Bug 1240667

Summary: openstack_neutron does not obscure passwords, secrets etc.
Product: Red Hat OpenStack Reporter: Lee Yarwood <lyarwood>
Component: sosAssignee: Lee Yarwood <lyarwood>
Status: CLOSED ERRATA QA Contact: Ofer Blaut <oblaut>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: agk, akaiser, bmr, gavin, jherrman, jkulina, jschluet, oblaut, pkshiras, plambri, pmoravec, qe-baseos-apps, sbradley, yeylon
Target Milestone: ga   
Target Release: 7.0 (Kilo)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sos-3.2-16.el7ost.2 Doc Type: Bug Fix
Doc Text:
Previously, various OpenStack plug-ins for the sosreport utility were incorrectly collecting passwords in plain text. As a consequence, the compressed file created after using sosreport could contain human-readable passwords. This update adds obfuscation of all passwords to sosreport OpenStack plug-ins, and the affected passwords in the sosreport tarball are no longer human-readable.
 Story Points: ---
Clone Of: 1240666 Environment:
Last Closed: 2015-08-05 13:29:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1240666    
Bug Blocks:    

Description Lee Yarwood 2015-07-07 13:06:37 UTC 
+++ This bug was initially created as a clone of Bug #1240666 +++

Description of problem:
openstack_neutron does not obscure passwords, secrets etc.

# grep ^rabbit_password etc/neutron/neutron.conf 
rabbit_password = d873fe7e27346b7191887fd890504787b618f227

Version-Release number of selected component (if applicable):
sos-3.2-15.el7_1.1.noarch

How reproducible:
Always

Steps to Reproduce:
1. # sosreport -o openstack_neutron

Actual results:
/etc/neutron config files collected with passwords and secrects still present.

Expected results:
/etc/neutron config files collected with passwords and secrects obscured.

Additional info:
Comment 5 Ofer Blaut 2015-07-19 11:26:31 UTC 
[root@overcloud-controller-2 neutron]# cat neutron.conf | grep pas
# api_paste_config = api-paste.ini
# used unless passed explicitly to subnet create.  If no pool is used, then a
# CIDR must be passed to create a subnet and that subnet will not be allocated
# nova_admin_password =
# qpid_password=
# The RabbitMQ password. (string value)
# rabbit_password=guest
# If passed, use a fake RabbitMQ provider. (boolean value)
# password=
admin_password = *********
# connection = mysql://root:pass.0.1:3306/neutron
# Deprecated group/name - [amqp1]/ssl_key_password
# ssl_key_password =
# Deprecated group/name - [DEFAULT]/qpid_password
# qpid_password =
# The RabbitMQ password. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_password
# rabbit_password = guest
rabbit_password = *********
[root@overcloud-controller-2 neutron]# rpm -qa | grep sos
sos-3.2-16.el7ost.2.noarch
Comment 7 errata-xmlrpc 2015-08-05 13:29:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548