Bug 1331556

Summary: Detect Undercloud logs cleartext undercloud password to production.log
Product: Red Hat Quickstart Cloud Installer
Reporter: Tasos Papaioannou <tpapaioa>
Component: fusor-server
Assignee: Derek Whatley <dwhatley>
Status: CLOSED ERRATA
QA Contact: Tasos Papaioannou <tpapaioa>
Severity: medium
Priority: unspecified
Version: 1.0
CC: dwhatley, jmatthew
Target Milestone: ga
Keywords: Triaged
Target Release: 1.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-09-13 16:28:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1342594

Description Tasos Papaioannou 2016-04-28 19:24:19 UTC
Description of problem:

Detect Undercloud logs the undercloud's SSH password in cleartext to /var/log/foreman/production.log, e.g.,

2016-04-28 15:21:26 [I] Connecting to database specified by database.yml
2016-04-28 15:21:26 [I] Processing by Fusor::Api::Openstack::UndercloudsController#create as JSON
2016-04-28 15:21:26 [I]   Parameters: {"underhost"=>"192.0.2.254", "underuser"=>"root", "underpass"=>"changeme", "deployment_id"=>"2", "undercloud"=>{"underhost"=>"192.0.2.254", "underuser"=>"root", "underpass"=>"changeme", "deployment_id"=>"2"}}
2016-04-28 15:21:27 [I] Completed 200 OK in 698ms (Views: 30.9ms | ActiveRecord: 35.6ms)


Version-Release number of selected component (if applicable):

QCI-1.1-RHEL-7-20160428.t.0

How reproducible:

100%

Steps to Reproduce:
1.) Enter ssh credentials for undercloud on Detect Undercloud tab.
2.) See the password logged in /var/log/foreman/production.log.

Actual results:

Cleartext password logged in production.log

Expected results:

Password not logged in production.log.

Additional info:

Comment 1 Derek Whatley 2016-07-12 20:32:37 UTC
I'm thinking this can be resolved by changing the key names to include the substring "password" rather than "pass" due to the filtering settings currently in place.

underpass => undercloud_password
underuser => undercloud_user
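
The comment above relies on how the Rails parameter filter behind production.log decides what to mask: the configured string filters are compiled into one case-insensitive regexp that is matched against each parameter key, so a filter of "password" is a substring match that catches "undercloud_password" but not "underpass". The following is an added example, not Foreman's or fusor's code: a small stand-in for that filter, run over constructed parameters shaped like the two log lines in this bug, plus a leak check a test suite could keep so that a renamed parameter never silently drops out of the filter again. The filter list [:password] is an assumption (the Rails generator default); Foreman's real list is not shown on this page.

```ruby
# Added example (not Foreman's or fusor's code): a stand-in for the Rails
# parameter filter (ActionDispatch::Http::ParameterFilter) that writes
# "[FILTERED]" into production.log. Rails compiles the configured string
# filters into one case-insensitive regexp and matches it against every
# parameter key, so the match is on a substring of the key, not the whole key.
FILTERED = "[FILTERED]".freeze

# Compile filters the way Rails does: Regexp entries are kept as-is, String and
# Symbol entries are joined into one alternation. Rails inserts the strings
# unescaped (they may be regexp fragments); Regexp.escape is used here for clarity.
def compile_filters(filters)
  strings, regexps = filters.partition { |f| !f.is_a?(Regexp) }
  compiled = regexps.dup
  unless strings.empty?
    compiled << Regexp.new(strings.map { |s| Regexp.escape(s.to_s) }.join("|"), Regexp::IGNORECASE)
  end
  compiled
end

# Return a copy of params with every value whose key matches a filter replaced
# by FILTERED. Nested hashes (the "undercloud" => {...} wrapper seen in the log)
# and arrays are walked recursively, as Rails does.
def filter_params(params, filters)
  filter_value(params, compile_filters(filters))
end

def filter_value(value, patterns)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      out[key] = if patterns.any? { |re| re.match?(key.to_s) }
                   FILTERED
                 else
                   filter_value(val, patterns)
                 end
    end
  when Array
    value.map { |v| filter_value(v, patterns) }
  else
    value
  end
end

# Defender's check: does the filtered structure (what would reach the log)
# still contain the secret anywhere?
def leaks_secret?(params, filters, secret)
  contains?(filter_params(params, filters), secret)
end

def contains?(value, secret)
  case value
  when Hash  then value.values.any? { |v| contains?(v, secret) }
  when Array then value.any? { |v| contains?(v, secret) }
  else value == secret
  end
end

# Constructed request parameters, shaped like the log lines in this bug.
BEFORE_FIX = {
  "underhost" => "192.0.2.254", "underuser" => "root", "underpass" => "changeme",
  "deployment_id" => "2",
  "undercloud" => { "underhost" => "192.0.2.254", "underuser" => "root",
                    "underpass" => "changeme", "deployment_id" => "2" }
}.freeze

AFTER_FIX = {
  "undercloud_host" => "192.168.101.1", "undercloud_user" => "root",
  "undercloud_password" => "changeme", "deployment_id" => "1",
  "undercloud" => { "undercloud_host" => "192.168.101.1", "undercloud_user" => "root",
                    "undercloud_password" => "changeme", "deployment_id" => "1" }
}.freeze

DEFAULT_FILTERS = [:password].freeze # assumption: Rails generator default

if __FILE__ == $PROGRAM_NAME
  p filter_params(BEFORE_FIX, DEFAULT_FILTERS) # "underpass" survives: no "password" in the key
  p filter_params(AFTER_FIX, DEFAULT_FILTERS)  # "undercloud_password" => "[FILTERED]"
  # The other valid fix: keep the old key and add it to the filter list instead.
  p filter_params(BEFORE_FIX, DEFAULT_FILTERS + [:underpass])
end
```

Renaming the key (the route taken in this bug) and extending config.filter_parameters are both sufficient; a regexp filter such as /pass/i would also cover the old key, at the cost of masking unrelated keys like "passthrough". Whichever is chosen, keeping a leaks_secret?-style assertion in the test suite is what catches the next rename.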

Comment 2 Derek Whatley 2016-07-14 21:26:27 UTC
PR at https://github.com/fusor/fusor/pull/1042

Comment 3 Derek Whatley 2016-07-20 13:21:08 UTC
PR 1042 has been merged.

Comment 5 John Matthews 2016-07-20 22:47:01 UTC
QCI-1.2-RHEL-7-20160720.t.0-QCI-x86_64-dvd1.iso

Comment 9 Tasos Papaioannou 2016-07-22 18:32:50 UTC
Verified on QCI-1.2-RHEL-7-20160720.t.0:

----
2016-07-22 10:58:11 [app] [I] Started POST "/fusor/api/openstack/deployments/1/underclouds" for 10.13.57.116 at 2016-07-22 10:58:11 -0400
2016-07-22 10:58:11 [app] [I] Processing by Fusor::Api::Openstack::UndercloudsController#create as JSON
2016-07-22 10:58:11 [app] [I]   Parameters: {"undercloud_host"=>"192.168.101.1", "undercloud_user"=>"root", "undercloud_password"=>"[FILTERED]", "deployment_id"=>"1", "undercloud"=>{"undercloud_host"=>"192.168.101.1", "undercloud_user"=>"root", "undercloud_password"=>"[FILTERED]", "deployment_id"=>"1"}}
2016-07-22 10:58:12 [app] [I] Completed 200 OK in 604ms (Views: 9.6ms | ActiveRecord: 35.8ms)
----

Comment 11 errata-xmlrpc 2016-09-13 16:28:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:1862