[ https://issues.apache.org/jira/browse/RANGER-5631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vince Nwobodo updated RANGER-5631:
----------------------------------
    Description: 
h2. Summary

Passwords containing certain special characters cannot be used in Ranger
Usersync and Admin setup. Two distinct root causes, in two different
components, produce two different failure modes:
 * '%'  -> Usersync setup crashes with an unhandled configparser error
 * '\'  -> Admin DB setup intentionally rejects the password and exits

Originally filed as an Improvement; this is really a defect with a clear
reproduction and identified root cause in each component.
h2. Affected version

2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.
h2. Root cause 1 — '%' in Usersync setup (crash)
{code}
Traceback (most recent call last):
  File "./setup.py", line 622, in <module>
    main()
  File "./setup.py", line 436, in main
    installProps = getPropertiesConfigMap(join(RANGER_USERSYNC_HOME, installPropFileName))
  File "./setup.py", line 180, in getPropertiesConfigMap
    for k, v in fcp.items('dummysection'):
  File "/usr/lib64/python3.6/configparser.py", line 858, in items
    return [(option, value_getter(option)) for option in d.keys()]
  File "/usr/lib64/python3.6/configparser.py", line 855, in <lambda>
    section, option, d[option], d)
  File "/usr/lib64/python3.6/configparser.py", line 394, in before_get
    self._interpolate_some(parser, option, L, value, section, defaults, 1)
  File "/usr/lib64/python3.6/configparser.py", line 444, in _interpolate_some
    "found: %r" % (rest,))
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%xxxxxxxxx'
{code}
h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)

File: security-admin/scripts/dba_script.py
Function: password_validation()

password_validation() runs a denylist regex over the DB setup credentials
(DBA root / Ranger DB user / audit DB user). Any password containing
backslash, backtick, single quote, or double quote is rejected and the
script exits:
{code}
  [E] <userType> user password contains one of the unsupported special characters like " ' \ `
{code}
This is by design today, but it blocks otherwise-valid passwords during
Admin DB setup.
h2. Steps to reproduce

'%' (Usersync):
1. In the Usersync install.properties, set a credential property
   (e.g. the policy-manager sync user password) to a value containing a
   bare '%', for example: Test%Pass1
2. Run ./setup.sh (which invokes setup.py).
3. Setup aborts with configparser.InterpolationSyntaxError (trace above).

'\' (Admin):
1. In the Admin install.properties, set a DB password (DBA root / db_user
   / audit db_user) to a value containing '\', for example: Test\Pass1
2. Run the Admin DB setup (dba_script.py).
3. Setup exits with the "unsupported special characters" error above.
h2. Expected behaviour

Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
or at minimum handled gracefully and clearly documented as constraints.
h2. Proposed fix
 * Usersync setup.py (getPropertiesConfigMap and the twin getPropertiesKeyList): construct the parser with interpolation disabled — ConfigParser(interpolation=None) or RawConfigParser() — so '%' is treated literally. Audit other scripts using the same pattern (e.g. upgrade_admin.py).
 * Admin dba_script.py (password_validation): relax/remove the denylist and instead correctly quote/escape the value when it is passed to jisql, rather than rejecting valid characters.

h2. Notes

Stack trace and any screenshots in this ticket have been redacted to remove a
real credential that appeared in the original setup output.

  was:
h2. Summary
Passwords containing certain special characters cannot be used in Ranger
Usersync and Admin setup. Two distinct root causes, in two different
components, produce two different failure modes:

* '%'  -> Usersync setup crashes with an unhandled configparser error
* '\'  -> Admin DB setup intentionally rejects the password and exits

Originally filed as an Improvement; this is really a defect with a clear
reproduction and identified root cause in each component.

h2. Affected version
2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.

h2. Root cause 1 — '%' in Usersync setup (crash)
File: unixauthservice/scripts/setup.py
Function: getPropertiesConfigMap()  (called from main())

getPropertiesConfigMap() loads install.properties into a default
ConfigParser(). The default parser uses BasicInterpolation, which treats
'%' as a special token (it must be followed by '%' or '('). When a
property value contains a bare '%', iterating fcp.items('dummysection')
raises:

  configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%xxxx...'

Setup aborts while reading install.properties — before Usersync is ever
configured or started. The same getPropertiesConfigMap() pattern is
copy-pasted into other scripts (e.g. security-admin/scripts/upgrade_admin.py),
so this is a repo-wide bug class, not a single-file issue.

h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)
File: security-admin/scripts/dba_script.py
Function: password_validation()

password_validation() runs a denylist regex over the DB setup credentials
(DBA root / Ranger DB user / audit DB user). Any password containing
backslash, backtick, single quote, or double quote is rejected and the
script exits:

  [E] <userType> user password contains one of the unsupported special characters like " ' \ `

This is by design today, but it blocks otherwise-valid passwords during
Admin DB setup.

h2. Steps to reproduce
'%' (Usersync):
1. In the Usersync install.properties, set a credential property
   (e.g. the policy-manager sync user password) to a value containing a
   bare '%', for example: Test%Pass1
2. Run ./setup.sh (which invokes setup.py).
3. Setup aborts with configparser.InterpolationSyntaxError (trace above).

'\' (Admin):
1. In the Admin install.properties, set a DB password (DBA root / db_user
   / audit db_user) to a value containing '\', for example: Test\Pass1
2. Run the Admin DB setup (dba_script.py).
3. Setup exits with the "unsupported special characters" error above.

h2. Expected behaviour
Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
or at minimum handled gracefully and clearly documented as constraints.

h2. Proposed fix
* Usersync setup.py (getPropertiesConfigMap and the twin getPropertiesKeyList): construct the parser with interpolation disabled — ConfigParser(interpolation=None) or RawConfigParser() — so '%' is treated literally. Audit other scripts using the same pattern (e.g. upgrade_admin.py).
* Admin dba_script.py (password_validation): relax/remove the denylist and instead correctly quote/escape the value when it is passed to jisql, rather than rejecting valid characters.

h2. Notes
Stack trace and any screenshots in this ticket have been redacted to remove a
real credential that appeared in the original setup output.


> Setup scripts fail on passwords containing % (Usersync configparser crash) and \ (Admin denylist)
> -------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5631
>                 URL: https://issues.apache.org/jira/browse/RANGER-5631
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, usersync
>    Affects Versions: 2.5.0
>         Environment: Virtual machines and OpenShift
>            Reporter: Vince Nwobodo
>            Priority: Critical
>              Labels: characters
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
