Bug 1481586

Summary: engine-setup ovn plugin outputs to the user a plaintext password on failure
Product: [oVirt] ovirt-engine Reporter: Yedidyah Bar David <didi>
Component: Setup.EngineAssignee: Marcin Mirecki <mmirecki>
Status: CLOSED CURRENTRELEASE QA Contact: Lucie Leistnerova <lleistne>
Severity: medium Docs Contact:
Priority: low    
Version: 4.2.0CC: bugs, danken, lleistne
Target Milestone: ovirt-4.2.0Flags: rule-engine: ovirt-4.2+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 11:04:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2017-08-15 06:35:45 UTC 
Description of problem:

On the flow described in bug 1481583, we further output:

The following commands failed to execute.
Please execute them manually as root:
   keytool -import -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt -storepass changeit

We should instead output something like this:

   . /usr/share/ovirt-engine/bin/engine-prolog.sh
   keytool -import -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt -storepass "${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}"

So that someone looking behind the shoulder of the user, or seeing a copy/pasted
output posted somewhere for debugging etc., will not see the password.

This is not currently a security risk, because this file does not keep
secrets. This might change in future versions.
Comment 1 Lucie Leistnerova 2017-12-08 12:17:35 UTC 
when import to trustore fails, engine-setup prints 
... -storepass "${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}

verified in ovirt-engine-setup-4.2.0-0.6.el7.noarch
Comment 2 Sandro Bonazzola 2017-12-20 11:04:36 UTC 
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.