Bug 1325943
| Summary: | [RFE] sosreport does not contain domain specific information for keystone | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Darin Sorrentino <dsorrent> |
| Component: | sos | Assignee: | Pavel Moravec <pmoravec> |
| Status: | CLOSED ERRATA | QA Contact: | Miroslav Hradílek <mhradile> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | agk, bmr, dsorrent, gavin, lyarwood, mburns, mhradile, plambri, sbradley |
| Target Milestone: | rc | Keywords: | FutureFeature, OtherQA |
| Target Release: | 7.5 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| URL: | https://github.com/sosreport/sos/pull/1086 | ||
| Whiteboard: | |||
| Fixed In Version: | sos-3.5-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 18:00:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Darin Sorrentino
2016-04-11 13:10:30 UTC
Does the 'openstack-config' command also support a '--get'? We'll need something like this to retrieve the value of domain_config_dir - plugins are not in the business of parsing the configuration data of other components.

(In reply to Bryn M. Reeves from comment #2)
> Does the 'openstack-config' command also support a '--get'?

Yes it does, it's just a wrapper around crudini really.

> We'll need something like this to retrieve the value of domain_config_dir -
> plugins are not in the business of parsing the configuration data of other
> components.

Yeah understood, I'll take a swing at this upstream shortly.

So the change should be:
- in openstack_keystone sos plugin?
- with pseudocode like:
dir=$(openstack-config --get /etc/keystone/keystone.conf domain_config_dir)
if [ $dir ]; then
copy whole $dir directory
obfuscate LDAP plaintext passwords in the dir
fi
Is that correct?
Two technical questions:
- what is the openstack-config --get output in either case (variable set, variable not set)? Required for proper parsing of the output
- what's the string identifying LDAP password? Or ideally, can you provide a regexp searching for it and replacing it by a series of '*'?
Example:
self.do_path_regex_sub(directory,
r"(AuthLDAPBindPassword)\s*(.*)",
r"\1********")
Sorry, I read this comment a while ago and didn't realize it was to me...

(In reply to Pavel Moravec from comment #4)
> So the change should be:
>
> - in openstack_keystone sos plugin?

I am not sure as I am not familiar with the SOS report plugin architecture?

> - with pseudocode like:
>
> dir=$(openstack-config --get /etc/keystone/keystone.conf domain_config_dir)
> if [ $dir ]; then
> copy whole $dir directory
> obfuscate LDAP plaintext passwords in the dir
> fi
>
> Is that correct?

You still need to pass the section name when doing the get as far as I know. I'd also confirm its existence in the if statement to prevent against user error. So it would be:

dir=$(openstack-config --get /etc/keystone/keystone.conf identity domain_config_dir)
if [ -d "$dir" ]; then
copy whole $dir directory
obfuscate LDAP plaintext passwords in the dir
fi

> Two technical questions:
> - what is the openstack-config --get output in either case (variable set,
> variable not set)? Required for proper parsing of the output

If it's not set, it is null:

[root@overcloud-controller-1 keystone]# export dir=$(openstack-config --get /etc/keystone/keystone.conf identity domain_config_dir)
Parameter not found: domain_config_dir
[root@overcloud-controller-1 keystone]# echo ">$dir<"
><
[root@overcloud-controller-1 keystone]#

> - what's the string identifying LDAP password? Or ideally, can you provide
> a regexp searching for it and replacing it by a series of '*'?
>
> Example:
>
> self.do_path_regex_sub(directory,
> r"(AuthLDAPBindPassword)\s*(.*)",
> r"\1********")

self.do_path_regex_sub(directory, r"^\s*(password)\s*=\s*(.*)", r"\1********")

I'm not a programmer but based on your example, I think it would look like:

self.do_path_regex_sub(directory, r"^\s*(password)\s*=\s*(.*)", r"\1********")

You can copy the example from section 4b here to test it:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_openstack_platform/7/html-single/integrate_with_identity_service/#configure_the_controller_2

(In reply to Darin Sorrentino from comment #6)
> Sorry, I read this comment a while ago and didn't realize it was to me...
>
> (In reply to Pavel Moravec from comment #4)
> > So the change should be:
> >
> > - in openstack_keystone sos plugin?
>
> I am not sure as I am not familiar with the SOS report plugin architecture?

No problem. I meant by that question how to identify systems where the new commands shall be run - roughly saying "only on OpenStack Keystone server", technically on any system with either package: 'openstack-keystone', 'python-keystone', 'python-django-openstack-auth', 'python-keystoneclient' installed. (presence of either of those packages automatically triggers execution of openstack_keystone plugin, so this plugin shall contain the commands).

Thanks for answers, I will work on patch later on.

We are behind 7.4 schedule so this shall go to 7.5 by default.

Upstream PR: https://github.com/sosreport/sos/pull/1086

It would be great to pre-verify it (incl. password obfuscation) if possible.

Fixed via sos 3.5 rebase.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0963
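
The procedure discussed in this bug (read domain_config_dir from the [identity] section, confirm the directory exists, copy it, mask LDAP passwords), as an added Python example that is not part of the bug report or of the sos code base. The function names, the file name keystone.LAB.conf and the sample content are assumptions made for illustration, and the pattern is a variant of the one proposed in the thread.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Mask only the value and keep "password = ". MULTILINE makes ^ match on every
# line; [ \t]* instead of \s* stops an empty value from swallowing the next line.
PASSWORD_RE = re.compile(r"^([ \t]*password[ \t]*=[ \t]*).*$", re.MULTILINE)

# Constructed sample of a domain-specific LDAP config (not from a real system).
SAMPLE = (
    "[ldap]\n"
    "url = ldap://ldap.example.com\n"
    "password = S3cret!\n"
    "user_tree_dn = ou=People,dc=example,dc=com\n"
)


def domain_config_dir(keystone_conf):
    """Return [identity]/domain_config_dir as a Path, or None if unset or not a directory."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(keystone_conf)  # a missing file is silently skipped
    value = parser.get("identity", "domain_config_dir", fallback="").strip()
    return Path(value) if value and Path(value).is_dir() else None


def collect_scrubbed(keystone_conf, dest):
    """Copy every file under the domain config dir into dest with passwords masked."""
    src = domain_config_dir(keystone_conf)
    if src is None:
        return []
    written = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        target = Path(dest) / path.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(PASSWORD_RE.sub(r"\1********", path.read_text(errors="replace")))
        written.append(target)
    return written


def demo():
    """Build a throwaway tree from SAMPLE and return the scrubbed file's text."""
    with tempfile.TemporaryDirectory() as tmp:
        domains = Path(tmp, "domains")
        domains.mkdir()
        (domains / "keystone.LAB.conf").write_text(SAMPLE)
        conf = Path(tmp, "keystone.conf")
        conf.write_text(f"[identity]\ndomain_config_dir = {domains}\n")
        return collect_scrubbed(conf, Path(tmp, "collected"))[0].read_text()
```

When a `^`-anchored pattern is applied to a whole file's contents with Python's `re` and no MULTILINE flag, it can only match on the first line, so a password further down the file would pass through unmasked.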