[ https://issues.apache.org/jira/browse/RANGER-5631 ]
Vince Nwobodo deleted comment on RANGER-5631:
---------------------------------------
was (Author: JIRAUSER313585):
Please find below the list of forbidden characters.
Password Forbidden chars '-@.,#/&;\
> Usersync setup.py and Admin dba_script.py fail on passwords containing % and
> \ (configparser interpolation crash + password denylist)\
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5631
> URL: https://issues.apache.org/jira/browse/RANGER-5631
> Project: Ranger
> Issue Type: Bug
> Components: admin, usersync
> Affects Versions: 2.5.0
> Environment: Virtual machines and OpenShift
> Reporter: Vince Nwobodo
> Priority: Critical
> Labels: characters
>
> h2. Summary
> Passwords containing certain special characters cannot be used in Ranger
> Usersync and Admin setup. Two distinct root causes, in two different
> components, produce two different failure modes:
> * '%' -> Usersync setup crashes with an unhandled configparser error
> * '\' -> Admin DB setup intentionally rejects the password and exits
> Originally filed as an Improvement; this is really a defect with a clear
> reproduction and identified root cause in each component.
> h2. Affected version
> 2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.
> h2. Root cause 1 — '%' in Usersync setup (crash)
> File: unixauthservice/scripts/setup.py
> Function: getPropertiesConfigMap() (called from main())
> getPropertiesConfigMap() loads install.properties into a default
> ConfigParser(). The default parser uses BasicInterpolation, which treats
> '%' as a special token (it must be followed by '%' or '('). When a
> property value contains a bare '%', iterating fcp.items('dummysection')
> raises:
> configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(',
> found: '%xxxx...'
> Setup aborts while reading install.properties — before Usersync is ever
> configured or started. The same getPropertiesConfigMap() pattern is
> copy-pasted into other scripts (e.g. security-admin/scripts/upgrade_admin.py),
> so this is a repo-wide bug class, not a single-file issue.
> h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)
> File: security-admin/scripts/dba_script.py
> Function: password_validation()
> password_validation() runs a denylist regex over the DB setup credentials
> (DBA root / Ranger DB user / audit DB user). Any password containing
> backslash, backtick, single quote, or double quote is rejected and the
> script exits:
> [E] <userType> user password contains one of the unsupported special
> characters like " ' \ `
> This is by design today, but it blocks otherwise-valid passwords during
> Admin DB setup.
> h2. Steps to reproduce
> '%' (Usersync):
> 1. In the Usersync install.properties, set a credential property
> (e.g. the policy-manager sync user password) to a value containing a
> bare '%', for example: Test%Pass1
> 2. Run ./setup.sh (which invokes setup.py).
> 3. Setup aborts with configparser.InterpolationSyntaxError (trace above).
> '\' (Admin):
> 1. In the Admin install.properties, set a DB password (DBA root / db_user
> / audit db_user) to a value containing '\', for example: Test\Pass1
> 2. Run the Admin DB setup (dba_script.py).
> 3. Setup exits with the "unsupported special characters" error above.
> h2. Expected behaviour
> Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
> or at minimum handled gracefully and clearly documented as constraints.
> h2. Proposed fix
> * Usersync setup.py (getPropertiesConfigMap and the twin
> getPropertiesKeyList):
> construct the parser with interpolation disabled —
> ConfigParser(interpolation=None)
> or RawConfigParser() — so '%' is treated literally. Audit other scripts
> using the same pattern (e.g. upgrade_admin.py).
> * Admin dba_script.py (password_validation): relax/remove the denylist and
> instead correctly quote/escape the value when it is passed to jisql, rather
> than rejecting valid characters.
> h2. Notes
> Stack trace and any screenshots in this ticket have been redacted to remove a
> real credential that appeared in the original setup output.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
