Bug 1512977

Summary: [Regression] Evm.log contains passwords
Product: Red Hat CloudForms Management Engine Reporter: Hayk Hovsepyan <hhovsepy>
Component: SecurityAssignee: Juan Hernández <juan.hernandez>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hrazdil <rhrazdil>
Severity: urgent Docs Contact:
Priority: high    
Version: 5.9.0CC: cpelland, dajohnso, jhardy, jprause, jrafanie, obarenbo, rhrazdil
Target Milestone: GAKeywords: Regression, TestOnly
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1513620 1515474 (view as bug list) Environment:
Last Closed: 2019-02-11 13:53:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: RHEVM Target Upstream Version:
Embargoed:
Bug Depends On: 1513620    
Bug Blocks: 1515474    

Description Hayk Hovsepyan 2017-11-14 14:32:40 UTC 
Description of problem:
Added RHEVM Infrastructure provider, there is some error in fetching data from it.
Checking evm.log file, I can see my RHEVM provider's password logged as open text.


Version-Release number of selected component (if applicable):
5.9.0.8.20171109215303_ed87902

How reproducible:
When there is some ERROR in fetching data from RHEVM provider.
Comment 2 Hayk Hovsepyan 2017-11-14 17:09:01 UTC 
Error is logged when RHEVM connection has timeouts:

[----] E, [2017-11-14T04:29:44.020407 #6232:119313c] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::FuturesCollector#wait_on_all_futures_ignoring_results) failed waiting on #<ManageIQ::Providers::Redhat::InfraManager::FuturesCollector::KeyedValue:0x0000000bf5dbf0 @key="vm_985c787c-1cc5-4e7b-9cb4-390243021336_disk_attachments", @value=#<OvirtSDK4::Future:0x0000000bf5dd58 @service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 @parent=#<OvirtSDK4::VmService:0x0000000bf5f7c0 @parent=#<OvirtSDK4::VmsService:0x00000003b1e4e8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 @parent=#<OvirtSDK4::Connection:0x0000000baaa220 @url="MY_URL", @username="MY_USERNAME", @password="MY_PASSWORD", @token="jdkdS4QnGIQ6IDOLqQHJNHuPJqbNXQ57YMc7DZMMXvCpolYN6yptI-sU59apiwsSC_8iMkmj9VmIo-Reu32Tdg", @insecure=true, @ca_file=nil, @ca_certs=nil, @debug=false, @log=#<Vmdb::Loggers::MulticastLogger:0x000000029579a8 @loggers=#<Set: {#<VMDBLogger:0x00000002957c50 @progname=nil, @level=1, @default_formatter=#<Logger::Formatter:0x00000002957bd8 @datetime_format=nil>, @formatter=#<VMDBLogger::Formatter:0x00000002957a98 @datetime_format=nil>, @logdev=#<Logger::LogDevice:0x00000002957b60 @shift_size=1048576, @shift_age=0, @filename=#<Pathname:/var/www/miq/vmdb/log/rhevm.log>, @dev=#<File:/var/www/miq/vmdb/log/rhevm.log>, @mon_owner=nil, @mon_count=0, @mon_mutex=#<Thread::Mutex:0x00000002957b38>>, @write_lock=#<Thread::Mutex:0x00000002957a70>, @local_levels={}, @thread_hash_level_key=:"ThreadSafeLogger#21675560@level">}>, @level=1, @thread_hash_level_key=:"ThreadSafeLogger#21675220@level">, @kerberos=false, @timeout=3600, @compress=true, @proxy_url=nil, @proxy_username=nil, @proxy_password=nil, @headers=nil, @connections=0, @pipeline=0, @ca_store=nil, @mutex=#<Thread::Mutex:0x0000000baaa158>, @client=#<OvirtSDK4::HttpClient:0x0000000baa9f28>, @system_service=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>>, @path="", @clusters_service=#<OvirtSDK4::ClustersService:0x00000003b10f50 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="clusters">, @storage_domains_service=#<OvirtSDK4::StorageDomainsService:0x00000003b15118 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="storagedomains">, @hosts_service=#<OvirtSDK4::HostsService:0x00000003b19b00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="hosts">, @vms_service=#<OvirtSDK4::VmsService:0x00000003b1e4e8 ...>, @templates_service=#<OvirtSDK4::TemplatesService:0x00000003b20d60 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="templates">, @networks_service=#<OvirtSDK4::NetworksService:0x00000003b2bd00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="networks">, @data_centers_service=#<OvirtSDK4::DataCentersService:0x00000003b28ee8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="datacenters">, @disks_service=#<OvirtSDK4::DisksService:0x00000003b31908 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="disks">>, @path="vms">, @path="985c787c-1cc5-4e7b-9cb4-390243021336", @disk_attachments_service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 ...>>, @path="diskattachments">, @request=#<OvirtSDK4::HttpRequest:0x0000000bf5f4c8>, @block=#<Proc:0x0000000bf5dc90@/opt/rh/rh-ruby23/root/usr/share/gems/gems/ovirt-engine-sdk-4.1.9/lib/ovirtsdk4/service.rb:149>>>, due to: Can't send request: SSL connect error
Comment 3 Juan Hernández 2017-11-15 17:00:51 UTC 
This problem could be solved avoiding the use of the `inspect` method when writing log messages. But as that seems to be a common practice, we will instead modify the SDK so that the `inspect` and `to_s` methods do not include sensible information like the user name and password in the string that they return.
Comment 5 Radim Hrazdil 2017-12-08 12:38:26 UTC 
Verified that in CFME 5.9.0.11 is version of sdk 4.1.13 [1], where this problem has been fixed.

[1] rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.13-1.el7cf.x86_64