Bug 1332892

Summary: Automatic provisioning of engine db keeps password in answer file if dwh is installed
Product: [oVirt] ovirt-engine-dwh Reporter: Yedidyah Bar David <didi>
Component: SetupAssignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Lukas Svaty <lsvaty>
Severity: high Docs Contact:
Priority: medium    
Version: 3.6.5CC: bugs, pstehlik, sbonazzo, sradco, ylavi
Target Milestone: ovirt-4.1.0-alphaKeywords: ZStream
Target Release: 4.1.0Flags: rule-engine: ovirt-4.1+
rule-engine: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1133621
: 1351668 (view as bug list) Environment:
Last Closed: 2017-02-01 14:44:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1351668, 1361536, 1390631    

Description Yedidyah Bar David 2016-05-04 10:02:33 UTC 
+++ This bug was initially created as a clone of Bug #1133621 +++

Description of problem:
[ INFO  ] Stage: Misc configuration
[ INFO  ] Creating Engine database schema
[ ERROR ] Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/dbscripts/create_schema.sh' failed to execute
[ INFO  ] Yum Performing yum transaction rollback
[ INFO  ] Rolling back database schema
[ INFO  ] Clearing Engine database engine
[ ERROR ] Engine database rollback failed: FATAL:  password authentication failed for user "engine" FATAL:  password authentication failed for user "engine" 

Version-Release number of selected component (if applicable):
av11.1

How reproducible:
100%, automatically and manually

Steps to Reproduce:
1. rhevm-setup --config-append=working 
2. rhevm-cleanup --config-append=cleanup 
3. rhevm-setup --config-append=setup 

Actual results:


Expected results:


Additional info:
Found by automated testing, probably introduced with av11.1

--- Additional comment from Petr Beňas on 2014-08-25 18:05:48 IDT ---



--- Additional comment from Petr Beňas on 2014-08-25 18:06:11 IDT ---



--- Additional comment from Petr Beňas on 2014-08-25 18:07:04 IDT ---



--- Additional comment from Petr Beňas on 2014-08-25 18:08:03 IDT ---

[root@localhost ~]# tail /var/lib/pgsql/data/pg_hba.conf
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                               ident
host    engine          engine          0.0.0.0/0               md5
host    engine          engine          ::0/0                   md5
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident
# IPv6 local connections:
host    all         all         ::1/128               ident

--- Additional comment from Petr Beňas on 2014-08-25 19:26:11 IDT ---

Found simplier reproducing vector: 

[ INFO  ] Execution of setup completed successfully
[root@localhost ~]# export PGPASSWORD=123456; psql -d engine -U engine -h localhost -t -A -c '--'
psql: FATAL:  password authentication failed for user "engine"
[root@localhost ~]# history | tail -n 5
    5  2014-08-25 18:19:22 hostname
    6  2014-08-25 18:19:32 vim working 
    7  2014-08-25 18:19:53 rhevm-setup --config-append=working 
    8  2014-08-25 18:24:16 export PGPASSWORD=123456; psql -d engine -U engine -h localhost -t -A -c '--'
    9  2014-08-25 18:24:51 history | tail -n 5

--- Additional comment from David Caro on 2014-08-25 20:10:40 IDT ---

The bug is actually that setting the postgres provisioning to true, generates the database password even if it was specified in the answerfile, changing the option:

OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:True

to

OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:False

in the first setup answerfile works as expected.

--- Additional comment from Petr Beňas on 2014-08-26 11:07:34 IDT ---

I don't see any change in behaviour when trying postgresProvisioning set to False....

http://jenkins.qa.lab.tlv.redhat.com:8080/view/RhevmCore/view/3.4-All/job/3.4-git-rhevmCore-infra_tools_setup/29/console

--- Additional comment from Petr Beňas on 2014-08-26 13:42:09 IDT ---

Tried manually running on freshly installed system with the OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:False
and got following result. It looks one would have to create the db manually in such case. 

 INFO  ] Creating Engine database schema
[ ERROR ] Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/dbscripts/create_schema.sh' failed to execute
[ INFO  ] Yum Performing yum transaction rollback
[ INFO  ] Rolling back database schema
[ INFO  ] Clearing Engine database engine
[ ERROR ] Engine database rollback failed: could not connect to server: Connection refused      Is the server running on host "localhost" and accepting      TCP/IP connections on port 5432? could not connect to server: Connection refused     Is the server running on host "localhost" and accepting         TCP/IP connections on port 5432? 

So my guess is that if OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:True is set, the password from answerfile is ignored and new password is generated.

--- Additional comment from Yedidyah Bar David on 2014-09-08 15:10:39 IDT ---

As discussed, we should also refrain from writing to the answer file the randomly-generated password.

This way, mere use of setup-generated answer file will keep the existing behavior (generate a new password), while special cases will still be able to supply their own password even if auto provisioning.

--- Additional comment from Eyal Edri on 2014-09-11 00:29:04 IDT ---

bug fixed in vt3.
if you think it's not included in latest build, please contact rhev-integ

--- Additional comment from Petr Beňas on 2014-09-11 17:58:11 IDT ---

in vt3

--- Additional comment from Yedidyah Bar David on 2014-10-12 12:55:00 IDT ---

Simone - did you check this also on dwh/reports?

--- Additional comment from Simone Tiraboschi on 2014-10-13 10:57:09 IDT ---

(In reply to Yedidyah Bar David from comment #14)
> Simone - did you check this also on dwh/reports?

Engine DB password should now be handled correctly also installing DWH and reports, didn't try what happens with DWH and reports DB password.
I'll check.

--- Additional comment from Yedidyah Bar David on 2014-11-23 09:40:07 IST ---

Perhaps take parts or all of the doctext from the 3.4 clone:

Previously, rhevm-setup with automatic provisioning ignored a database password if one was supplied in the answer file. A new random password was generated and written to the generated answer file. Now, for automatic provisioning, if a password is supplied in the answer file, it is not ignored, and the password is not written to the answer file that is generated at the end.
Comment 1 Yedidyah Bar David 2016-05-04 10:06:34 UTC 
This bug happens because the fix [1] wasn't applied to dwh, which had a copy [2] of the relevant part of the code done before the fix was introduced.

IMO we should stop duplicating such constants with comments "sync with XXX" without any tool/process to actually sync them. Either move all such constants to common packages that all use and do not need to copy, or create some automatic tool to verify that they are indeed synced.

[1] https://gerrit.ovirt.org/#/q/I3fb9d2c10d3809c68430084f6212eaa191d5ca21,n,z
[2] https://gerrit.ovirt.org/27516
Comment 2 Yedidyah Bar David 2016-05-09 05:47:13 UTC 
I'd like to point out that there is no direct security issue here. If a user chooses manual provisioning, and inputs creds, including a password, these creds will be written to the answer file, by design. In the past, the password was always written, but if automatic provisioning was selected, a next run with the generated answer file ignored the password (thus creating a new random one). We then decided to stop ignoring the password, but also do not write it - so that if a user manually edits the answer file to use a specific password, it will be used.

The only security issue is that a user might expect to get a newly-generated random password for each run that uses the generated answer file, which is what happens if it was generated with only the engine installed. If DWH is installed too, the file will include the password, so next runs will create a user with the same password. This is easy to notice, and fix, by deleting the relevant line from the answer file.

I mainly opened this bug as a reminder to do comment 1 above - stop having duplicate constants scattered around. Doing this is likely to solve more unknown bugs, and preventing future ones.
Comment 3 Yaniv Lavi 2016-05-23 13:18:50 UTC 
oVirt 4.0 beta has been released, moving to RC milestone.
Comment 4 Yaniv Lavi 2016-05-23 13:25:54 UTC 
oVirt 4.0 beta has been released, moving to RC milestone.
Comment 5 Yedidyah Bar David 2016-06-09 14:13:53 UTC 
58918 is for reports, pushed it just in case. Fix is in dwh, moving bug there.
Comment 6 Lukas Svaty 2016-07-29 13:47:50 UTC 
tested in ovirt-engine-dwh-setup-4.0.2-1.el7ev.noarch

after engine setup with configured answer file with set up password:

[root@ls-40 ~]# grep pass /var/lib/ovirt-engine/setup/answers/20160729134536-setup.conf
OVESETUP_DWH_DB/password=str:mydbpassword
Comment 7 Red Hat Bugzilla Rules Engine 2016-07-29 13:47:55 UTC 
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 8 Yedidyah Bar David 2016-08-03 11:03:30 UTC 
(In reply to Lukas Svaty from comment #6)
> tested in ovirt-engine-dwh-setup-4.0.2-1.el7ev.noarch
> 
> after engine setup with configured answer file with set up password:
> 
> [root@ls-40 ~]# grep pass
> /var/lib/ovirt-engine/setup/answers/20160729134536-setup.conf
> OVESETUP_DWH_DB/password=str:mydbpassword

Above is indication for bug 1351668, not for current bug. Current bug is about OVESETUP_DB/password.
Comment 9 Lukas Svaty 2016-08-19 09:11:55 UTC 
removing blocking tracker for 4.0 as this one is on 4.1 target release
Comment 10 Lukas Svaty 2017-01-31 12:51:50 UTC 
verified in ovirt-engine-dwh-setup-4.1.0-1.el7ev.noarch