| Summary: | Plaintext user passwords in async_tasks database | | |
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Alexander Ludas <a.ludas> |
| Component: | ovirt-engine-core | Assignee: | Ravi Nori <rnori> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | bugs <bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.3 | CC: | acathrow, a.ludas, bazulay, iheim, rnori, sbonazzo, yeylon |
| Target Milestone: | --- | | |
| Target Release: | 3.3.3 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | infra | | |
| Fixed In Version: | ovirt-3.3.3-beta1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-02-14 09:56:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Alexander Ludas
2013-10-09 14:11:36 UTC
I have tried to reproduce the scenario with AD user yair_group_member; I was unable to see any password in the query result as stated in the bug description.
While exporting my VM, which had 1 NIC and 2 disks (one with thin provisioning and the other preallocated, both 1 GB in size), I ran the query:
engine_1017267=> select action_parameters from async_tasks;
action_parameters
------------------------------------------------------------------------
{ +
"@class" : "org.ovirt.engine.core.common.action.MoveVmParameters", +
"commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb" +
} ], +
"parametersCurrentUser" : { +
"@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
} ], +
"externalId" : { +
"bytes" : "V5RFn+FrQBW8r5pharoGxg==" +
}, +
"domain" : "qa.lab.tlv.redhat.com", +
"loginName" : "yair_group_member", +
"firstName" : "yair_group_member", +
"lastName" : null, +
"department" : null, +
"role" : "", +
"email" : null, +
"note" : "", +
"status" : 1, +
"groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
"groupIds" : "00000000-0000-0000-0000-000000000000", +
"admin" : true, +
"ldapStatus" : "Active", +
"group" : false +
}, +
"compensationEnabled" : false, +
"parentCommand" : "Unknown", +
"commandType" : "ExportVm", +
"multipleAction" : true, +
"entityInfo" : { +
"type" : "VM", +
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
} ] +
}, +
"taskGroupSuccess" : true, +
"vdsmTaskIds" : null, +
"executionIndex" : 0, +
"correlationId" : "79a3c8f9", +
"jobId" : null, +
"stepId" : null, +
"vdsId" : null, +
"storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "00000000-0000-0000-0000-000000000000" +
} ], +
"forceDelete" : false, +
"storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073" +
} ], +
"isInternal" : false, +
"quotaId" : null, +
"imageToDestinationDomainMap" : null, +
"importAsNewEntity" : false, +
"containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
} ], +
"templateMustExists" : true, +
"forceOverride" : false, +
"copyCollapse" : false, +
"sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined", +
"shouldBeLogged" : true, +
"transactionScopeOption" : "Required", +
"executionReason" : "REGULAR_FLOW" +
}
{ +
"@class" : "org.ovirt.engine.core.common.action.MoveVmParameters", +
"commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb" +
} ], +
"parametersCurrentUser" : { +
"@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
} ], +
"externalId" : { +
"bytes" : "V5RFn+FrQBW8r5pharoGxg==" +
}, +
"domain" : "qa.lab.tlv.redhat.com", +
"loginName" : "yair_group_member", +
"firstName" : "yair_group_member", +
"lastName" : null, +
"department" : null, +
"role" : "", +
"email" : null, +
"note" : "", +
"status" : 1, +
"groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
"groupIds" : "00000000-0000-0000-0000-000000000000", +
"admin" : true, +
"ldapStatus" : "Active", +
"group" : false +
}, +
"compensationEnabled" : false, +
"parentCommand" : "Unknown", +
"commandType" : "ExportVm", +
"multipleAction" : true, +
"entityInfo" : { +
"type" : "VM", +
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
} ] +
}, +
"taskGroupSuccess" : true, +
"vdsmTaskIds" : null, +
"executionIndex" : 0, +
"correlationId" : "79a3c8f9", +
"jobId" : null, +
"stepId" : null, +
"vdsId" : null, +
"storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "00000000-0000-0000-0000-000000000000" +
} ], +
"forceDelete" : false, +
"storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073" +
} ], +
"isInternal" : false, +
"quotaId" : null, +
"imageToDestinationDomainMap" : null, +
"importAsNewEntity" : false, +
"containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05" +
} ], +
"templateMustExists" : true, +
"forceOverride" : false, +
"copyCollapse" : false, +
"sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined", +
"shouldBeLogged" : true, +
"transactionScopeOption" : "Required", +
"executionReason" : "REGULAR_FLOW" +
}
(2 rows)
Your output has a lot more attributes than mine.
action_parameters
----------------------------------------------------------------------
{ +
"@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
"commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "c8b3e644-238a-443d-b96b-cd3a7b256fd7" +
} ], +
"parametersCurrentUser" : { +
"groupIds" : "", +
"admin" : true, +
"domainControler" : "example.com", +
"userId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "78a77a90-0a81-4dcd-acf7-06abcbdba1a5" +
} ], +
"groupNames" : "", +
"firstName" : "Alexander", +
"surName" : "Ludas", +
"fqn" : "aludas", +
"userName" : "aludas", +
"password" : "PLAINTEXTPASSWORD" +
}, +
"compensationEnabled" : false, +
"parentCommand" : "Unknown", +
"commandType" : "ExportVm", +
"multipleAction" : true, +
"entityInfo" : { +
"type" : "VM", +
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "3c376686-4add-444d-91c0-3971d2696ae1" +
} ] +
}, +
"taskGroupSuccess" : true, +
"vdsmTaskIds" : null, +
"executionIndex" : 0, +
"correlationId" : "42651919", +
"jobId" : null, +
"stepId" : null, +
"vdsId" : null, +
"storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "00000000-0000-0000-0000-000000000000" +
} ], +
"forceDelete" : false, +
"storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "f1e164fa-2161-49ba-8d6c-930ed0b81a6e" +
} ], +
"isInternal" : false, +
"quotaId" : null, +
"imageToDestinationDomainMap" : null, +
"importAsNewEntity" : false, +
"forceOverride" : true, +
"copyCollapse" : true, +
"containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "3c376686-4add-444d-91c0-3971d2696ae1" +
} ], +
"templateMustExists" : false, +
"transactionScopeOption" : "Required", +
"shouldBeLogged" : true, +
"executionReason" : "REGULAR_FLOW", +
"sessionId" : "RL+UV2Taq6JgJng8BK0Dzlws.undefined" +
}
(1 row)
Just for comparison, the parametersCurrentUser attribute when I export with the admin@internal user:
"parametersCurrentUser" : { +
"groupIds" : "", +
"admin" : true, +
"domainControler" : "internal", +
"userId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "fdfc627c-d875-11e0-90f0-83df133b58cc" +
} ], +
"groupNames" : "", +
"firstName" : "admin", +
"surName" : null, +
"fqn" : "admin@internal", +
"userName" : "admin@internal", +
"password" : null +
}, +
As you can see, the password is shown as null, and I would expect the same behavior with an AD authenticated user.
[root@ovirt1 ~]# rpm -qa | grep ovirt-engine
ovirt-engine-sdk-python-3.3.0.6-1.fc19.noarch
ovirt-engine-lib-3.3.0.1-1.fc19.noarch
ovirt-engine-tools-3.3.0.1-1.fc19.noarch
ovirt-engine-3.3.0.1-1.fc19.noarch
ovirt-engine-backend-3.3.0.1-1.fc19.noarch
ovirt-engine-websocket-proxy-3.3.0.1-1.fc19.noarch
ovirt-engine-dbscripts-3.3.0.1-1.fc19.noarch
ovirt-engine-cli-3.3.0.4-1.fc19.noarch
ovirt-engine-restapi-3.3.0.1-1.fc19.noarch
ovirt-engine-webadmin-portal-3.3.0.1-1.fc19.noarch
ovirt-engine-setup-3.3.0.1-1.fc19.noarch
ovirt-engine-userportal-3.3.0.1-1.fc19.noarch
I authenticate against a Samba 4.1.0 domain (self-compiled, CentOS 6.4) with the ActiveDirectory provider. I will check tomorrow if it behaves the same way against a new Windows Domain (2008r2). But nevertheless a password should never appear in plaintext.
Got the same result with the native Windows domain (2008r2). Password appears in plaintext.

I saw some changes made to the related user data in commit 777ec447c33c631b73c2c5381d18c767c2b7647f

However, doing the check again on a branch with the commit just before the above generated a result more similar to the one reported, but still w/o the password field:
engine_plaintextpasswd=> select action_parameters from async_tasks;
action_parameters
----------------------------------------------------------------------
{ +
"@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
"commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942" +
} ], +
"parametersCurrentUser" : { +
"groupIds" : "00000000-0000-0000-0000-000000000000", +
"userName" : "yair_group_member", +
"userId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
} ], +
"domainControler" : "qa.lab.tlv.redhat.com", +
"groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
"firstName" : "yair_group_member", +
"surName" : null, +
"admin" : true +
}, +
"compensationEnabled" : false, +
"parentCommand" : "Unknown", +
"commandType" : "ExportVm", +
"multipleAction" : true, +
"entityInfo" : { +
"type" : "VM", +
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
} ] +
}, +
"taskGroupSuccess" : true, +
"vdsmTaskIds" : null, +
"executionIndex" : 0, +
"correlationId" : "49fd614d", +
"jobId" : null, +
"stepId" : null, +
"vdsId" : null, +
"storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "00000000-0000-0000-0000-000000000000" +
} ], +
"forceDelete" : false, +
"storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33" +
} ], +
"isInternal" : false, +
"quotaId" : null, +
"imageToDestinationDomainMap" : null, +
"importAsNewEntity" : false, +
"containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
} ], +
"copyCollapse" : false, +
"templateMustExists" : true, +
"forceOverride" : false, +
"shouldBeLogged" : true, +
"executionReason" : "REGULAR_FLOW", +
"transactionScopeOption" : "Required", +
"sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined" +
}
{ +
"@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
"commandId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942" +
} ], +
"parametersCurrentUser" : { +
"groupIds" : "00000000-0000-0000-0000-000000000000", +
"userName" : "yair_group_member", +
"userId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6" +
} ], +
"domainControler" : "qa.lab.tlv.redhat.com", +
"groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group", +
"firstName" : "yair_group_member", +
"surName" : null, +
"admin" : true +
}, +
"compensationEnabled" : false, +
"parentCommand" : "Unknown", +
"commandType" : "ExportVm", +
"multipleAction" : true, +
"entityInfo" : { +
"type" : "VM", +
"id" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
} ] +
}, +
"taskGroupSuccess" : true, +
"vdsmTaskIds" : null, +
"executionIndex" : 0, +
"correlationId" : "49fd614d", +
"jobId" : null, +
"stepId" : null, +
"vdsId" : null, +
"storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "00000000-0000-0000-0000-000000000000" +
} ], +
"forceDelete" : false, +
"storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33" +
} ], +
"isInternal" : false, +
"quotaId" : null, +
"imageToDestinationDomainMap" : null, +
"importAsNewEntity" : false, +
"containerId" : [ "org.ovirt.engine.core.compat.Guid", { +
"uuid" : "353da209-dfb3-40e8-b7da-380865750852" +
} ], +
"copyCollapse" : false, +
"templateMustExists" : true, +
"forceOverride" : false, +
"shouldBeLogged" : true, +
"executionReason" : "REGULAR_FLOW", +
"transactionScopeOption" : "Required", +
"sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined" +
}
Did you do the export VM through the webadmin or RestAPI?

Webadmin

Created attachment 814911
Engine answer file

Created attachment 814913
Kickstart EL6 (C6.4)
Did a clean install in an isolated env with the same results. There are only 2 things that might differ from other installs:
1. selinux off by default
2. firewall off by default

Steps to reproduce:
1. Kickstart VM for engine (see attached ks file)
2. engine-setup --config-append=engine-answers.txt
3. engine-manage-domains -action=add -provider=ActiveDirectory \
   -domain=testdom.local -user=ovirt -passwordFile=passwd.txt
4. Restart engine, login to webadmin as admin and grant rights to a domain user
5. Add host
6. Create VM with preallocated disk and check async_tasks table during disk creation

Moving target release to 3.3.2 since it's not fixed in 3.3.1 and not considered blocking.

Re-targeting to 3.3.3 since the bug is not resolved in 3.3.2 beta and is not blocking 3.3.2 release tracker (bug #1027349)

This is a 3.3 only issue, the problem has been fixed by directory refactoring in current master (3.4)

Closing as 3.3.3 has been released.
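
An audit check for the condition reported in this bug, added here as an example and not taken from the report or from oVirt's code: it parses psql output of `select action_parameters from async_tasks` (wrapped lines ending in `+`) and lists where a credential-named field holds a value, without echoing the value. The function names, the extra key names beyond `password`, and the sample rows are assumptions constructed for illustration.

```python
import json
import re

# "password" is the field from this report; the other names are assumptions.
SECRET_KEYS = re.compile(r"password|passwd|secret|token", re.IGNORECASE)

def parse_rows(text):
    """Rebuild JSON documents from psql output whose wrapped lines end in '+'."""
    body = "\n".join(re.sub(r"\s*\+\s*$", "", ln) for ln in text.splitlines())
    decoder, pos, rows = json.JSONDecoder(), 0, []
    while (start := body.find("{", pos)) >= 0:
        doc, pos = decoder.raw_decode(body, start)
        rows.append(doc)
    return rows

def find_secrets(node, path="$"):
    """Yield JSON paths of secret-named keys that hold a non-empty value."""
    if isinstance(node, dict):
        for key, value in node.items():
            if SECRET_KEYS.search(key) and value not in (None, ""):
                yield f"{path}.{key}"  # report the location, never the value
            else:
                yield from find_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_secrets(value, f"{path}[{i}]")

def audit(text):
    """Return (row_index, json_path) for every populated secret field."""
    return [(i, p) for i, doc in enumerate(parse_rows(text)) for p in find_secrets(doc)]

# Constructed sample in the shape of the output quoted in this report.
SAMPLE = '''\
 action_parameters
-------------------
 {                                        +
   "parametersCurrentUser" : {            +
     "userName" : "aludas",               +
     "password" : "PLAINTEXTPASSWORD"     +
   }                                      +
 }
 {                                        +
   "parametersCurrentUser" : {            +
     "userName" : "admin@internal",       +
     "password" : null                    +
   }                                      +
 }
(2 rows)
'''
```

Calling `audit(SAMPLE)` flags only the first row; the second row, where the field is `null`, passes.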