Bug 1402541

Summary: Engine password obfuscation is too intrusive
Product: [oVirt] ovirt-engine Reporter: jniederm
Component: BLL.Infra Assignee: Ondra Machacek <omachace>
Status: CLOSED NOTABUG QA Contact: Pavel Stehlik <pstehlik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.1.0 CC: bugs, mperina
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-13 09:27:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description              Flags
configure-engine.yml     none
ansible-output           none
playbook-workaround.yml  none

Description jniederm 2016-12-07 18:51:42 UTC
Created attachment 1229204 [details]
configure-engine.yml

Description of problem:
Engine (or SDK) obfuscates (replaces with a series of '*') any password occurrence in the response to an Ansible `ovirt_auth` plugin request in the fields `token` and `url` (maybe even in other fields). That leads to broken authentication for the following `ovirt_*` Ansible plugin calls, with misleading error messages.

Version-Release number of selected component (if applicable):
ovirt-engine: 4.1 master, dev build, commit 620c403
ansible: 2.2.0.0
os: fedora 24

How reproducible:
100%

Steps to Reproduce:
1. Create an engine setup with the password contained in the hostname
   E.g. password: 'a', hostname: 'localhost'; 'localhost' contains 'a'
2. Automate some engine task using `ovirt_auth` and some other `ovirt_*` ansible plugin.

Actual results:
`ansible-playbook` fails with error 'Could not resolve host: loc********lhost'

Expected results:
Ansible playbook works ok.

Additional info:
The attachment contains the Ansible playbook used and the full console output. The configuration was password: 'a' and hostname: 'happybox'. Please notice the '*' chars in the output of

  - debug:
      var: ovirt_auth

ok: [localhost] => {
    "ovirt_auth": {
        "ca_file": null, 
        "compress": true, 
        "insecure": true, 
        "kerberos": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
        "timeout": 0, 
        "token": "1gV5JQcKFtKTLMk6zz********OR9J-j1m********XENw7XOsk0irGTk5idWWGoRU3P77-M8CikhHcI********MBwCPyVF2uGiblf1PhQ", 
        "url": "https://h********ppybox:8443/ovirt-engine/********pi"
    }
}

Comment 1 jniederm 2016-12-07 18:53:26 UTC
Created attachment 1229205 [details]
ansible-output

Comment 2 jniederm 2016-12-07 18:59:02 UTC
Created attachment 1229207 [details]
playbook-workaround.yml

A workaround can be to use direct authentication for each `ovirt_*` plugin call.

Comment 3 Ondra Machacek 2016-12-13 09:27:43 UTC
This is a bug in Ansible, not oVirt. I will handle it.

Comment 4 Ondra Machacek 2016-12-13 09:48:53 UTC
Issue for Ansible opened here: 

 https://github.com/ansible/ansible/issues/19278
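
The behaviour reported in this bug, as an added example that is not code from oVirt, Ansible or any participant in this thread: a simplified model of value-based output masking, which reproduces the `h********ppybox` URL from the description, plus a pre-flight check that lists the non-secret fields a given secret would corrupt. The function names and the token value are constructed for illustration.

```python
MASK = "********"

def mask_values(obj, secrets):
    """Simplified model of value-based masking: every occurrence of a
    secret string is replaced, whichever field it appears in."""
    if isinstance(obj, dict):
        return {k: mask_values(v, secrets) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [mask_values(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            if s:  # an empty secret would match everywhere
                obj = obj.replace(s, MASK)
    return obj

def find_collisions(obj, secrets, path=""):
    """Return the paths of string fields that merely *contain* a secret.
    A field that equals the secret is the legitimate masking target and
    is not reported."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += find_collisions(v, secrets, f"{path}.{k}" if path else str(k))
    elif isinstance(obj, (list, tuple)):
        for i, v in enumerate(obj):
            hits += find_collisions(v, secrets, f"{path}[{i}]")
    elif isinstance(obj, str):
        if any(s and s in obj and s != obj for s in secrets):
            hits.append(path)
    return hits

# Constructed sample shaped like the ovirt_auth result in the description.
# The token is a made-up value; password 'a' and host 'happybox' are the
# configuration the reporter describes.
RESULT = {
    "ca_file": None,
    "compress": True,
    "insecure": True,
    "timeout": 0,
    "token": "tokXa9Q",
    "url": "https://happybox:8443/ovirt-engine/api",
}
SECRETS = ["a"]

if __name__ == "__main__":
    print("masked url :", mask_values(RESULT, SECRETS)["url"])
    print("collisions :", find_collisions(RESULT, SECRETS))
```

Running `find_collisions` against the expected return data before enabling value-based masking shows when a short or common secret will break downstream consumers of `token` and `url`.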