_properties() { fi if [ "${DB_FLAVOR}" == "POSTGRES" ] then + db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'` + db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'` + propertyName=ranger.ks.jpa.jdbc.url newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file 
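Review bot: The blank-password branch of password_validation logs with the `[I]` tag and then exits 1, so a fatal condition is recorded as informational; it should read `log "[E] Blank password is not allowed for" $2". Please enter valid password."`. The regex literal `[\"\'\`\\\]` is hard to audit by eye, so a header comment naming the intent, `# reject \ " ' and backtick: they cannot be safely embedded in the single-quoted arguments the python setup scripts build`, would help the next reader. The four commented-out `getPropertyFromFile` lines in init_variables (one of which loaded db_root_password into db_user) should be deleted now that get_prop supplies those variables. init_variables continues outside the hunk.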
@@ -424,6 +472,10 @@ update_properties() { newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" updatePropertyToFilePy $propertyName $newPropertyValue $to_file fi + propertyName=ranger.ks.jpa.jdbc.user + newPropertyValue="${db_user}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + keystore="${cred_keystore_filename}" echo "Starting configuration for XA DB credentials:" @@ -438,8 +490,10 @@ update_properties() { then mkdir -p `dirname "${keystore}"` - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${DB_CREDENTIAL_ALIAS}" -v "${db_password}" -c 1 + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${MK_CREDENTIAL_ALIAS}" -v "${KMS_MASTER_KEY_PASSWD}" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore propertyName=ranger.ks.jpa.jdbc.credential.alias newPropertyValue="${DB_CREDENTIAL_ALIAS}" 
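Review bot: `-v "${db_password}"` and `-v "${KMS_MASTER_KEY_PASSWD}"` place both secrets on the helper's command line, where `/proc/*/cmdline` exposes them to any local user while the process runs; the replaced buildks invocation had the same exposure, so this is not a regression, but a `# TODO: pass secrets to ranger_credential_helper.py via environment or stdin, not argv` on these lines would record the debt. The two commented-out `$JAVA_HOME/bin/java ... buildks` lines should be removed rather than kept beside their replacement. `"cred/lib/*"` is relative to the current directory, which this function does not set. update_properties continues outside the hunk.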
@@ -524,23 +578,24 @@ setup_install_files(){ if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf + cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf fi - cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf/ + fi if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib fi if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS} - if [ "${unix_user}" != "kms" ]; then - sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} - fi chmod ug+rx /etc/init.d/${RANGER_KMS} if [ -d /etc/rc2.d ] @@ -579,16 +634,20 @@ setup_install_files(){ ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} fi fi + if [ -f /etc/init.d/${RANGER_KMS} ]; then + if [ "${unix_user}" != "" ]; then + sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} + fi + fi if [ ! -d ${KMS_DIR}/ews/logs ]; then log "[I] ${KMS_DIR}/ews/logs folder" mkdir -p ${KMS_DIR}/ews/logs - chown -R ${unix_user} ${KMS_DIR}/ews/logs fi - if [ -d ${KMS_DIR}/ews/logs ]; then chown -R ${unix_user} ${KMS_DIR}/ews/logs fi + log "[I] Setting up installation files and directory DONE"; if [ ! -f ${INSTALL_DIR}/rpm ]; then 
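Review bot: `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}` interpolates the install.properties value unquoted into a sed program, so a unix_user containing `/`, `&` or whitespace corrupts the init script that root later executes, and the same unvalidated value feeds the `chown -R ${unix_user}` calls in the preceding hunk. Now that the value is no longer `eval`-ed it is plain text and can be checked once before use: `[[ "$unix_user" =~ ^[a-z_][a-z0-9_-]*$ ]] || { log "[E] invalid unix_user '$unix_user'"; exit 1; }`. setup_install_files continues outside the hunk.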
@@ -617,13 +676,17 @@ setup_install_files(){ ln -sf ${INSTALL_DIR}/ranger-kms-initd ${INSTALL_DIR}/ranger-kms-services.sh chmod ug+rx ${INSTALL_DIR}/ranger-kms-services.sh fi - - if [ ! -d /var/log/ranger/kms ] - then + if [ ! -d /var/log/ranger/kms ]; then mkdir -p /var/log/ranger/kms + if [ -d ews/logs ]; then + cp -r ews/logs/* /var/log/ranger/kms + fi + fi + if [ -d /var/log/ranger/kms ]; then + chmod 755 /var/log/ranger/kms + chown -R $unix_user:$unix_group /var/log/ranger/kms fi - chgrp ${unix_group} /var/log/ranger/kms - chmod g+rwx /var/log/ranger/kms + } init_logfiles @@ -640,7 +703,12 @@ sanity_check_files copy_db_connector check_python_command run_dba_steps -$PYTHON_COMMAND_INVOKER db_setup.py +if [ "$?" == "0" ] +then + $PYTHON_COMMAND_INVOKER db_setup.py +else + exit 1 +fi if [ "$?" == "0" ] then update_properties http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 1edc628..07a0655 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
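Review bot: `chmod 755 /var/log/ranger/kms` makes the KMS log directory listable by every local account, where the code it replaces only added `g+rwx` for ${unix_group}; whether individual log files carry sensitive material cannot be told from here, but a key-management service's log directory is a poor thing to open by default. `chmod 750 /var/log/ranger/kms` keeps group access without the world bit. The `cp -r ews/logs/*` depends on the current working directory, which the function does not set. setup_install_files continues outside the hunk.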
@@ -161,9 +161,9 @@ class MysqlConf(BaseDB): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
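Review bot: This get_jisql_cmd edit is identical to the one in kms/scripts/db_setup.py, and the quoting decision (user and password quoted for MySQL, password only for SQL Server and SQL Anywhere) is now repeated across six methods in two trees, so the next change to credential quoting must be found in all of them. Short of sharing the code, a comment at the quoted arguments, `# single-quoted for the shell; password_validation() in dba_script.py rejects ' " \ and backtick, so the quotes cannot be broken`, records that the validator and this string must change together. The WINDOWS branch has the same caveat that cmd.exe does not treat `'` as a quote character. MysqlConf continues outside the hunk.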
@@ -939,9 +939,9 @@ class SqlServerConf(BaseDB): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
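Review bot: Besides `-user %s` staying unquoted (unlike the MySQL hunk in this file), the `-cstring jdbc:sqlserver://%s\\;databaseName=%s` argument interpolates `self.host` and `db_name` bare, so now that install.properties values are read without eval, a host or database name containing whitespace or `;` splits this command. Quoting the whole connection string on the LINUX branch, `-cstring 'jdbc:sqlserver://%s;databaseName=%s'`, protects both values and removes the need for the `\\;` escape. SqlServerConf continues outside the hunk.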
@@ -1173,9 +1173,9 @@ class SqlAnywhereConf(BaseDB): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -1506,6 +1506,8 @@ def main(argv): audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,oracle_auditdb_patches) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , postgres_dbversion_catalog) 
@@ -1548,6 +1550,8 @@ def main(argv): audit_db_file = os.path.join(RANGER_ADMIN_HOME , oracle_audit_file) elif AUDIT_DB_FLAVOR == "POSTGRES": + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , postgres_audit_file) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/scripts/dba_script.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 4fd5593..40a6c49 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py @@ -96,6 +96,17 @@ def logFile(msg): print("Invalid input! Provide file path to write DBA scripts:") sys.exit() +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error") + sys.exit(1) + else: + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + class BaseDB(object): def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): 
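Review bot: The blank-password branch is the only one that does not say whose password is blank, which matters here because main() validates two different passwords in a row; `log("[E] "+userType+" user password is blank; a blank password is not allowed.","error")` matches the other two messages. The pattern `"[\\\`'\"]"` contains the unrecognized escape `\``, which Python passes through unchanged today but warns about on recent versions; `r"""[\\`'"]"""` names the same four characters explicitly. A one-line docstring stating that these characters are rejected because the password is later embedded in a single-quoted shell argument would make the rule self-explaining. `re` must be imported at module top, which is not visible in this hunk.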
@@ -1085,9 +1096,9 @@ class SqlAnywhereConf(BaseDB): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -1270,6 +1281,10 @@ def main(argv): dryMode=False is_revoke=False + if len(argv) == 3: + password_validation(argv[1],argv[2]); + return; + if len(argv) > 1: for i in range(len(argv)): if str(argv[i]) == "-q": @@ -1503,6 +1518,8 @@ def main(argv): elif XA_DB_FLAVOR == "POSTGRES": #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,postgres_dbversion_catalog) 
@@ -1553,6 +1570,8 @@ def main(argv): elif AUDIT_DB_FLAVOR == "POSTGRES": #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file) @@ -1580,6 +1599,11 @@ def main(argv): if audit_store is None or audit_store == "": audit_store = "db" audit_store=audit_store.lower() + + log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info") + password_validation(db_password,"admin"); + log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") + password_validation(audit_db_password,"audit"); # Methods Begin if DBA_MODE == "TRUE" : if (dryMode==True): http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/scripts/set_globals.sh ---------------------------------------------------------------------- diff --git a/security-admin/scripts/set_globals.sh b/security-admin/scripts/set_globals.sh index 9a4159c..5e985e2 100755 --- a/security-admin/scripts/set_globals.sh +++ b/security-admin/scripts/set_globals.sh @@ -21,6 +21,20 @@ #This will also create the ranger linux user and groups if required. #This script needs to be run as root +PROPFILE=$PWD/install.properties +propertyValue='' + +if [ ! $? = "0" ];then + log "$PROPFILE file not found....!!"; + exit 1; +fi +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + if [ ! -w /etc/passwd ]; then echo "ERROR: Please run this script as root" exit 1 
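Review bot: `password_validation(audit_db_password,"audit")` runs unconditionally even though `audit_store` has just been normalized on the line above; when the store is not `db` the audit DB password may legitimately be blank, and the validator's blank branch calls `sys.exit(1)`, aborting the install. Guarding it, `if audit_store == "db": password_validation(audit_db_password,"audit")`, ties the check to the store that actually uses the credential; whether a blank audit_db_password is accepted elsewhere for the non-db stores cannot be confirmed from this hunk. The two new log strings spell `Verifing` for `Verifying`. main() continues outside the hunk.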
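Review bot: `if [ ! $? = "0" ]` tests the exit status of the `propertyValue=''` assignment, which is always 0, so a missing install.properties is never caught here and the first `get_prop` call fails with a sed/grep error instead; the `log` invoked in that branch is also not defined until the `log()` function later in the file. `[ -f "$PROPFILE" ] || { echo "$PROPFILE file not found....!!"; exit 1; }` performs the intended check with a command that exists at that point. get_prop's `echo $value` should be `printf '%s\n' "$value"` so unix_user and unix_group are not glob-expanded or word-split before the groupadd/useradd that follow.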
@@ -43,8 +57,8 @@ log() { } #Create the ranger users and groups (if needed) -unix_user=ranger -unix_group=ranger +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) groupadd ${unix_group} ret=$? @@ -88,14 +102,14 @@ if [ ! -d /var/log/ranger/admin ]; then if [ -d ews/logs ]; then cp -r ews/logs/* /var/log/ranger/admin fi - chmod 755 /var/log/ranger/admin - chown -R $unix_user:$unix_group /var/log/ranger fi if [ -d /var/log/ranger/admin ]; then - chown -R $unix_user:$unix_group /var/log/ranger/admin + chown -R $unix_user:$unix_group /var/log/ranger + chown -R $unix_user:$unix_group /var/log/ranger/admin + chmod 755 /var/log/ranger + chmod 755 /var/log/ranger/admin fi - mv -f ews/logs ews/webapp/logs.$curDt 2> /dev/null ln -sf /var/log/ranger/admin ews/logs http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/scripts/setup.sh ---------------------------------------------------------------------- diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index cd5d2bf..11b72b4 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -22,14 +22,11 @@ PROPFILE=$PWD/install.properties propertyValue='' -. $PROPFILE +#. $PROPFILE if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; fi - -DB_HOST="${db_host}" - usage() { [ "$*" ] && echo "$0: $*" sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0" 
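Review bot: `chown -R $unix_user:$unix_group /var/log/ranger` recurses over the whole /var/log/ranger tree, so any sibling component directory already present (kms/setup.sh in this same commit creates /var/log/ranger/kms for its own unix_user) is re-owned to the admin user every time set_globals.sh runs. Changing the parent non-recursively, `chown $unix_user:$unix_group /var/log/ranger`, and keeping `-R` only on /var/log/ranger/admin limits the script to what it installs. unix_user and unix_group now come straight from install.properties via get_prop and are used unvalidated in groupadd, chown and chmod; a `[[ "$unix_user" =~ ^[a-z_][a-z0-9_-]*$ ]]` check before the first use is cheap.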
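Review bot: With `. $PROPFILE` commented out, the `if [ ! $? = "0" ]` that follows tests the status of the `propertyValue=''` assignment and can never fire, so the missing-file check is dead and the first `get_prop` later reports a sed/grep error instead; `log` is also called there before `log()` is defined. Replace the pair with `[ -f "$PROPFILE" ] || { echo "$PROPFILE file not found....!!"; exit 1; }` and drop the `#. $PROPFILE` comment rather than leaving it behind. Sourcing install.properties was the most dangerous line in this script, since any shell text in the file ran as root, so removing it is the right direction and worth a one-line comment saying properties are deliberately parsed, not sourced.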
@@ -41,6 +38,77 @@ log() { echo "${prefix} $@" >> $LOGFILE echo "${prefix} $@" } +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + +PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) +DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) +SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE) +SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) +db_root_user=$(get_prop 'db_root_user' $PROPFILE) +db_root_password=$(get_prop 'db_root_password' $PROPFILE) +db_host=$(get_prop 'db_host' $PROPFILE) +db_name=$(get_prop 'db_name' $PROPFILE) +db_user=$(get_prop 'db_user' $PROPFILE) +db_password=$(get_prop 'db_password' $PROPFILE) +audit_store=$(get_prop 'audit_store' $PROPFILE) +audit_solr_urls=$(get_prop 'audit_solr_urls' $PROPFILE) +audit_solr_user=$(get_prop 'audit_solr_user' $PROPFILE) +audit_solr_password=$(get_prop 'audit_solr_password' $PROPFILE) +audit_solr_zookeepers=$(get_prop 'audit_solr_zookeepers' $PROPFILE) +audit_db_name=$(get_prop 'audit_db_name' $PROPFILE) +audit_db_user=$(get_prop 'audit_db_user' $PROPFILE) +audit_db_password=$(get_prop 'audit_db_password' $PROPFILE) +policymgr_external_url=$(get_prop 'policymgr_external_url' $PROPFILE) +policymgr_http_enabled=$(get_prop 'policymgr_http_enabled' $PROPFILE) +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) +authentication_method=$(get_prop 'authentication_method' $PROPFILE) +remoteLoginEnabled=$(get_prop 'remoteLoginEnabled' $PROPFILE) +authServiceHostName=$(get_prop 'authServiceHostName' $PROPFILE) +authServicePort=$(get_prop 'authServicePort' $PROPFILE) +xa_ldap_url=$(get_prop 'xa_ldap_url' $PROPFILE) +xa_ldap_userDNpattern=$(get_prop 'xa_ldap_userDNpattern' $PROPFILE) +xa_ldap_groupSearchBase=$(get_prop 
'xa_ldap_groupSearchBase' $PROPFILE) +xa_ldap_groupSearchFilter=$(get_prop 'xa_ldap_groupSearchFilter' $PROPFILE) +xa_ldap_groupRoleAttribute=$(get_prop 'xa_ldap_groupRoleAttribute' $PROPFILE) +xa_ldap_base_dn=$(get_prop 'xa_ldap_base_dn' $PROPFILE) +xa_ldap_bind_dn=$(get_prop 'xa_ldap_bind_dn' $PROPFILE) +xa_ldap_bind_password=$(get_prop 'xa_ldap_bind_password' $PROPFILE) +xa_ldap_referral=$(get_prop 'xa_ldap_referral' $PROPFILE) +xa_ldap_userSearchFilter=$(get_prop 'xa_ldap_userSearchFilter' $PROPFILE) +xa_ldap_ad_domain=$(get_prop 'xa_ldap_ad_domain' $PROPFILE) +xa_ldap_ad_url=$(get_prop 'xa_ldap_ad_url' $PROPFILE) +xa_ldap_ad_base_dn=$(get_prop 'xa_ldap_ad_base_dn' $PROPFILE) +xa_ldap_ad_bind_dn=$(get_prop 'xa_ldap_ad_bind_dn' $PROPFILE) +xa_ldap_ad_bind_password=$(get_prop 'xa_ldap_ad_bind_password' $PROPFILE) +xa_ldap_ad_referral=$(get_prop 'xa_ldap_ad_referral' $PROPFILE) +xa_ldap_ad_userSearchFilter=$(get_prop 'xa_ldap_ad_userSearchFilter' $PROPFILE) +XAPOLICYMGR_DIR=$(eval echo "$(get_prop 'XAPOLICYMGR_DIR' $PROPFILE)") +app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)") +TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)") +LOGFILE=$(eval echo " $(get_prop 'LOGFILE' $PROPFILE)") +LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)") +JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE) +JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE) +JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE) +mysql_core_file=$(get_prop 'mysql_core_file' $PROPFILE) +mysql_audit_file=$(get_prop 'mysql_audit_file' $PROPFILE) +oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE) +oracle_audit_file=$(get_prop 'oracle_audit_file' $PROPFILE) +postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE) +postgres_audit_file=$(get_prop 'postgres_audit_file' $PROPFILE) +sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE) +sqlserver_audit_file=$(get_prop 'sqlserver_audit_file' $PROPFILE) +sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE) 
+sqlanywhere_audit_file=$(get_prop 'sqlanywhere_audit_file' $PROPFILE) +cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)") + +DB_HOST="${db_host}" check_ret_status(){ if [ $1 -ne 0 ]; then @@ -77,29 +145,25 @@ get_distro(){ #Get Properties from File without erroring out if property is not there #$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound getPropertyFromFileNoExit(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then - log "[E] '$1' not found in $2 file while getting....!!"; - if [ $4 == "true" ] ; then - exit 1; - else - value="" - fi - else - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - fi - #echo 'value:'$value + log "[E] '$1' not found in $2 file while getting....!!"; + if [ $4 == "true" ] ; then + exit 1; + else + value="" + fi + else + value=$(echo $validateProperty | cut -d "=" -f2-) + fi eval $3="'$value'" } #Get Properties from File #$1 -> propertyName $2 -> fileName $3 -> variableName getPropertyFromFile(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - #echo 'value:'$value - #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation - #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) eval $3="'$value'" } 
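Review bot: `eval $3="'$value'"` at the end of both `getPropertyFromFileNoExit` and `getPropertyFromFile` still single-quotes the property value inside an `eval`, so a value containing `'` terminates the quote and the remainder of the value is parsed as shell code; the rewritten `value=$(echo $validateProperty | cut -d "=" -f2-)` on the lines above also expands the unquoted value (glob and word splitting) before that happens. Since the script already relies on bash (`[ $4 == "true" ]`), `printf -v "$3" '%s' "$value"` assigns without any re-parsing, and the echo should become `printf '%s\n' "$validateProperty"`. The tightened `grep "^$1\s*="` is a good fix for the old prefix match (`db_user` no longer matches `db_user_xyz`), but the two functions are now near-duplicates of the new `get_prop` and could delegate to it. Both functions are fully inside this hunk.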
@@ -151,20 +215,20 @@ init_variables(){ fi log "[I] DB_FLAVOR=${DB_FLAVOR}" - getPropertyFromFile 'db_root_user' $PROPFILE db_root_user - getPropertyFromFile 'db_root_password' $PROPFILE db_user - getPropertyFromFile 'db_user' $PROPFILE db_user - getPropertyFromFile 'db_password' $PROPFILE db_password - if [ "${audit_store}" == "solr" ] - then - getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls - getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user - getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password - getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers - else - getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user - getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password - fi + #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user + #getPropertyFromFile 'db_root_password' $PROPFILE db_user + #getPropertyFromFile 'db_user' $PROPFILE db_user + #getPropertyFromFile 'db_password' $PROPFILE db_password + #if [ "${audit_store}" == "solr" ] + #then + # getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls + # getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user + # getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password + # getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers + #else + # getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user + # getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password + #fi } wait_for_tomcat_shutdown() { 
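Review bot: The fourteen `getPropertyFromFile` calls are commented out rather than deleted; now that the same properties are read by `get_prop` at the top of the script the block is dead, and commented-out code in `init_variables` will drift from the live version (it still shows `db_root_password` being read into `db_user`, for example). Delete the lines and let git keep the history. init_variables() starts and ends outside this hunk.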
@@ -835,6 +899,11 @@ update_properties() { fi if [ "${DB_FLAVOR}" == "POSTGRES" ] then + db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'` + audit_db_name=`echo ${audit_db_name} | tr '[:upper:]' '[:lower:]'` + db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'` + audit_db_user=`echo ${audit_db_user} | tr '[:upper:]' '[:lower:]'` + propertyName=ranger.jpa.jdbc.url newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger @@ -952,8 +1021,8 @@ update_properties() { if [ "${keystore}" != "" ] then mkdir -p `dirname "${keystore}"` - - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$db_password_alias" -v "$db_password" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore propertyName=ranger.credential.provider.path newPropertyValue="${keystore}" @@ -995,7 +1064,8 @@ update_properties() { if [ "${keystore}" != "" ] then - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_db_password_alias" -v "$audit_db_password" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore propertyName=ranger.jpa.audit.jdbc.credential.alias newPropertyValue="${audit_db_password_alias}" 
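Review bot: The `$PYTHON_COMMAND_INVOKER ranger_credential_helper.py ... -v "$db_password" -c 1` call in the second hunk has no exit-status check, so a failed keystore write is silently followed by `propertyName=ranger.credential.provider.path` pointing the admin at a credential that was never stored; the `dba_script.py` calls elsewhere in this commit do test `$?`, so `if [ "$?" != "0" ]; then log "[E] Failed to store ${db_password_alias} in ${keystore}"; exit 1; fi` after each helper call would be consistent. The same applies to the audit-db call in the third hunk and to the solr, LDAP and AD helper calls in the later do_authentication_setup hunks. Passing the secret as a `-v` argument leaves it visible in the process list while the helper runs, as the replaced java invocation also did; a short comment noting that, or a stdin option on the helper, is worth a follow-up, and the replaced java lines can be deleted rather than kept as comments. update_properties() starts and ends outside these hunks.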
@@ -1046,7 +1116,8 @@ update_properties() { mkdir -p `dirname "${keystore}"` audit_solr_password_alias=ranger.solr.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_solr_password_alias" -v "$audit_solr_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore propertyName=ranger.solr.audit.credential.alias newPropertyValue="${audit_solr_password_alias}" @@ -1318,6 +1389,12 @@ do_authentication_setup(){ if [ "${xa_ldap_base_dn}" != "" ] && [ "${xa_ldap_bind_dn}" != "" ] && [ "${xa_ldap_bind_password}" != "" ] then + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP' + if [ "$?" != "0" ] + then + exit 1 + fi + propertyName=ranger.ldap.base.dn newPropertyValue="${xa_ldap_base_dn}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file @@ -1341,7 +1418,8 @@ do_authentication_setup(){ mkdir -p `dirname "${keystore}"` ldap_password_alias=ranger.ldap.binddn.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ldap_password_alias" -v "$xa_ldap_bind_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml 
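Review bot: `$PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP'` in the second hunk passes the bind password unquoted, so a value containing spaces, `*` or `?` is word-split or glob-expanded by the shell before dba_script.py sees it — a password with a space arrives as two arguments and the check runs on the wrong string; write it as `"${xa_ldap_bind_password}"`. The same unquoted expansion is in the AD branch (`dba_script.py ${xa_ldap_ad_bind_password} 'AD'`) in the next file hunk. Passing the secret as a positional argument also shows it in the process list for the duration of the call, as the credential-helper calls do. do_authentication_setup() starts and ends outside these hunks.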
@@ -1403,6 +1481,11 @@ do_authentication_setup(){ if [ "${xa_ldap_ad_base_dn}" != "" ] && [ "${xa_ldap_ad_bind_dn}" != "" ] && [ "${xa_ldap_ad_bind_password}" != "" ] then + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD' + if [ "$?" != "0" ] + then + exit 1 + fi propertyName=ranger.ldap.ad.base.dn newPropertyValue="${xa_ldap_ad_base_dn}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file @@ -1426,7 +1509,8 @@ do_authentication_setup(){ mkdir -p `dirname "${keystore}"` ad_password_alias=ranger.ad.binddn.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ad_password_alias" -v "$xa_ldap_ad_bind_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml @@ -1568,7 +1652,7 @@ setup_install_files(){ fi fi if [ -f /etc/init.d/${RANGER_ADMIN} ]; then - if [ "${unix_user}" != "ranger" ]; then + if [ "${unix_user}" != "" ]; then sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} fi fi 
@@ -1702,17 +1786,27 @@ copy_db_connector #create_audit_db_user check_python_command run_dba_steps +if [ "$?" == "0" ] +then $PYTHON_COMMAND_INVOKER db_setup.py +else + exit 1 +fi if [ "$?" == "0" ] then update_properties do_authentication_setup -$PYTHON_COMMAND_INVOKER db_setup.py -javapatch -#execute_java_patches else log "[E] DB schema setup failed! Please contact Administrator." exit 1 fi +#execute_java_patches +$PYTHON_COMMAND_INVOKER db_setup.py -javapatch +if [ "$?" == "0" ] +then echo "ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf" ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf echo "Installation of Ranger PolicyManager Web Application is completed." +else + exit 1 +fi http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java index c46964c..3f92d8d 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java 
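Review bot: The new `else exit 1` branches around `db_setup.py` and `db_setup.py -javapatch` exit without a message, while the sibling branch logs `[E] DB schema setup failed! Please contact Administrator.` before exiting, so an operator reading the log sees the install stop with no reason. Add `log "[E] DBA steps failed! Please contact Administrator."` and `log "[E] Java patch execution failed! Please contact Administrator."` before those `exit 1` lines. The first `if [ "$?" == "0" ]` is evaluated right after `run_dba_steps`, whose exit status is that of whatever its last command is; confirm it returns non-zero on failure, since that function is not visible here.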
@@ -375,4 +375,30 @@ public class RESTErrorUtil {
 fieldName, value);
 }
 }
+
+ public WebApplicationException createRESTException(String errorMessage,
+ MessageEnums messageEnum, Long objectId, String fieldName,
+ String logMessage,int statusCode)
+ {
+ List<VXMessage> messageList = new ArrayList<VXMessage>();
+ messageList.add(messageEnum.getMessage(objectId, fieldName));
+ VXResponse vResponse = new VXResponse();
+ vResponse.setStatusCode(vResponse.STATUS_ERROR);
+ vResponse.setMsgDesc(errorMessage);
+ vResponse.setMessageList(messageList);
+ Response errorResponse = Response.status(statusCode).entity(vResponse).build();
+ WebApplicationException restException = new WebApplicationException(errorResponse);
+ restException.fillInStackTrace();
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ Long sessionId = null;
+ String loginId = null;
+ if (userSession != null) {
+ loginId = userSession.getLoginId();
+ sessionId = userSession.getSessionId();
+ }
+ logger.info("Request failed. SessionId=" + sessionId + ", loginId="
+ + loginId + ", logMessage=" + vResponse.getMsgDesc(),
+ restException);
+ return restException;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
index 0ddfb0e..49f5dde 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
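Review bot: `restException.fillInStackTrace()` in the new `createRESTException` overload is redundant — `Throwable`'s constructor already captures the stack trace — and `vResponse.setStatusCode(vResponse.STATUS_ERROR)` reads what is presumably a static constant through an instance reference; `VXResponse.STATUS_ERROR` is the usual form. The body looks like a copy of the existing five-argument overload with `statusCode` turned into a parameter, so having the older overload delegate to this one with its current status code would avoid two bodies drifting; that overload is outside this hunk, so confirm which status it builds before doing so. Logging a full stack trace at INFO (`logger.info(..., restException)`) for every 404 is also noisy for a routine client error; consider passing the throwable only at debug level. A short Javadoc stating that `statusCode` is the HTTP status placed on the response would help callers choose between the two overloads.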
@@ -37,6 +37,7 @@ import javax.persistence.criteria.Expression; import javax.persistence.criteria.Path; import javax.persistence.criteria.Predicate; import javax.persistence.criteria.Root; +import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; import org.apache.ranger.biz.RangerBizUtil; @@ -318,10 +319,10 @@ public abstract class AbstractBaseResourceService<T extends XXDBBase, V extends T resource = getDao().getById(id); if (resource == null) { - // Returns code 400 with DATA_NOT_FOUND as the error message + // Returns code 404 with DATA_NOT_FOUND as the error message throw restErrorUtil.createRESTException(getResourceName() + " not found", MessageEnums.DATA_NOT_FOUND, id, null, - "preRead: " + id + " not found."); + "preRead: " + id + " not found.",HttpServletResponse.SC_NOT_FOUND); } V viewBean = readResource(resource); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js index 7981d34..3e03d80 100644 --- a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js +++ b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js @@ -145,7 +145,6 @@ define(function(require){ } , error : function(model,resp){ XAUtil.blockUI('unblock'); - console.log('error'); if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){ XAUtil.notifyError('Error',resp.responseJSON.msgDesc); }else http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js ---------------------------------------------------------------------- 
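Review bot: Returning 404 instead of 400 from `preRead` for a missing id is a visible API change: any client that branched on 400 for `DATA_NOT_FOUND` now sees a different status, and other `DATA_NOT_FOUND` throw sites that still use the five-argument `createRESTException` keep the old code, so the API is inconsistent until they are migrated or the old overload is changed too. It is also worth confirming that the caller's authorization check runs before this lookup: if `preRead` can be reached for ids the caller is not permitted to see, the distinct 404 tells that caller which ids exist. The enclosing method starts and ends outside this hunk.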
diff --git a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js index 40e6837..dca6b13 100644 --- a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js +++ b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js @@ -160,8 +160,7 @@ define(function(require){ else XAUtil.notifyError('Error', response.responseJSON.msgDesc); }else - XAUtil.notifyError('Error', 'Error creating Policy!'); - console.log('error'); + XAUtil.notifyError('Error', 'Error occurred while creating/updating group!'); } }); }, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/security-admin/src/main/webapp/scripts/views/users/UserCreate.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js index a37fd88..817831d 100644 --- a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js +++ b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js @@ -194,7 +194,6 @@ define(function(require){ } , error : function(model,resp){ XAUtil.blockUI('unblock'); - console.log('error'); if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){ if(resp.responseJSON.msgDesc == "XUser already exists") XAUtil.notifyError('Error',"User already exists."); @@ -226,7 +225,6 @@ define(function(require){ XAUtil.notifyError('Error',resp.responseJSON.msgDesc); }else XAUtil.notifyError('Error', "Error occurred while creating/updating user."); - console.log('error'); } }); }, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/unixauthservice/scripts/set_globals.sh ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh index c92dfdc..7774e48 100755 
--- a/unixauthservice/scripts/set_globals.sh +++ b/unixauthservice/scripts/set_globals.sh @@ -21,6 +21,19 @@ #This will also create the ranger linux user and groups if required. #This script needs to be run as root +PROPFILE=$PWD/install.properties +propertyValue='' + +if [ ! $? = "0" ];then + log "$PROPFILE file not found....!!"; + exit 1; +fi +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} if [ ! -w /etc/passwd ]; then echo "ERROR: Please run this script as root" exit 1 @@ -43,8 +56,8 @@ log() { } #Create the ranger users and groups (if needed) -unix_user=ranger -unix_group=ranger +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) groupadd ${unix_group} ret=$? @@ -83,16 +96,16 @@ ln -sf /etc/ranger/usersync/conf conf #Create the log folder if [ ! -d /var/log/ranger/usersync ]; then mkdir -p /var/log/ranger/usersync - if [ -d logs ]; then - cp -r logs/* /var/log/ranger/usersync + if [ -d ews/logs ]; then + cp -r ews/logs/* /var/log/ranger/usersync fi - chmod 755 /var/log/ranger/usersync - chown -R $unix_user:$unix_group /var/log/ranger fi if [ -d /var/log/ranger/usersync ]; then - chown -R $unix_user:$unix_group /var/log/ranger/usersync + chown -R $unix_user:$unix_group /var/log/ranger/usersync + chmod 755 /var/log/ranger/usersync fi + mv -f logs logs.$curDt 2> /dev/null ln -sf /var/log/ranger/usersync logs http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/47c1f94f/unixauthservice/scripts/setup.py ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py index 31c486e..b35a261 100755 --- a/unixauthservice/scripts/setup.py +++ b/unixauthservice/scripts/setup.py 
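Review bot: The log copy in the `if [ ! -d /var/log/ranger/usersync ]` block now reads from `ews/logs`, but the rest of this script still uses `logs` (`mv -f logs logs.$curDt` and `ln -sf /var/log/ranger/usersync logs` in the same hunk), so the new path looks pasted from the admin script and would silently copy nothing if usersync has no `ews/` directory; either revert to `if [ -d logs ]; then cp -r logs/* /var/log/ranger/usersync` or change the mv/ln lines to match. Dropping the recursive chown of the parent /var/log/ranger here is the right call, since the admin directory next to it is owned by another script. Whether usersync ships an `ews/` tree is not visible from this diff.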
@@ -81,7 +81,7 @@ SYNC_INTERVAL_NEW_KEY = 'ranger.usersync.sleeptimeinmillisbetweensynccycle' SYNC_SOURCE_UNIX = 'unix' SYNC_SOURCE_LDAP = 'ldap' SYNC_SOURCE_LIST = [ SYNC_SOURCE_UNIX, SYNC_SOURCE_LDAP ] - +SYNC_LDAP_BIND_PASSWORD_KEY = 'ranger.usersync.ldap.ldapbindpassword' credUpdateClassName = 'org.apache.ranger.credentialapi.buildks' #credUpdateClassName = 'com.hortonworks.credentialapi.buildks' @@ -166,6 +166,17 @@ def updateProppertyInJCKSFile(jcksFileName,propName,value): sys.exit(1) return ret +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + print "[E] "+userType+" proprty contains one of the unsupported special characters like \" ' \ `" + sys.exit(1) + else: + print "[I] "+userType+" proprty is verified." + else: + print "[E] Blank password is not allowed for proprty " +userType+ ",please enter valid password." + sys.exit(1) + def convertInstallPropsToXML(props): directKeyMap = getPropertiesConfigMap(join(installTemplateDirName,install2xmlMapFileName)) @@ -190,6 +201,8 @@ def convertInstallPropsToXML(props): # if (key.startswith("ranger.usersync.ldap") or key.startswith("ranger.usersync.group") or key.startswith("ranger.usersync.paged")): # del ret[key] elif (syncSource == SYNC_SOURCE_LDAP): + ldapPass=ret[SYNC_LDAP_BIND_PASSWORD_KEY] + password_validation(ldapPass, SYNC_LDAP_BIND_PASSWORD_KEY) ret['ranger.usersync.source.impl.class'] = 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder' if (SYNC_INTERVAL_NEW_KEY not in ret or len(str(ret[SYNC_INTERVAL_NEW_KEY])) == 0): ret[SYNC_INTERVAL_NEW_KEY] = "3600000" 
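Review bot: `ldapPass=ret[SYNC_LDAP_BIND_PASSWORD_KEY]` in the third hunk raises a bare `KeyError` when the property is absent from install.properties, which pre-empts the friendly "[E] Blank password is not allowed" message that `password_validation` prints for an empty value; `ldapPass = ret.get(SYNC_LDAP_BIND_PASSWORD_KEY)` lets the validator handle both cases. In `password_validation` the pattern `"[\\\`'\"]"` only works because Python keeps the unknown escape `\`` verbatim; a raw string `r"[\\`'\"]"` says what is meant, and the three user-facing messages misspell "property" as "proprty". A one-line docstring saying why exactly backslash, backtick and the two quotes are rejected (presumably because they break the quoted command lines the setup scripts build — confirm) would stop the next maintainer from "fixing" the set. convertInstallPropsToXML() starts and ends outside the third hunk.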
@@ -237,20 +250,18 @@ def initializeInitD(ownerName): fn = join(installPropDirName,initdProgramName) initdFn = join(initdDirName,initdProgramName) shutil.copy(fn, initdFn) - if (ownerName != 'ranger'): - f = open(initdFn,'r') - filedata = f.read() - f.close() - find_str = "LINUX_USER=ranger" - replace_str = "LINUX_USER="+ ownerName - newdata = filedata.replace(find_str,replace_str) - - f = open(initdFn,'w') - f.write(newdata) - f.close() - - os.chmod(initdFn,0550) - rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] + if (ownerName != 'ranger'): + f = open(initdFn,'r') + filedata = f.read() + f.close() + find_str = "LINUX_USER=ranger" + replace_str = "LINUX_USER="+ ownerName + newdata = filedata.replace(find_str,replace_str) + f = open(initdFn,'w') + f.write(newdata) + f.close() + os.chmod(initdFn,0550) + rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] for rcDir in rcDirList: if (os.path.isdir(rcDir)): for prefix in initPrefixList: @@ -258,14 +269,13 @@ def initializeInitD(ownerName): scriptName = join(rcDir, scriptFn) if isfile(scriptName): os.remove(scriptName) - #print "+ ln -sf %s %s" % (initdFn, scriptName) os.symlink(initdFn,scriptName) - userSyncScriptName = "ranger-usersync-services.sh" - localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName)) - ubinScriptName = join("/usr/bin",initdProgramName) - if isfile(ubinScriptName): - os.remove(ubinScriptName) - os.symlink(localScriptName,ubinScriptName) + userSyncScriptName = "ranger-usersync-services.sh" + localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName)) + ubinScriptName = join("/usr/bin",initdProgramName) + if isfile(ubinScriptName): + os.remove(ubinScriptName) + os.symlink(localScriptName,ubinScriptName) def createJavaKeystoreForSSL(fn,passwd):
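Review bot: Every line from `if (ownerName != 'ranger'):` through the `/usr/bin` symlink is removed and re-added, which reads as an indentation-only change, but in a Python function indentation is control flow: whether `rcDirList`, the rc*.d symlink loop and the `os.symlink(localScriptName,ubinScriptName)` block are now inside the `ownerName != 'ranger'` guard (skipped for the default user) or still after it cannot be told from this diff — verify with `git diff -w` and add a comment such as `# rc*.d and /usr/bin links are created for every owner, not only non-default ones` at the dedent point. The rewrite of `initdFn` uses paired `open`/`close` calls; `with open(initdFn) as f:` would also close the handle when `read`/`write` raises. initializeInitD() starts outside this hunk.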
