| Summary: | Do not print username and password to screen during sh foreman_server.sh | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | james labocki <jlabocki> |
| Component: | openstack-foreman-installer | Assignee: | Jason Guiditta <jguiditt> |
| Status: | CLOSED ERRATA | QA Contact: | Omri Hochman <ohochman> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.0 | CC: | ajeain, breeler, dcleal, hateya, jguiditt, jstransk, lsurette, morazi, rhos-maint, yeylon |
| Target Milestone: | rc | ||
| Target Release: | 4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-foreman-installer-0.0.23-1.el6ost | Doc Type: | Known Issue |
| Doc Text: |
The foreman-installer prints a known default user name and password to the console. As a result, because openstack-foreman-installer makes use of foreman-installer, a default user name and password are used, which get printed to the console when running openstack-foreman-installer.
Workaround: You must change the password right after openstack-foreman-installer finishes (the installer prints a link to a page where the password can be changed).
This replaces the password with a new (hidden) one, and anyone attempting to use the displayed password will not have access.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-20 00:37:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1039278 | ||
|
Description
james labocki
2013-11-21 17:40:47 UTC
James - I think I missed the point of this bug. Are we suggesting that this will be in the documentation only? I think it's nice to include the URL to the UI along with the default username and password for users who are just getting started. Is it a security concern? I know there are notices saying that this password should be changed for security reasons if the environment will be kept up and running. Just curious to hear more details.

This happens "by accident" as a consequence of a workaround we added for RHOS 3 (the resetting of the default user account) as there was a bug at the time (RC version of Foreman). However the upstream Foreman installer - when not used via foreman_server.sh - will do this and does print the URL to the UI:

    Success!
    * Foreman is running at https://foreman.example.com
    Default credentials are 'admin:changeme'
    * Foreman Proxy is running at https://foreman.example.com:8443
    * Puppetmaster is running at port 8140
    The full log is at /var/log/foreman-installer/foreman-installer.log

Regarding the security aspect, we're addressing that via bug #979241. I'd recommend we:

- remove the admin account reset, it's not required and could actually reset an existing install
- add a message like the Foreman installer itself does pointing to the UI, but keep the default password printing to the screen as long as it's a well known one (per Kurt's comment in the other BZ)
- review once bug #979241 is implemented

I submitted an upstream pull request with the temporary solution as Dominic suggested. https://github.com/redhat-openstack/astapor/pull/55

Complete resolution is tied to bug #979241 as he pointed out, so I'd say we need to synchronize the Target Release of these two bugs.

Merged upstream

This doc text looks reasonable to me, is anything further needed here?

Hi Jason, nope that was all, just wanted to ensure I had interpreted the original doc text correctly. Thanks.

verified: checked that /usr/share/openstack-foreman-installer/bin/foreman_server.sh has the code changes specified in https://github.com/redhat-openstack/astapor/commit/f1b0f8e8f5d71d36b50b4bf6988e1e4fe3504196.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html