Bug 1366795

Summary: Build Logs Proxy Usernames and Passwords that might be sensitive
Product: OpenShift Container Platform Reporter: Eric Rich <erich>
Component: ImageStreamsAssignee: Ben Parees <bparees>
Status: CLOSED ERRATA QA Contact: Wang Haoran <haowang>
Severity: low Docs Contact:
Priority: low    
Version: 3.2.1CC: aos-bugs, bparees, dmoessne, dyan, hhorak, jokerman, mbarrett, mmccomas, smunilla, stwalter, vwalek
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Proxy values are logged during builds. Consequence: Proxy values that contain user credentials are exposed to anyone who can view build logs. Fix: Credentials that are part of proxy values(e.g. http://user:password@proxy.com) will be redacted from the proxy value being logged. Result: Proxy credentials will no longer be exposed in build logs.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-10 05:15:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Rich 2016-08-12 20:43:01 UTC 
Description of problem:

The build log for the project contains the proxy username and password.  Some administrators may not want all of the users of the OpenShift system to have easy access to the proxy username and password. 

Version-Release number of selected component (if applicable): 3.2
How reproducible: 100% 

Steps to Reproduce:
1.set the proxy variables according to https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#advanced-install-configuring-global-proxy.  
2. I created a project then created a new application based on template. 
3. Review Build Logs 

Actual results:

I0811 20:55:36.204801       1 docker.go:599] Creating container with options {Name:"" Config:&{Hostname: Domainname: User: Memory:0 MemorySwap:0 MemoryReservation:0 KernelMemory:0 CPUShares:0 CPUSet: AttachStdin:false AttachStdout:true AttachStderr:false PortSpecs:[] ExposedPorts:map[] StopSignal: Tty:false OpenStdin:true StdinOnce:true Env:[OPENSHIFT_BUILD_NAME=nodejs-example-1 OPENSHIFT_BUILD_NAMESPACE=brrichin OPENSHIFT_BUILD_SOURCE=https://github.com/openshift/nodejs-ex.git NPM_MIRROR= HTTP_PROXY=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 HTTPS_PROXY=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 NO_PROXY=.cluster.local,example.com,lpv-webosesbx09.co.example.com http_proxy=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 https_proxy=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 no_proxy=.cluster.local,example.com,lpv-webosesbx09.co.example.com] Cmd:[/bin/sh -c tar -C /tmp -xf - && /usr/libexec/s2i/assemble] DNS:[] Image:registry.access.redhat.com/openshift3/nodejs-010-rhel7:latest Volumes:map[] VolumeDriver: VolumesFrom: WorkingDir: MacAddress: Entrypoint:[] NetworkDisabled:false SecurityOpts:[] OnBuild:[] Mounts:[] Labels:map[]} HostConfig:&{Binds:[] CapAdd:[] CapDrop:[KILL MKNOD SETGID SETUID SYS_CHROOT] GroupAdd:[] ContainerIDFile: LxcConf:[] Privileged:false PortBindings:map[] Links:[] PublishAllPorts:false DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] VolumesFrom:[] NetworkMode:container:3c356149eefcdb2be6cd70fa5fb6ae218edcad354280b91eaff69f6c6bef1874 IpcMode: PidMode: UTSMode: RestartPolicy:{Name: MaximumRetryCount:0} Devices:[] LogConfig:{Type: Config:map[]} ReadonlyRootfs:false SecurityOpt:[] CgroupParent: Memory:92233720368547 MemorySwap:92233720368547 MemorySwappiness:0 OOMKillDisable:false CPUShares:2 CPUSet: CPUSetCPUs: CPUSetMEMs: CPUQuota:-1 CPUPeriod:100000 BlkioWeight:0 Ulimits:[] VolumeDriver: OomScoreAdj:0}} ...
I0811 20:55:36.514630       1 docker.go:622] Attaching to container "66d045be7eb34b5ac974fa28e7da241f425b0ff814ecd929374871209180381f" ...
I0811 20:55:36.514762       1 docker.go:631] Starting container "66d045be7eb34b5ac974fa28e7da241f425b0ff814ecd929374871209180381f" ...
---> Installing application source ...
---> Setting npm http proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm http proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm https proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm https proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Building your Node application from source

Expected results:

That the username and password be obfuscated. 

Additional info:
Comment 1 Ben Parees 2016-08-12 20:47:13 UTC 
if you have access to the build, you have access to the proxy configuration, whether via logs or just looking at the build pod definition, it's not possible to hide that information.
Comment 5 Ben Parees 2017-03-03 14:44:42 UTC 
*** Bug 1428476 has been marked as a duplicate of this bug. ***
Comment 14 Ben Parees 2017-04-12 19:08:21 UTC 
changes to s2i are here:
https://github.com/openshift/source-to-image/pull/721

will need to bump into origin and probably make additional changes in origin to complete this.
Comment 15 Ben Parees 2017-04-13 02:55:27 UTC 
PR for origin: https://github.com/openshift/origin/pull/13751
Comment 17 Dongbo Yan 2017-06-05 07:13:49 UTC 
Verified
openshift v3.6.88
kubernetes v1.6.1+5115d708d7

# oc new-build openshift/nodejs:4\~https://github.com/openshift/nodejs-ex -e http_proxy\=http://user:passwd@172.30.207.77:3128 -e https_proxy\=http://user:passwd@172.30.207.77:3128 -e HTTP_PROXY\=http://user:passwd@172.30.207.77:3128 -e HTTPS_PROXY\=http://user:passwd@172.30.207.77:3128

# oc logs -f bc/nodejs-ex
Cloning "https://github.com/openshift/nodejs-ex" ...
	Commit:	3d44de3ba8fef0b2baca4ddd001c0db286ea4cd3 (Merge pull request #117 from openshift/revert-112-revert-111-nodejs6)
	Author:	Ben Parees <bparees.github.com>
	Date:	Tue May 23 15:54:29 2017 -0400
Using HTTP proxy http://redacted@172.30.207.77:3128 and HTTPS proxy http://redacted@172.30.207.77:3128 for script download

doesn't show user and password in build log, so move to verified

But like comment13 mentioned, should also update language images, otherwise it will still show proxy user and password
Comment 18 Dongbo Yan 2017-07-06 08:15:15 UTC 
Hi, Honza
please check comment13
Comment 20 errata-xmlrpc 2017-08-10 05:15:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716