Bug 1358063

Summary: beaker-provision logs leak power passwords in fence agent output
Product: [Retired] Beaker Reporter: Dan Callaghan <dcallagh>
Component: lab controllerAssignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dcallagh, dowang, mjia, rjoost
Target Milestone: 24.0Keywords: FutureFeature, Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-21 18:50:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Callaghan 2016-07-20 00:37:50 UTC 
Some/all of the fence agents, when run in --verbose mode which we use when invoking them, will print output that includes the password passed to the BMC.

For example fence_ipmilan will print output like this:

Executing: /usr/bin/ipmitool -I lanplus -H example.com -U user -P thepassword -p 623 -L ADMINISTRATOR chassis power stat

If the power command fails, beaker-provision logs this output as part of the failure so that the administrator has a better chance of figuring out what went wrong. But as a result the passwords end up leaked in /var/log/beaker/provision.log.

Similar to bug 986108 (which censors passwords in the repr() of the power commands) beaker-provision should censor any instance of the password which appears in the power script's output, before it logs it and reports it back to Beaker.
Comment 1 Dan Callaghan 2016-08-08 06:04:20 UTC 
While writing a test case for this I hit long-standing bug 968715: we don't store anywhere near the complete failure message when power commands fail. All I get in my test case is:

ValueError: Power script /home/dcallagh/work/beaker/LabContr

so I'd like to fix that up (perhaps via bug 1318524) for this one.
Comment 2 Dan Callaghan 2016-09-05 01:31:05 UTC 
http://gerrit.beaker-project.org/5186
Comment 3 Dan Callaghan 2016-09-05 04:59:11 UTC 
Plus matching change for dogfood: https://gerrit.beaker-project.org/5191
Comment 6 Dan Callaghan 2017-02-21 18:50:54 UTC 
Beaker 24.0 has been released.