Bug 1384417

Summary: [TEXT] engine-setup suggests creating remote db users with passwords being the username
Product: [oVirt] ovirt-engine Reporter: Lucie Leistnerova <lleistne>
Component: Setup.EngineAssignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Lucie Leistnerova <lleistne>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: bugs, lleistne, oourfali, ylavi
Target Milestone: ovirt-4.1.0-alphaKeywords: Reopened
Target Release: 4.1.0Flags: rule-engine: ovirt-4.1+
rule-engine: planning_ack+
sbonazzo: devel_ack+
pstehlik: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-01 14:38:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Lucie Leistnerova 2016-10-13 09:17:44 UTC 
Description of problem:
When user uses weak password like 'dump', 'Environment', 'engine' for database role or engine admin, in setup log all occurrence (even if it's not a password) are substituted with **FILTERED**.
The password then can be guessed.

based on https://bugzilla.redhat.com/show_bug.cgi?id=1105507#c2

I run into this problem when I wanted to install engine on remote DB server and the engine-setup says

ATTENTION
         
          Manual action required.
          Please create database for ovirt-engine use. Use the following commands as an example:
         
          create role engine with login encrypted password 'engine';

so I copied the statement and run it in psql. Then I had in log something like this:
2016-10-13 09:38:17 DEBUG otopi.context context._executeMethod:128 Stage setup METHOD otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**_dwh.core.misc.Plugin._setup
2016-10-13 09:38:17 DEBUG otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**_dwh.core.misc misc._setup:65 dwh version: ovirt-**FILTERED**-dwh-4.0.2 (4.0.2)
2016-10-13 09:38:17 DEBUG otopi.context context.dumpEnvironment:760 ENVIRONMENT DUMP - BEGIN
2016-10-13 09:38:17 DEBUG otopi.context context.dumpEnvironment:770 ENV OVESETUP_CORE/setupAttributesModules=list:'[<module 'ovirt_**FILTERED**_setup.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.**FILTERED**.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/**FILTERED**/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.**FILTERED**_common.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/**FILTERED**_common/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.dwh.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/dwh/constants.pyc'>]'


Closing this as WONTFIX because the logs can see only root is not a solution. Why then are the passwords filtered at all?

Version-Release number of selected component (if applicable):
otopi-1.5.2-1.el7ev.noarch

Actual results: all occurrence of the string is substituted

Expected results: engine-setup doesn't allow passwords that can match some words
Comment 1 Yedidyah Bar David 2016-10-13 10:36:57 UTC 
(In reply to Lucie Leistnerova from comment #0)
> Actual results: all occurrence of the string is substituted
> 
> Expected results: engine-setup doesn't allow passwords that can match some
> words

1. These two are not contradicting. You can, if you wish, require both "Only occurrences of passwords as such should be substituted" and your current expected results. Already discussed in the linked bug 1105507.

2. engine-setup currently already emits:
[WARNING] Password is weak: {reason}

Did you get such a warning? If not, that might be a bug.

3. If you did, do you really claim we should forbid such passwords, instead of just warn against them? If so, then I personally disagree - I think we should not police our users, the warning should really be enough.

4. If you are disturbed by this for your own use, and/or want a simple recommendation you can give others, then I suggest this: for real production use, use a real password. For testing/etc., where security is not important, still use something unlikely to appear in the logs. E.g. instead of 'engine', use 'engine123' (and don't use this for other things, such as your hostname :-)).

Bottom line: I suggest to close wontfix. If you disagree, please get PM agreement. Thanks!
Comment 2 Sandro Bonazzola 2016-10-20 06:56:16 UTC 
Closing wontfix according to comment #1 and email discussion.
Comment 3 Lucie Leistnerova 2016-10-25 09:00:31 UTC 
Warning for weak password is shown by engine-setup for the admin password, so that's OK. If you enter credentials for remote databases there is no such warning.
Comment 4 Sandro Bonazzola 2016-10-25 12:58:15 UTC 
(In reply to Lucie Leistnerova from comment #3)
> Warning for weak password is shown by engine-setup for the admin password,
> so that's OK. If you enter credentials for remote databases there is no such
> warning.

Dropping the suggestion to use engine as password in this case
Comment 5 Yedidyah Bar David 2016-10-25 13:01:36 UTC 
(In reply to Sandro Bonazzola from comment #4)
> (In reply to Lucie Leistnerova from comment #3)
> > Warning for weak password is shown by engine-setup for the admin password,
> > so that's OK. If you enter credentials for remote databases there is no such
> > warning.
> 
> Dropping the suggestion to use engine as password in this case

Changing summary line accordingly.
Comment 6 Lucie Leistnerova 2016-12-05 12:41:53 UTC 
text in engine-setup for remote DB is OK

verified in ovirt-engine-4.1.0-0.2.master.20161204231323.gite9669ad.el7.centos.noarch