[
https://issues.apache.org/jira/browse/RANGER-5631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vince Nwobodo updated RANGER-5631:
----------------------------------
Component/s: admin
usersync
(was: ranger-authn)
Description:
h2. Summary
Passwords containing certain special characters cannot be used in Ranger
Usersync and Admin setup. Two distinct root causes, in two different
components, produce two different failure modes:
* '%' -> Usersync setup crashes with an unhandled configparser error
* '\' -> Admin DB setup intentionally rejects the password and exits
Originally filed as an Improvement; this is really a defect with a clear
reproduction and identified root cause in each component.
h2. Affected version
2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.
h2. Root cause 1 — '%' in Usersync setup (crash)
File: unixauthservice/scripts/setup.py
Function: getPropertiesConfigMap() (called from main())
getPropertiesConfigMap() loads install.properties into a default
ConfigParser(). The default parser uses BasicInterpolation, which treats
'%' as a special token (it must be followed by '%' or '('). When a
property value contains a bare '%', iterating fcp.items('dummysection')
raises:
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(',
found: '%xxxx...'
Setup aborts while reading install.properties — before Usersync is ever
configured or started. The same getPropertiesConfigMap() pattern is
copy-pasted into other scripts (e.g. security-admin/scripts/upgrade_admin.py),
so this is a repo-wide bug class, not a single-file issue.
h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)
File: security-admin/scripts/dba_script.py
Function: password_validation()
password_validation() runs a denylist regex over the DB setup credentials
(DBA root / Ranger DB user / audit DB user). Any password containing
backslash, backtick, single quote, or double quote is rejected and the
script exits:
[E] <userType> user password contains one of the unsupported special
characters like " ' \ `
This is by design today, but it blocks otherwise-valid passwords during
Admin DB setup.
h2. Steps to reproduce
'%' (Usersync):
1. In the Usersync install.properties, set a credential property
(e.g. the policy-manager sync user password) to a value containing a
bare '%', for example: Test%Pass1
2. Run ./setup.sh (which invokes setup.py).
3. Setup aborts with configparser.InterpolationSyntaxError (trace above).
'\' (Admin):
1. In the Admin install.properties, set a DB password (DBA root / db_user
/ audit db_user) to a value containing '\', for example: Test\Pass1
2. Run the Admin DB setup (dba_script.py).
3. Setup exits with the "unsupported special characters" error above.
h2. Expected behaviour
Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
or at minimum handled gracefully and clearly documented as constraints.
h2. Proposed fix
* Usersync setup.py (getPropertiesConfigMap and the twin getPropertiesKeyList):
construct the parser with interpolation disabled —
ConfigParser(interpolation=None)
or RawConfigParser() — so '%' is treated literally. Audit other scripts
using the same pattern (e.g. upgrade_admin.py).
* Admin dba_script.py (password_validation): relax/remove the denylist and
instead correctly quote/escape the value when it is passed to jisql, rather
than rejecting valid characters.
h2. Notes
Stack trace and any screenshots in this ticket have been redacted to remove a
real credential that appeared in the original setup output.
was:
Currently facing some special character limitation issues on password values in
Ranger User Sync and Admin, specifically the `%` character. `\` character has
posed some issues as well.
Ideally a feature to accept those characters (or a list of allowed special
characters) in subsequent patches.
Issue Type: Bug (was: Improvement)
Priority: Critical (was: Blocker)
Summary: Usersync setup.py and Admin dba_script.py fail on passwords
containing % and \ (configparser interpolation crash + password denylist)\
(was: Special character limitation in passwords)
> Usersync setup.py and Admin dba_script.py fail on passwords containing % and
> \ (configparser interpolation crash + password denylist)\
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5631
> URL: https://issues.apache.org/jira/browse/RANGER-5631
> Project: Ranger
> Issue Type: Bug
> Components: admin, usersync
> Affects Versions: 2.5.0
> Environment: Virtual machines and OpenShift
> Reporter: Vince Nwobodo
> Priority: Critical
> Labels: characters
>
> h2. Summary
> Passwords containing certain special characters cannot be used in Ranger
> Usersync and Admin setup. Two distinct root causes, in two different
> components, produce two different failure modes:
> * '%' -> Usersync setup crashes with an unhandled configparser error
> * '\' -> Admin DB setup intentionally rejects the password and exits
> Originally filed as an Improvement; this is really a defect with a clear
> reproduction and identified root cause in each component.
> h2. Affected version
> 2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.
> h2. Root cause 1 — '%' in Usersync setup (crash)
> File: unixauthservice/scripts/setup.py
> Function: getPropertiesConfigMap() (called from main())
> getPropertiesConfigMap() loads install.properties into a default
> ConfigParser(). The default parser uses BasicInterpolation, which treats
> '%' as a special token (it must be followed by '%' or '('). When a
> property value contains a bare '%', iterating fcp.items('dummysection')
> raises:
> configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(',
> found: '%xxxx...'
> Setup aborts while reading install.properties — before Usersync is ever
> configured or started. The same getPropertiesConfigMap() pattern is
> copy-pasted into other scripts (e.g. security-admin/scripts/upgrade_admin.py),
> so this is a repo-wide bug class, not a single-file issue.
> h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)
> File: security-admin/scripts/dba_script.py
> Function: password_validation()
> password_validation() runs a denylist regex over the DB setup credentials
> (DBA root / Ranger DB user / audit DB user). Any password containing
> backslash, backtick, single quote, or double quote is rejected and the
> script exits:
> [E] <userType> user password contains one of the unsupported special
> characters like " ' \ `
> This is by design today, but it blocks otherwise-valid passwords during
> Admin DB setup.
> h2. Steps to reproduce
> '%' (Usersync):
> 1. In the Usersync install.properties, set a credential property
> (e.g. the policy-manager sync user password) to a value containing a
> bare '%', for example: Test%Pass1
> 2. Run ./setup.sh (which invokes setup.py).
> 3. Setup aborts with configparser.InterpolationSyntaxError (trace above).
> '\' (Admin):
> 1. In the Admin install.properties, set a DB password (DBA root / db_user
> / audit db_user) to a value containing '\', for example: Test\Pass1
> 2. Run the Admin DB setup (dba_script.py).
> 3. Setup exits with the "unsupported special characters" error above.
> h2. Expected behaviour
> Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
> or at minimum handled gracefully and clearly documented as constraints.
> h2. Proposed fix
> * Usersync setup.py (getPropertiesConfigMap and the twin
> getPropertiesKeyList):
> construct the parser with interpolation disabled —
> ConfigParser(interpolation=None)
> or RawConfigParser() — so '%' is treated literally. Audit other scripts
> using the same pattern (e.g. upgrade_admin.py).
> * Admin dba_script.py (password_validation): relax/remove the denylist and
> instead correctly quote/escape the value when it is passed to jisql, rather
> than rejecting valid characters.
> h2. Notes
> Stack trace and any screenshots in this ticket have been redacted to remove a
> real credential that appeared in the original setup output.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
