Bug 1017267
Summary: | Plaintext user passwords in async_tasks database | |
---|---|---|---|
Product: | [Retired] oVirt | Reporter: | Alexander Ludas <a.ludas>
Component: | ovirt-engine-core | Assignee: | Ravi Nori <rnori>
Status: | CLOSED CURRENTRELEASE | QA Contact: | bugs <bugs>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 3.3 | CC: | acathrow, a.ludas, bazulay, iheim, rnori, sbonazzo, yeylon
Target Milestone: | --- | |
Target Release: | 3.3.3 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | infra | |
Fixed In Version: | ovirt-3.3.3-beta1 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-02-14 09:56:49 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
Alexander Ludas
2013-10-09 14:11:36 UTC
I have tried to reproduce the scenario with AD user yair_group_member, I was unable to see any password in the query result as stated in the bug description. While exporting my VM that had 1 nic and 2 disks, 1 with Thin Provisioning and the other pre-allocated, both sizes are 1GB, I had run the query:

```
engine_1017267=> select action_parameters from async_tasks;
 action_parameters
------------------------------------------------------------------------
 { +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters", +
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb" +
   } ], +
   "parametersCurrentUser" : { +
     "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
     } ], +
     "externalId" : { +
       "bytes" : "V5RFn+FrQBW8r5pharoGxg==" +
     }, +
     "domain" : "qa.lab.tlv.redhat.com", +
     "loginName" : "yair_group_member", +
     "firstName" : "yair_group_member", +
     "lastName" : null, +
     "department" : null, +
     "role" : "", +
     "email" : null, +
     "note" : "", +
     "status" : 1, +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
     "groupIds" : "00000000-0000-0000-0000-000000000000", +
     "admin" : true, +
     "ldapStatus" : "Active", +
     "group" : false +
   }, +
   "compensationEnabled" : false, +
   "parentCommand" : "Unknown", +
   "commandType" : "ExportVm", +
   "multipleAction" : true, +
   "entityInfo" : { +
     "type" : "VM", +
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
     } ] +
   }, +
   "taskGroupSuccess" : true, +
   "vdsmTaskIds" : null, +
   "executionIndex" : 0, +
   "correlationId" : "79a3c8f9", +
   "jobId" : null, +
   "stepId" : null, +
   "vdsId" : null, +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "00000000-0000-0000-0000-000000000000" +
   } ], +
   "forceDelete" : false, +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073" +
   } ], +
   "isInternal" : false, +
   "quotaId" : null, +
   "imageToDestinationDomainMap" : null, +
   "importAsNewEntity" : false, +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
   } ], +
   "templateMustExists" : true, +
   "forceOverride" : false, +
   "copyCollapse" : false, +
   "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined", +
   "shouldBeLogged" : true, +
   "transactionScopeOption" : "Required", +
   "executionReason" : "REGULAR_FLOW" +
 }
 { +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters", +
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb" +
   } ], +
   "parametersCurrentUser" : { +
     "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
     } ], +
     "externalId" : { +
       "bytes" : "V5RFn+FrQBW8r5pharoGxg==" +
     }, +
     "domain" : "qa.lab.tlv.redhat.com", +
     "loginName" : "yair_group_member", +
     "firstName" : "yair_group_member", +
     "lastName" : null, +
     "department" : null, +
     "role" : "", +
     "email" : null, +
     "note" : "", +
     "status" : 1, +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
     "groupIds" : "00000000-0000-0000-0000-000000000000", +
     "admin" : true, +
     "ldapStatus" : "Active", +
     "group" : false +
   }, +
   "compensationEnabled" : false, +
   "parentCommand" : "Unknown", +
   "commandType" : "ExportVm", +
   "multipleAction" : true, +
   "entityInfo" : { +
     "type" : "VM", +
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
     } ] +
   }, +
   "taskGroupSuccess" : true, +
   "vdsmTaskIds" : null, +
   "executionIndex" : 0, +
   "correlationId" : "79a3c8f9", +
   "jobId" : null, +
   "stepId" : null, +
   "vdsId" : null, +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "00000000-0000-0000-0000-000000000000" +
   } ], +
   "forceDelete" : false, +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073" +
   } ], +
   "isInternal" : false, +
   "quotaId" : null, +
   "imageToDestinationDomainMap" : null, +
   "importAsNewEntity" : false, +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
   } ], +
   "templateMustExists" : true, +
   "forceOverride" : false, +
   "copyCollapse" : false, +
   "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined", +
   "shouldBeLogged" : true, +
   "transactionScopeOption" : "Required", +
   "executionReason" : "REGULAR_FLOW" +
 }
(2 rows)
```

Your output has a lot more attributes than mine.

```
 action_parameters
----------------------------------------------------------------------
 { +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "c8b3e644-238a-443d-b96b-cd3a7b256fd7" +
   } ], +
   "parametersCurrentUser" : { +
     "groupIds" : "", +
     "admin" : true, +
     "domainControler" : "example.com", +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "78a77a90-0a81-4dcd-acf7-06abcbdba1a5" +
     } ], +
     "groupNames" : "", +
     "firstName" : "Alexander", +
     "surName" : "Ludas", +
     "fqn" : "aludas", +
     "userName" : "aludas", +
     "password" : "PLAINTEXTPASSWORD" +
   }, +
   "compensationEnabled" : false, +
   "parentCommand" : "Unknown", +
   "commandType" : "ExportVm", +
   "multipleAction" : true, +
   "entityInfo" : { +
     "type" : "VM", +
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1" +
     } ] +
   }, +
   "taskGroupSuccess" : true, +
   "vdsmTaskIds" : null, +
   "executionIndex" : 0, +
   "correlationId" : "42651919", +
   "jobId" : null, +
   "stepId" : null, +
   "vdsId" : null, +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "00000000-0000-0000-0000-000000000000" +
   } ], +
   "forceDelete" : false, +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "f1e164fa-2161-49ba-8d6c-930ed0b81a6e" +
   } ], +
   "isInternal" : false, +
   "quotaId" : null, +
   "imageToDestinationDomainMap" : null, +
   "importAsNewEntity" : false, +
   "forceOverride" : true, +
   "copyCollapse" : true, +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1" +
   } ], +
   "templateMustExists" : false, +
   "transactionScopeOption" : "Required", +
   "shouldBeLogged" : true, +
   "executionReason" : "REGULAR_FLOW", +
   "sessionId" : "RL+UV2Taq6JgJng8BK0Dzlws.undefined" +
 }
(1 row)
```

Just for comparison the parametersCurrentUser attribute when I export with the admin@internal user:

```
   "parametersCurrentUser" : { +
     "groupIds" : "", +
     "admin" : true, +
     "domainControler" : "internal", +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "fdfc627c-d875-11e0-90f0-83df133b58cc" +
     } ], +
     "groupNames" : "", +
     "firstName" : "admin", +
     "surName" : null, +
     "fqn" : "admin@internal", +
     "userName" : "admin@internal", +
     "password" : null +
   }, +
```

As you can see the password is shown as null and I would expect the same behavior with an AD authenticated user.

```
[root@ovirt1 ~]# rpm -qa | grep ovirt-engine
ovirt-engine-sdk-python-3.3.0.6-1.fc19.noarch
ovirt-engine-lib-3.3.0.1-1.fc19.noarch
ovirt-engine-tools-3.3.0.1-1.fc19.noarch
ovirt-engine-3.3.0.1-1.fc19.noarch
ovirt-engine-backend-3.3.0.1-1.fc19.noarch
ovirt-engine-websocket-proxy-3.3.0.1-1.fc19.noarch
ovirt-engine-dbscripts-3.3.0.1-1.fc19.noarch
ovirt-engine-cli-3.3.0.4-1.fc19.noarch
ovirt-engine-restapi-3.3.0.1-1.fc19.noarch
ovirt-engine-webadmin-portal-3.3.0.1-1.fc19.noarch
ovirt-engine-setup-3.3.0.1-1.fc19.noarch
ovirt-engine-userportal-3.3.0.1-1.fc19.noarch
```

I authenticate against a Samba 4.1.0 domain (self-compiled, CentOS 6.4) with the ActiveDirectory provider. I will check tomorrow if it behaves the same way against a new Windows Domain (2008r2). But nevertheless a password should never appear in plaintext.

Got the same result with the native Windows domain (2008r2). Password appears in plaintext.

I saw some changes made to the related user data in commit 777ec447c33c631b73c2c5381d18c767c2b7647f. However, doing the check again on a branch with the commit just before the above generated a more similar result as reported, but still w/o the password field:

```
engine_plaintextpasswd=> select action_parameters from async_tasks;
 action_parameters
----------------------------------------------------------------------
 { +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942" +
   } ], +
   "parametersCurrentUser" : { +
     "groupIds" : "00000000-0000-0000-0000-000000000000", +
     "userName" : "yair_group_member", +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
     } ], +
     "domainControler" : "qa.lab.tlv.redhat.com", +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
     "firstName" : "yair_group_member", +
     "surName" : null, +
     "admin" : true +
   }, +
   "compensationEnabled" : false, +
   "parentCommand" : "Unknown", +
   "commandType" : "ExportVm", +
   "multipleAction" : true, +
   "entityInfo" : { +
     "type" : "VM", +
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
     } ] +
   }, +
   "taskGroupSuccess" : true, +
   "vdsmTaskIds" : null, +
   "executionIndex" : 0, +
   "correlationId" : "49fd614d", +
   "jobId" : null, +
   "stepId" : null, +
   "vdsId" : null, +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "00000000-0000-0000-0000-000000000000" +
   } ], +
   "forceDelete" : false, +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33" +
   } ], +
   "isInternal" : false, +
   "quotaId" : null, +
   "imageToDestinationDomainMap" : null, +
   "importAsNewEntity" : false, +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
   } ], +
   "copyCollapse" : false, +
   "templateMustExists" : true, +
   "forceOverride" : false, +
   "shouldBeLogged" : true, +
   "executionReason" : "REGULAR_FLOW", +
   "transactionScopeOption" : "Required", +
   "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined" +
 }
 { +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942" +
   } ], +
   "parametersCurrentUser" : { +
     "groupIds" : "00000000-0000-0000-0000-000000000000", +
     "userName" : "yair_group_member", +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
     } ], +
     "domainControler" : "qa.lab.tlv.redhat.com", +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
     "firstName" : "yair_group_member", +
     "surName" : null, +
     "admin" : true +
   }, +
   "compensationEnabled" : false, +
   "parentCommand" : "Unknown", +
   "commandType" : "ExportVm", +
   "multipleAction" : true, +
   "entityInfo" : { +
     "type" : "VM", +
     "id" : [ "org.ovirt.engine.core.compat.Guid", { +
       "uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
     } ] +
   }, +
   "taskGroupSuccess" : true, +
   "vdsmTaskIds" : null, +
   "executionIndex" : 0, +
   "correlationId" : "49fd614d", +
   "jobId" : null, +
   "stepId" : null, +
   "vdsId" : null, +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "00000000-0000-0000-0000-000000000000" +
   } ], +
   "forceDelete" : false, +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33" +
   } ], +
   "isInternal" : false, +
   "quotaId" : null, +
   "imageToDestinationDomainMap" : null, +
   "importAsNewEntity" : false, +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
     "uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
   } ], +
   "copyCollapse" : false, +
   "templateMustExists" : true, +
   "forceOverride" : false, +
   "shouldBeLogged" : true, +
   "executionReason" : "REGULAR_FLOW", +
   "transactionScopeOption" : "Required", +
   "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined" +
 }
```

Did you do the export VM through the webadmin or RestAPI?

Webadmin

Created attachment 814911 [details]
Engine answer file
Created attachment 814913 [details]
Kickstart EL6 (C6.4)
Did a clean install in an isolated env with the same results. There are only 2 things that might differ from other installs:
1. selinux off by default
2. firewall off by default

Steps to reproduce:
1. Kickstart VM for engine (see attached ks file)
2. engine-setup --config-append=engine-answers.txt
3. engine-manage-domains -action=add -provider=ActiveDirectory \
   -domain=testdom.local -user=ovirt -passwordFile=passwd.txt
4. Restart engine, login to webadmin as admin and grant rights to a domain user
5. Add host
6. Create VM with preallocated disk and check async_tasks table during disk creation

Moving target release to 3.3.2 since it's not fixed in 3.3.1 and not considered blocking.

Re-targeting to 3.3.3 since the bug is not resolved in 3.3.2 beta and is not blocking 3.3.2 release tracker (bug #1027349)

This is a 3.3 only issue, the problem has been fixed by directory refactoring in current master (3.4)

Closing as 3.3.3 has been released.
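
A check for the condition reported in this bug, added here as an example (it is not part of the original report or of oVirt's code): it takes psql output of `select action_parameters from async_tasks`, removes the trailing `+` wrap markers, decodes each row, and lists where a password-like key holds a non-null value without echoing the value. The sample rows, the `PLACEHOLDER` value and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like the psql output quoted above; values are placeholders.
SAMPLE_PSQL = '''
 action_parameters
-------------------
 {                                    +
   "parametersCurrentUser" : {        +
     "userName" : "user1",            +
     "password" : "PLACEHOLDER"       +
   }                                  +
 }
 {                                    +
   "parametersCurrentUser" : {        +
     "userName" : "admin@internal",   +
     "password" : null                +
   }                                  +
 }
(2 rows)
'''

SECRET_KEY = re.compile(r"passw(or)?d", re.I)

def rows_from_psql(text):
    """Strip psql's trailing '+' wrap markers, then decode each JSON row."""
    blob = "\n".join(re.sub(r"\s*\+\s*$", "", ln) for ln in text.splitlines())
    decoder, rows, pos = json.JSONDecoder(), [], blob.find("{")
    while pos != -1:
        obj, end = decoder.raw_decode(blob, pos)
        rows.append(obj)
        pos = blob.find("{", end)
    return rows

def find_secrets(node, path="$"):
    """Yield the path of each password-like key whose value is set."""
    if isinstance(node, dict):
        for key, val in node.items():
            if SECRET_KEY.search(key) and val not in (None, ""):
                yield f"{path}.{key}"
            else:
                yield from find_secrets(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from find_secrets(val, f"{path}[{i}]")

def audit(text):
    """Return (row index, userName, path) per finding; the value is never returned."""
    return [(i, (r.get("parametersCurrentUser") or {}).get("userName"), p)
            for i, r in enumerate(rows_from_psql(text)) for p in find_secrets(r)]
```

An empty list from `audit()` corresponds to the `"password" : null` behaviour shown for admin@internal in the thread.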