Bug 1128929
Summary: | unable to use encoded property in rhq-server.property | | |
---|---|---|---|
Product: | [JBoss] JBoss Operations Network | Reporter: | Viet Nguyen <vnguyen> |
Component: | Installer | Assignee: | Stefan Negrea <snegrea> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Viet Nguyen <vnguyen> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | JON 3.3.0 | CC: | hrupp, jshaughn, snegrea, spinder, vnguyen |
Target Milestone: | ER02 | | |
Target Release: | JON 3.3.0 | | |
Hardware: | x86_64 | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-12-17 13:47:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1070262 | | |

Description
Viet Nguyen
2014-08-11 21:17:26 UTC
Is "rhq.server.database.**user-name**" a typo above? I do not think that encoded usernames are supported, only the passwords. JON3-40 only talks about passwords not user names. Also Bug 1022289 (GEN-001) only talks about passwords.

And then from using rhq-encode-password, I get the impression that using the form with RESTRICTED in it (like above) is not right for the db-password:

```
snert:rhq-server hrupp$ bin/rhq-encode-password.sh
10:21:48,950 INFO [org.jboss.modules] JBoss Modules version 1.3.0.Final-redhat-2
Password: rhqadmin
Property rhq.autoinstall.server.admin.password [y/n]: n
Property rhq.server.database.password [y/n]: y
10:22:01,529 INFO [org.rhq.enterprise.server.installer.Installer] *** Encoded password for rhq-server.properties:
10:22:01,529 INFO [org.rhq.enterprise.server.installer.Installer] *** rhq.server.database.password=1eeb2f255e832171df8592078de921bc
```

Perhaps I misinterpreted the scope of the feature - the ability to encode arbitrary properties. The wiki describes a broader scope ie "protect sensitive server+agent configuration" https://docs.jboss.org/author/display/RHQ/Protect+Sensitive+Server+And+Agent+Configuration

I agree that the wiki page is confusing. It seems to indicate that lots of things can be encoded when actually only a strict set of values can be, only the ones that need to be for security reasons. At this point the only two I know of that can be preset in the rhq-server.properties are the RDB password and the rhqadmin superuser password. If not encoded and set there in advance, rhqctl will prompt for plain-text values to be entered interactively. There are several other passwords set in the rhq-server.properties file, but they are internal (not user-provided) and generated by us at install-time. I'm asking Stefan to perhaps re-visit that wiki page, but this is not any sort of coding bug.

This is a bug. I need to investigate why the username is not properly decoded at retrieval.

The feature was extended to any arbitrary properties (with a few noted exceptions) because it was free (no additional coding needed).

```
Master

commit 9d3a214da79e48fcad8053b8ee879f05a420862e
Author: Stefan Negrea <snegrea>
Date: Tue Aug 26 12:41:22 2014 -0500

    [BZ 1128929] Update verbiage to clarify what files need to be updated.

Master

commit 269d0566850de6617b185b030df22e4d906b21b8
Author: Stefan Negrea <snegrea>
Date: Tue Aug 26 14:44:54 2014 -0500

    [BZ 1128929] One more revision to clarify that the encode utility can

------------

Release/jon3.3.x

commit 864403d041e10d9e08c31bbb3d30565f7341f98d
Author: Stefan Negrea <snegrea>
Date: Tue Aug 26 12:41:22 2014 -0500

    (cherry picked from commit 9d3a214da79e48fcad8053b8ee879f05a420862e)
    Signed-off-by: Jay Shaughnessy <jshaughn>

Release/jon3.3.x

commit ff5484fbd5325ce90b9c08bbbcdc53c03c5a299e
Author: Stefan Negrea <snegrea>
Date: Tue Aug 26 14:44:54 2014 -0500

    (cherry picked from commit 269d0566850de6617b185b030df22e4d906b21b8)
    Signed-off-by: Jay Shaughnessy <jshaughn>
```

After further investigation, this is not a bug. The obfuscated property from rhq-server.properties is used in two places in standalone-full.xml. When a property from rhq-server.properties is used in the container configuration file, the restricted format needs to be applied in both configuration files. By obfuscating just the property in rhq-server.properties, the container configuration was broken. This detail was not mentioned in the initial documentation or the output of the obfuscation tool.

I updated the wiki with clarifications and examples; I also updated the obfuscation tool with a note regarding this. Also, to reduce confusion, the tool for obfuscation was renamed from rhq-encode-password.[sh|bat] to rhq-encode-value.[sh|bat]. This will make it clear that it can be used now to encode property values, not just passwords.

Will retest in next build

Moving to ON_QA as available for test with the following brew build: https://brewweb.devel.redhat.com//buildinfo?buildID=381194

Summary: The new encode tool name is rhq-encode-value.sh instead of rhq-encode-password.sh (changed in ER02 after DR01 which is initial version reported against). Retest this BZ with that clarification. Leaving this ON_QA.

Detailed: After some investigation and looking at https://bugzilla.redhat.com/show_bug.cgi?id=1128929#c1 and https://bugzilla.redhat.com/show_bug.cgi?id=1128929#c6 it looks like the confusion comes from the fact that the encode tool's name was changed and the documentation did not clarify the change.

### See the following listing of the encode tool for ER0*

```
[spinder@fulliautomatix jon]$ ls -al jon-3.3.0.ER0*/jon-server-3.3.0.ER0*/bin/rhq-encode-*.sh
-rwxr-xr-x. 1 spinder spinder 1310 Aug 19 15:21 jon-3.3.0.ER01/jon-server-3.3.0.ER01/bin/rhq-encode-password.sh
-rwxr-xr-x. 1 spinder spinder 1307 Sep 2 13:03 jon-3.3.0.ER02/jon-server-3.3.0.ER02/bin/rhq-encode-value.sh
-rwxr-xr-x. 1 spinder spinder 1639 Sep 16 14:38 jon-3.3.0.ER03/jon-server-3.3.0.ER03/bin/rhq-encode-value.sh
```

Productized builds did pick up the old and new scripts as expected. Leaving this ON_QA.