Bug 1417652

Summary: The Java command line for Hawkular carries passwords when displaying process (ps)
Product: OpenShift Container Platform Reporter: Jason Meyer <jmeyer>
Component: HawkularAssignee: Matt Wringe <mwringe>
Status: CLOSED ERRATA QA Contact: Peng Li <penli>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: aos-bugs, jialiu, jokerman, lmeyer, mmccomas, mwringe, tdawson
Target Milestone: ---   
Target Release: 3.2.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The password for Hawkular Metrics was being set via a property Consequence: The password could be leaked via the ps command Fix: The password is now passed via a property file Result: The password is no longer leaked when using the ps command
 Story Points: ---
Clone Of:
: 1420898 1424137 1427325 (view as bug list) Environment:
Last Closed: 2017-03-15 20:01:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420898, 1424137, 1427325, 1427544    

Description Jason Meyer 2017-01-30 14:26:02 UTC 
Description of problem:

The Java command line for Hawkular carries three passwords and they show up in the process tree on the host.


How reproducible:

Always


Steps to Reproduce:

-----
# oc get pods -o wide
NAME                         READY     STATUS      RESTARTS   AGE       NODE
hawkular-cassandra-1-wgahg   1/1       Running     0          1d        ose3-node2.labs.osecloud.com
hawkular-metrics-i2ney       1/1       Running     0          1d        ose3-node4.labs.osecloud.com
heapster-n0tcs               1/1       Running     7          1d        ose3-node2.labs.osecloud.com
metrics-deployer-i3hrc       0/1       Completed   0          1d        ose3-node1.labs.osecloud.com

Both heapster and hawkular command lines have passwords in them. In the output below, I inserted PASSWORD where the password string is present:

# for i in ose3-node2.labs.osecloud.com ose3-node4.labs.osecloud.com; do echo '#######'$i'#######' ;ssh $i "ps aux|grep hawkular"; done
#######ose3-node2.labs.osecloud.com#######
1000020+  23277 26.6  2.4 1328672 194912 ?      Ssl  Jan17 436:54 heapster --source=kubernetes:https://kubernetes.default.svc:443?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250 --sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=hawkular&pass=PASSWORD&filter=label(container_name:^/system.slice.*|^/user.slice) --logtostderr=true --tls_cert=/secrets/heapster.cert --tls_key=/secrets/heapster.key --tls_client_ca=/secrets/heapster.client-ca --allowed_users=system:master-proxy
root      40598  0.0  0.0 113120  1576 ?        Ss   19:53   0:00 bash -c ps aux|grep hawkular
root      40604  0.0  0.0 112652   944 ?        S    19:53   0:00 grep hawkular
#######ose3-node4.labs.osecloud.com#######
1000020+  29797  0.0  0.0  11736  1620 ?        Ss   Jan17   0:00 /bin/sh /opt/eap/bin/standalone.sh -Djavax.net.ssl.keyStore=/opt/hawkular/auth/hawkular-metrics.keystore -Djavax.net.ssl.keyStorePassword=PASSWORD -Djavax.net.ssl.trustStore=/opt/hawkular/auth/hawkular-metrics.truststore -Djavax.net.ssl.trustStorePassword=PASSWORD -b 0.0.0.0 -Dhawkular-metrics.cassandra-nodes=hawkular-cassandra -Dhawkular-metrics.cassandra-use-ssl -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true -Dhawkular-metrics.openshift.auth-methods=openshift-oauth,htpasswd -Dhawkular-metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file -Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization -Dhawkular.metrics.default-ttl=7 -DKUBERNETES_MASTER_URL=https://kubernetes.default.svc:443
1000020+  30003 11.9 18.3 5221040 1471780 ?     Sl   Jan17 196:27 /usr/lib/jvm/java-1.8.0/bin/java -D[Standalone] -server -XX:+UseCompressedOops -verbose:gc -Xloggc:/opt/eap/standalone/log/gc.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.logmanager -Djava.awt.headless=true -Djboss.modules.policy-permissions=true -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-1.5.4.Final-redhat-1.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/javax.json-1.0.4.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom -Dorg.jboss.boot.log.file=/opt/eap/standalone/log/server.log -Dlogging.configuration=file:/opt/eap/standalone/configuration/logging.properties -jar /opt/eap/jboss-modules.jar -mp /opt/eap/modules -jaxpmodule javax.xml.jaxp-provider org.jboss.as.standalone -Djboss.home.dir=/opt/eap -Djboss.server.base.dir=/opt/eap/standalone -Djavax.net.ssl.keyStore=/opt/hawkular/auth/hawkular-metrics.keystore -Djavax.net.ssl.keyStorePassword=PASSWORD -iVvHi -Djavax.net.ssl.trustStore=/opt/hawkular/auth/hawkular-metrics.truststore -Djavax.net.ssl.trustStorePassword=PASSWORD -b 0.0.0.0 -Dhawkular-metrics.cassandra-nodes=hawkular-cassandra -Dhawkular-metrics.cassandra-use-ssl -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true -Dhawkular-metrics.openshift.auth-methods=openshift-oauth,htpasswd -Dhawkular-metrics.openshift.htpasswd-file=/secrets/hawkular-metrics.htpasswd.file -Dhawkular.metrics.allowed-cors-access-control-allow-headers=authorization -Dhawkular.metrics.default-ttl=7 -DKUBERNETES_MASTER_URL=https://kubernetes.default.svc:443


Actual results:

Shows password value when doing a 'ps' on the host for hawkular.  

Expected results:

Passwords should not be shown.

Additional info:

This issue is considered high priority by the security team and can delay certification of the solution.
Comment 4 Troy Dawson 2017-02-21 15:39:02 UTC 
This should be fixed with image
  openshift3/metrics-hawkular-metrics:3.2.1-5
or newer.  This image should be in all regular testing areas.
Attaching bug to errata.
Comment 7 Troy Dawson 2017-02-23 21:56:31 UTC 
I'm very sorry.  The images were built but were not pushed to the testing areas (registry.ops).
They have been pushed, and I have verified that they are there now.

# docker pull registry.ops.openshift.com/openshift3/metrics-hawkular-metrics:3.2.1-5
Trying to pull repository registry.ops.openshift.com/openshift3/metrics-hawkular-metrics ... 
3.2.1-5: Pulling from registry.ops.openshift.com/openshift3/metrics-hawkular-metrics
16dc1f96e3a1: Pull complete 
76b9d5ce5acf: Pull complete 
70ddd7f1aa5d: Pull complete 
1a1ee89807ee: Pull complete 
dc3400ea51ae: Pull complete 
cfe89ab783b9: Extracting 355.3 MB/355.3 MB
failed to register layer: ApplyLayer exit status 1 stdout:  stderr: open /usr/share/bash-completion/completions/semanage: input/output error
Comment 14 errata-xmlrpc 2017-03-15 20:01:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0512