Bug 1385044

Summary: [RFE] Obfuscate the password fields in the properties file for AAA config
Product: Red Hat Enterprise Virtualization Manager
Reporter: Anitha Udgiri <audgiri>
Component: ovirt-engine-extension-aaa-ldap
Assignee: Martin Perina <mperina>
Status: CLOSED NOTABUG
QA Contact: Ondra Machacek <omachace>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.6.0
CC: audgiri, bazulay, dwoodruf, gklein, lsurette, mperina, oourfali, Rhev-m-bugs, tmichett, ykaul
Target Milestone: ---
Keywords: FutureFeature, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-06 16:32:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Anitha Udgiri 2016-10-14 15:46:27 UTC
Description of problem:

A couple of customers have requested that the password in the properties file be obfuscated.

Comment 1 Martin Perina 2016-10-18 11:38:30 UTC
The password of the user used to authenticate against the LDAP server should be stored in the /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties file, which should be owned by the ovirt user and ovirt group with mode 600 (or 640, depending on customer needs). So how exactly will obfuscation make the stored password more secure? Without a salt there is no additional security in obfuscation, and if we would like to use a salt, we would need to store it in another file with read/write permissions for the ovirt user only.

Also, if a customer doesn't want to use a password to authenticate against LDAP, they can use Kerberos for that as described in BZ1322940.
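
The file-permission policy described in comment 1 can be audited mechanically. The following is an added example, not code from this bug or from the oVirt project: a shell function that flags any AAA profile properties file not owned by ovirt:ovirt or with a mode looser than 600/640. It assumes the /etc/ovirt-engine/aaa path named in the comment and GNU stat.

```shell
#!/bin/sh
# Added example, not part of this bug or of oVirt: audit the AAA profile
# property files as comment 1 describes them (owner ovirt, group ovirt,
# mode 600, or 640 when the group needs read access). Assumes GNU stat and
# the /etc/ovirt-engine/aaa path named in the comment.

# check_aaa_file FILE [OWNER] [GROUP]
# Returns 0 when FILE meets the policy, 1 otherwise, and prints why.
check_aaa_file() {
    file=$1
    want_owner=${2:-ovirt}
    want_group=${3:-ovirt}
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }
    # GNU stat: octal mode, owner name, group name, e.g. "600 ovirt ovirt"
    info=$(stat -c '%a %U %G' "$file") || return 1
    set -- $info
    mode=$1; owner=$2; group=$3
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "BAD OWNER: $file is $owner:$group, expected $want_owner:$want_group"
        return 1
    fi
    # 600/640 are the modes from comment 1; 400/440 are strictly tighter.
    case $mode in
        600|640|400|440) echo "OK: $file ($mode $owner:$group)"; return 0 ;;
        *) echo "BAD MODE: $file is $mode, expected 600 or 640"; return 1 ;;
    esac
}

# audit_aaa_dir [DIR] [OWNER] [GROUP]: check every *.properties file in DIR.
audit_aaa_dir() {
    dir=${1:-/etc/ovirt-engine/aaa}
    rc=0
    for f in "$dir"/*.properties; do
        [ -e "$f" ] || continue     # no files matched the glob
        check_aaa_file "$f" "$2" "$3" || rc=1
    done
    return $rc
}

# Run the audit when invoked directly on a host that has the AAA directory.
if [ -d "${AAA_DIR:-/etc/ovirt-engine/aaa}" ]; then
    audit_aaa_dir "${AAA_DIR:-/etc/ovirt-engine/aaa}"
fi
```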

Comment 2 Anitha Udgiri 2016-10-20 20:33:53 UTC
(In reply to Martin Perina from comment #1)
> The password of the user used to authenticate against the LDAP server should
> be stored in the /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties file, which
> should be owned by the ovirt user and ovirt group with mode 600 (or 640,
> depending on customer needs). So how exactly will obfuscation make the
> stored password more secure? Without a salt there is no additional security
> in obfuscation, and if we would like to use a salt, we would need to store
> it in another file with read/write permissions for the ovirt user only.
> 
> Also, if a customer doesn't want to use a password to authenticate against
> LDAP, they can use Kerberos for that as described in BZ1322940.

Martin,
     yes, I agree with you. I raised this BZ just to ensure that we have this as a reference for any future similar requests from customers.

Comment 3 Martin Perina 2016-10-24 15:16:06 UTC
Based on comments above