Bug 1141181

Summary: rhq.autoinstall.server.admin.password should not be in clear text in console
Product: [JBoss] JBoss Operations Network
Reporter: Jeeva Kandasamy <jkandasa>
Component: Installer
Assignee: John Mazzitelli <mazz>
Status: CLOSED CURRENTRELEASE
QA Contact: Jeeva Kandasamy <jkandasa>
Severity: high
Priority: unspecified
Version: JON 3.3.0
CC: jcosta, jkandasa, jshaughn, mazz
Target Milestone: ER04
Target Release: JON 3.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-12-11 14:02:59 UTC
Type: Bug
Bug Blocks: 1129413

Description Jeeva Kandasamy 2014-09-12 11:50:48 UTC
Description of problem:
A fresh JON installation asks for rhq.autoinstall.server.admin.password on the console. The password is visible while typing, and it is also confirmed in clear text on the console, although it is stored in encrypted format in rhq-server.properties.

----------
[hudson@jeeva-ha3-jxc bin]$ ./rhqctl install
06:58:16,537 INFO  [org.jboss.modules] JBoss Modules version 1.3.3.Final-redhat-1

The [rhq.autoinstall.server.admin.password] property is required but not set in [rhq-server.properties].
Do you want to set [rhq.autoinstall.server.admin.password] value now?
yes|no: yes
rhq.autoinstall.server.admin.password: rhqadmin
Is [rhqadmin] correct?
yes|no:
----------

Version-Release number of selected component (if applicable):
JBoss Operations Network
Version : 3.3.0.ER02
Build Number : 4fbb183:7da54e2
GWT Version : 2.5.0
SmartGWT Version : 3.0p

How reproducible:
always

Steps to Reproduce:
1. leave blank 'rhq.autoinstall.server.admin.password' in rhq-server.properties file
2. execute './rhqctl'

Comment 1 Juraci Paixão Kröhling 2014-09-17 15:19:25 UTC
Jeeva, this is actually working as designed: the password is typed into the installer's console, which doesn't keep a history. So, unless there's some aspect that I'm missing, I'd suggest closing this as "not a bug".

Comment 2 Jeeva Kandasamy 2014-09-18 05:56:45 UTC
In JBoss, while adding a password (e.g. a user password) via the console, it is not visible. I feel it would be good if 'JBoss ON' also had a similar approach, as it is in the JBoss family.

Comment 4 John Mazzitelli 2014-09-18 17:54:04 UTC
I'm going to try to fix this.

Comment 5 John Mazzitelli 2014-09-18 20:53:29 UTC
commit 07151ddb23e6065d5a72ae900b1cbf420b00e27c
Author: John Mazzitelli <mazz>
Date:   Thu Sep 18 16:51:51 2014 -0400

    BZ 1141181 1129413 - don't echo passwords to the console. ask to confirm passwords

Comment 6 John Mazzitelli 2014-09-18 20:55:37 UTC
commit b5b0e2d18e33b921f4bf57454179efd1707f1a9f
Author: John Mazzitelli <mazz>
Date:   Thu Sep 18 16:51:51 2014 -0400

    BZ 1141181 1129413 - don't echo passwords to the console. ask to confirm passwords
    (cherry picked from commit 07151ddb23e6065d5a72ae900b1cbf420b00e27c)

Comment 7 Simeon Pinder 2014-10-01 21:33:25 UTC
Moving to ON_QA as available for test with build:
https://brewweb.devel.redhat.com/buildinfo?buildID=388959

Comment 8 Jeeva Kandasamy 2014-10-07 11:34:54 UTC
Version:
Version : 3.3.0.ER04
Build Number : 99d2107:d7c537e
GWT Version : 2.5.0
SmartGWT Version : 3.0p

The password is invisible, as expected. But if we enter a different password and confirm password, it should report an error message. BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1150064
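
The behaviour this bug asks for (no echo while typing, confirmation by a second hidden entry, an error on mismatch), as an added Java example that is not the RHQ installer's code. The class name, prompt wording and retry limit are assumptions.

```java
import java.io.Console;
import java.util.Arrays;

// Added example, not RHQ code: class name, prompts and retry limit are assumptions.
public class PasswordPrompt {

    /** Prompts twice without echo; returns the password or throws after maxAttempts failures. */
    static char[] promptForPassword(String propertyName, int maxAttempts) {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (stdin piped or redirected). Fail closed instead of
            // falling back to a plain reader, which would echo the secret.
            throw new IllegalStateException(
                "No console available; set [" + propertyName + "] in the properties file");
        }
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            // readPassword disables terminal echo and returns char[] rather than String.
            char[] first = console.readPassword("%s: ", propertyName);
            char[] second = console.readPassword("Confirm %s: ", propertyName);
            if (first == null || second == null) { // end of input stream
                wipe(first);
                wipe(second);
                throw new IllegalStateException("Input closed before a password was entered");
            }
            boolean match = first.length > 0 && Arrays.equals(first, second);
            wipe(second);
            if (match) {
                return first; // caller is responsible for wiping after use
            }
            wipe(first);
            // Report the problem without printing either value back to the screen.
            console.printf("Values are empty or do not match, try again.%n");
        }
        throw new IllegalStateException("Too many failed attempts for [" + propertyName + "]");
    }

    /** Overwrites the buffer so the clear-text value does not linger on the heap. */
    static void wipe(char[] secret) {
        if (secret != null) Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) {
        char[] password = promptForPassword("rhq.autoinstall.server.admin.password", 3);
        try {
            System.out.println("Password accepted (value not shown).");
        } finally {
            wipe(password);
        }
    }
}
```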