[ https://issues.apache.org/jira/browse/RANGER-5631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091672#comment-18091672 ]
Vince Nwobodo commented on RANGER-5631:
---------------------------------------
Linking RANGER-701 as prior art. That issue raised the same setup-script
limitation and was resolved as [FIXED / Won't Fix / etc., in version X].
However, the '%' failure in Usersync setup.py (getPropertiesConfigMap) is
still present in 2.5.0 — it is an unhandled configparser.InterpolationSyntaxError
that aborts setup, not a feature request. So this is not a duplicate; it is a
remaining/regressed gap in the area RANGER-701 covered.

Distinguishing the two halves of this ticket:
- '\' in dba_script.py (password_validation) is an intentional, documented
  denylist (" ' \ ` appear in published Ranger password requirements) — the
  ask there is to relax a known restriction.
- '%' in Usersync setup.py is neither intended nor documented — a
  straightforward bug, and the easier/lower-risk half to fix first.

> Setup scripts fail on passwords containing % (Usersync configparser crash)
> and \ (Admin denylist)
> -------------------------------------------------------------------------------------------------
>
> Key: RANGER-5631
> URL: https://issues.apache.org/jira/browse/RANGER-5631
> Project: Ranger
> Issue Type: Bug
> Components: admin, usersync
> Affects Versions: 2.5.0
> Environment: Virtual machines and OpenShift
> Reporter: Vince Nwobodo
> Priority: Critical
> Labels: characters
>
> h2. Summary
> Passwords containing certain special characters cannot be used in Ranger
> Usersync and Admin setup. Two distinct root causes, in two different
> components, produce two different failure modes:
> * '%' -> Usersync setup crashes with an unhandled configparser error
> * '\' -> Admin DB setup intentionally rejects the password and exits
> Originally filed as an Improvement; this is really a defect with a clear
> reproduction and identified root cause in each component.
> h2. Affected version
> 2.5.0 (release-ranger-2.5.0). Observed on both VM and OpenShift deployments.
> h2. Root cause 1 — '%' in Usersync setup (crash)
> {code:java}
> Traceback (most recent call last):
>   File "./setup.py", line 622, in <module>
>     main()
>   File "./setup.py", line 436, in main
>     installProps = getPropertiesConfigMap(join(RANGER_USERSYNC_HOME, installPropFileName))
>   File "./setup.py", line 180, in getPropertiesConfigMap
>     for k, v in fcp.items('dummysection'):
>   File "/usr/lib64/python3.6/configparser.py", line 858, in items
>     return [(option, value_getter(option)) for option in d.keys()]
>   File "/usr/lib64/python3.6/configparser.py", line 855, in <lambda>
>     section, option, d[option], d)
>   File "/usr/lib64/python3.6/configparser.py", line 394, in before_get
>     self._interpolate_some(parser, option, L, value, section, defaults, 1)
>   File "/usr/lib64/python3.6/configparser.py", line 444, in _interpolate_some
>     "found: %r" % (rest,))
> configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%xxxxxxxxx'
> {code}
> h2. Root cause 2 — '\' in Admin DB setup (intentional rejection)
> File: security-admin/scripts/dba_script.py
> Function: password_validation()
> password_validation() runs a denylist regex over the DB setup credentials
> (DBA root / Ranger DB user / audit DB user). Any password containing
> backslash, backtick, single quote, or double quote is rejected and the
> script exits:
> {code:java}
> [E] <userType> user password contains one of the unsupported special characters like " ' \ `
> {code}
> This is by design today, but it blocks otherwise-valid passwords during
> Admin DB setup.
> h2. Steps to reproduce
> '%' (Usersync):
> 1. In the Usersync install.properties, set a credential property
> (e.g. the policy-manager sync user password) to a value containing a
> bare '%', for example: Test%Pass1
> 2. Run ./setup.sh (which invokes setup.py).
> 3. Setup aborts with configparser.InterpolationSyntaxError (trace above).
> '\' (Admin):
> 1. In the Admin install.properties, set a DB password (DBA root / db_user
> / audit db_user) to a value containing '\', for example: Test\Pass1
> 2. Run the Admin DB setup (dba_script.py).
> 3. Setup exits with the "unsupported special characters" error above.
> h2. Expected behaviour
> Passwords containing '%' and '\' (ideally also ' " `) should be accepted,
> or at minimum handled gracefully and clearly documented as constraints.
> h2. Proposed fix
> * Usersync setup.py (getPropertiesConfigMap and the twin getPropertiesKeyList):
> construct the parser with interpolation disabled — ConfigParser(interpolation=None)
> or RawConfigParser() — so '%' is treated literally. Audit other scripts
> using the same pattern (e.g. upgrade_admin.py).
> * Admin dba_script.py (password_validation): relax/remove the denylist and
> instead correctly quote/escape the value when it is passed to jisql, rather
> than rejecting valid characters.
> h2. Notes
> Stack trace and any screenshots in this ticket have been redacted to remove a
> real credential that appeared in the original setup output.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
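
The '%' failure and the proposed `interpolation=None` fix, as an added example that is not code from the ticket or from Ranger's setup.py. It assumes the properties text is parsed by prepending a `[dummysection]` header (the section name in the traceback); the key names are hypothetical, and the pre-flight check reports offending keys without echoing their values, since the parser's exception text contains part of the password.

```python
import configparser
import io

SECTION = "dummysection"  # section name seen in the ticket's traceback

# Constructed sample; key names are hypothetical, the password is the ticket's example.
SAMPLE = "SYNC_SOURCE = unix\nSYNC_INTERVAL = 5\nSYNC_USER_PASSWORD = Test%Pass1\n"


def _read(parser, text):
    parser.optionxform = str  # preserve key case instead of lower-casing
    parser.read_file(io.StringIO("[%s]\n%s" % (SECTION, text)))
    return parser


def load_properties(text, literal_percent=True):
    """Parse section-less key=value text; '%' is literal when literal_percent is set."""
    kwargs = {"interpolation": None} if literal_percent else {}
    return dict(_read(configparser.ConfigParser(**kwargs), text).items(SECTION))


def default_parser_crashes(text):
    """True if the default (BasicInterpolation) parser aborts on this text."""
    try:
        load_properties(text, literal_percent=False)
    except configparser.InterpolationError:
        return True
    return False


def keys_breaking_interpolation(text):
    """Pre-flight check: name the offending keys without echoing their values."""
    parser = _read(configparser.ConfigParser(), text)
    bad = []
    for key in parser.options(SECTION):
        try:
            parser.get(SECTION, key)
        except configparser.InterpolationError:
            bad.append(key)  # the exception text contains the value; drop it
    return bad


if __name__ == "__main__":
    print("default parser crashes:", default_parser_crashes(SAMPLE))
    print("keys to fix:", keys_breaking_interpolation(SAMPLE))
    print("keys parsed literally:", sorted(load_properties(SAMPLE)))
```

Disabling interpolation also changes how an already-escaped `%%` is read: the default parser returns it as a single `%`, while `interpolation=None` returns both characters, so existing files that used the escape need checking when the parser is switched.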