[
https://issues.apache.org/jira/browse/RANGER-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515290#comment-17515290
]
kirby zhou commented on RANGER-3687:
------------------------------------
Now we store the password in x_portal_user, and store the password change log in
x_trx_log.
But we do not store the real encrypted-password value, because
RangerBizUtil.createTrxLog erases the password value.
It seems we could simply disable the 'erasing' action of RangerBizUtil.createTrxLog
and add some code to check the old password history.
But if the x_trx_log is designed to be audited by somebody who should not see the
shadow password, we need a new table such as x_pwd_hist to store the password
history separately.
{code:sql}
select * from x_trx_log where (class_type=1003 or class_type=7) and
attr_name="Password" order by id desc\G
*************************** 1. row ***************************
id: 258
create_time: 2022-03-31 12:00:10
update_time: 2022-03-31 12:00:10
added_by_id: 8
upd_by_id: 8
class_type: 7
object_id: 8
parent_object_id: NULL
parent_object_class_type: 0
parent_object_name: NULL
object_name: freeman
attr_name: Password
prev_val: *****
new_val: *****
trx_id: 3152013666542765184
action: password change
sess_id: 143
req_id: 3152013666542765184
sess_type: Spring Authenticated Session
*************************** 2. row ***************************
id: 257
create_time: 2022-03-31 11:54:24
update_time: 2022-03-31 11:54:24
added_by_id: 1
upd_by_id: 1
class_type: 1003
object_id: 10
parent_object_id: NULL
parent_object_class_type: 0
parent_object_name: NULL
object_name: freeman
attr_name: Password
prev_val: null
new_val: *****
trx_id: 7542134536806026552
action: update
sess_id: 142
req_id: 7542134536806026552
sess_type: Spring Authenticated Session
{code}
{code:java}
// RangerBizUtil.createTrxLog: both the previous and the new value of a
// "Password" attribute are replaced by the masked string before the row is
// written to x_trx_log, so the log never carries the real hash.
if ("Password".equalsIgnoreCase(StringUtil.trim(xTrxLog.getAttributeName()))) {
    if (xTrxLog.getPreviousValue() != null
            && !xTrxLog.getPreviousValue().trim().isEmpty()
            && !"null".equalsIgnoreCase(xTrxLog.getPreviousValue().trim())) {
        xTrxLog.setPreviousValue(AppConstants.Masked_String);
    }
    if (xTrxLog.getNewValue() != null
            && !xTrxLog.getNewValue().trim().isEmpty()
            && !"null".equalsIgnoreCase(xTrxLog.getNewValue().trim())) {
        xTrxLog.setNewValue(AppConstants.Masked_String);
    }
}
{code}
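As an added example (not code from the Ranger project or from this comment), the following sketch shows the separate-table approach the comment proposes: a stand-in for a hypothetical x_pwd_hist table keeps only a salted PBKDF2 hash per entry, bounded to the last N passwords, so the reuse check never needs the masked values in x_trx_log and an auditor reading x_trx_log still sees nothing. The user id, password strings and the `HISTORY_DEPTH` of 5 are constructed for the demo (the issue suggests 4 or 5); the table name, `PasswordHistory` class and `run_scenario` helper are assumptions, not Ranger APIs.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

HISTORY_DEPTH = 5            # last N passwords that may not be reused (constructed)
PBKDF2_ITERATIONS = 100_000  # work factor for the stored hashes
SALT_BYTES = 16


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; each history row gets its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """In-memory stand-in for a hypothetical x_pwd_hist table (assumption).

    Rows hold (salt, hash) only; no plaintext or reusable hash from x_trx_log.
    """

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        # user_id -> deque of (salt, digest), newest first
        self._table: dict[int, deque] = defaultdict(deque)

    def is_reused(self, user_id: int, candidate: str) -> bool:
        """True if the candidate matches any of the user's last `depth` passwords."""
        for salt, digest in self._table[user_id]:
            # constant-time comparison so timing does not reveal which row matched
            if hmac.compare_digest(digest, pbkdf2(candidate, salt)):
                return True
        return False

    def record(self, user_id: int, new_password: str) -> None:
        """Store the accepted password's hash and age out rows beyond `depth`."""
        salt = os.urandom(SALT_BYTES)
        hist = self._table[user_id]
        hist.appendleft((salt, pbkdf2(new_password, salt)))
        while len(hist) > self.depth:
            hist.pop()  # oldest entry falls out of the reuse window

    def change_password(self, user_id: int, new_password: str) -> bool:
        """Policy entry point: reject reuse within the window, otherwise record."""
        if self.is_reused(user_id, new_password):
            return False
        self.record(user_id, new_password)
        return True


def run_scenario() -> list[bool]:
    """Constructed walk-through: reuse inside the window is refused, reuse after
    the window has rolled over is allowed again."""
    hist = PasswordHistory()
    user_id = 8  # constructed; matches the object_id in the comment's output
    results = [
        hist.change_password(user_id, "first-secret-1"),
        hist.change_password(user_id, "second-secret-2"),
        hist.change_password(user_id, "first-secret-1"),  # still within last 5
    ]
    for i in range(HISTORY_DEPTH):
        hist.change_password(user_id, f"rotate-{i}")      # push the old ones out
    results.append(hist.change_password(user_id, "first-secret-1"))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The trx log row stays exactly as createTrxLog writes it (masked on both sides); the reuse decision is made against the history rows alone, which is why the history table can be given a narrower read grant than x_trx_log.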
> Password Policy Best Practices for Strong Security
> --------------------------------------------------
>
> Key: RANGER-3687
> URL: https://issues.apache.org/jira/browse/RANGER-3687
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Bhavik Patel
> Priority: Major
>
> # Password history should be configured to restrict users from reusing their
> last 4 or 5 passwords.
> # Forcing users to change passwords every 90-180 days
--
This message was sent by Atlassian Jira
(v8.20.1#820001)