Bug 1063888 - The add-user script displays incorrect password information for the help argument
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Scripts and Commands
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR6
Target Release: EAP 6.3.0
Assignee: Darran Lofthouse
QA Contact: Petr Kremensky
Docs Contact: Russell Dickenson
Blocks: 1063861
Reported: 2014-02-11 15:26 UTC by sgilda
Modified: 2014-06-28 15:24 UTC (History)

Doc Text:
In previous versions of JBoss EAP 6, the help output for the `add-user` utility only displayed a single restriction pertaining to passwords (that they not be the same as the username). This could cause confusion when adding new users, as there is more than one restriction in place to ensure valid passwords are used. In this release of the product, the single restriction has been removed from the help text. It now appears, along with other applicable restrictions, in messages displayed when using interactive mode.
Last Closed: 2014-06-28 15:24:55 UTC


External Trackers
JBoss Issue Tracker WFLY-3125 (Priority: Major; Status: Resolved; Last Updated: 2015-06-13 00:56:14 UTC)
Summary: Update help text for add-user to reflect that password is checked against the configured policy.

Description sgilda 2014-02-11 15:26:29 UTC
Description of problem:

The following is displayed when you type: $ bin/add-user.sh --help

Usage: ./add-user.sh [args...]
where args include:
    -a                                  If set add an application user instead 
                                        of a management user

    -dc <value>                         Define the location of the domain 
                                        config directory.

    -sc <value>                         Define the location the server config 
                                        directory.

    -up, --user-properties <value>      The file name of the user properties 
                                        file which can be an absolute path.

    -g, --group <value>                 Comma-separated list of groups for the 
                                        user.

    -gp, --group-properties <value>     The file name of the group properties 
                                        file which can be an absolute path. (If 
                                        group properties is specified then user 
                                        properties MUST also be specified).

    -p, --password <value>              Password of the user. Should not be 
                                        same as the username

    -u, --user <value>                  Name of the user

    -r, --realm <value>                 Name of the realm used to secure the 
                                        management interfaces (default is 
                                        "ManagementRealm")

    -s, --silent                        Activate the silent mode (no output to 
                                        the console)

    -h, --help                          Display this message and exit


The information for password is not correct. The username can only contain alphanumeric characters, so the password can never match it. 

A better usage description for password might be:

It must contain at least 8 characters.
It must contain at least one alphabetic character.
It must contain at least one digit.
It must contain at least one non-alphanumeric symbol.

And for user:

It must only contain alphanumeric characters.

See related Bugzilla 1063639.


Comment 1 Darran Lofthouse 2014-02-11 15:53:07 UTC
I am going to ack this from the perspective of adding a little more information to the help output.

The requirements are actually calculated after reading a configuration file so not entirely sure if we should output the exact requirements in the help text but this text should at least reflect information on how we will decide what enforcements to make.

Comment 2 Petr Kremensky 2014-02-11 15:57:19 UTC
I'll ask people around security whether these are the correct requirements for user/password.

Comment 4 Darran Lofthouse 2014-03-18 13:33:04 UTC
Re-working as EAP does not actually have a configurable password policy.

Comment 5 Darran Lofthouse 2014-03-18 13:49:26 UTC
Follow up pull request submitted: -
  https://github.com/jbossas/jboss-eap/pull/1078

But do also note - 

At this point I have removed any output describing "requirements", within EAP the requirements are not configurable so it is potentially possible to update the error message with the statically defined requirements however to do the same would be much more complex upstream as the configuration has to be analysed which is something that does not happen at the time the message is output.  This would be a problem meeting our upstream first requirement and also an issue maintaining the behaviour if we port the configuration feature to EAP.

As a second point, users always have the option to use interactive mode if they want a guided experience, in that mode we will be showing all of the requirements at once.

Comment 7 Petr Kremensky 2014-03-31 07:00:55 UTC
Verified on EAP 6.3.0.DR6.

All password requirements were removed from help message.

Rest of issue is covered by BZ928486 - Requirements for password should be shown at once
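
Because the help text no longer lists the password restrictions, a non-interactive caller can check a credential pair before invoking add-user.sh and see every violation at once. The following is an added example, not part of the original report or of the EAP scripts; the function name check_add_user_credentials is hypothetical, and the rules are the ones proposed in the description, which the thread does not confirm as the exact checks add-user applies.

```shell
#!/bin/sh
# Added example: pre-check a username/password pair against the restrictions
# listed in this report before a non-interactive add-user.sh run.
# Assumption: these rules are the ones proposed in the description; the thread
# does not confirm them as the exact checks add-user performs.

# check_add_user_credentials USER PASSWORD   (hypothetical helper name)
# Prints every violated restriction, one per line, so all are seen at once.
# Returns 0 when nothing is violated, 1 otherwise.
check_add_user_credentials() {
    user=$1
    password=$2
    failed=0

    # User: only alphanumeric characters (an empty name is rejected too).
    case $user in
        ''|*[!A-Za-z0-9]*)
            echo "user: must only contain alphanumeric characters"; failed=1 ;;
    esac

    # Password: should not be the same as the username (old help text).
    if [ "$password" = "$user" ]; then
        echo "password: should not be the same as the username"; failed=1
    fi
    # Password: at least 8 characters.
    if [ "${#password}" -lt 8 ]; then
        echo "password: must contain at least 8 characters"; failed=1
    fi
    # Password: at least one alphabetic character.
    case $password in
        *[A-Za-z]*) ;;
        *) echo "password: must contain at least one alphabetic character"; failed=1 ;;
    esac
    # Password: at least one digit.
    case $password in
        *[0-9]*) ;;
        *) echo "password: must contain at least one digit"; failed=1 ;;
    esac
    # Password: at least one non-alphanumeric symbol.
    case $password in
        *[!A-Za-z0-9]*) ;;
        *) echo "password: must contain at least one non-alphanumeric symbol"; failed=1 ;;
    esac

    return "$failed"
}

# Usage sketch (flags as shown in the help output above):
#   check_add_user_credentials "$u" "$p" && bin/add-user.sh -s -u "$u" -p "$p"
```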

Comment 8 Scott Mumford 2014-04-24 02:10:41 UTC
Refactored release note text and marked for inclusion in the documentation.

Comment 9 sgilda 2014-05-12 20:09:40 UTC
Changed <literal></literal> tags in Doc Text to ticks (`) to fix Bug 1096865

