Bug 1540261
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | metrics host deployment playbooks logs private key | | |
| Product: | [oVirt] ovirt-engine-metrics | Reporter: | Lukas Svaty <lsvaty> |
| Component: | Generic | Assignee: | Shirly Radco <sradco> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Lukas Svaty <lsvaty> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | bugs, didi, lsvaty |
| Target Milestone: | ovirt-4.2.2 | Flags: | rule-engine: ovirt-4.2+ |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-metrics-1.1.3-1.el7ev | Doc Type: | Bug Fix |
| Doc Text: | Cause: The private key was readable in the metrics host deployment playbooks logs. Consequence: Security issue. Fix: Added ansible parameter that does not write the key in the log. Result: Now the private key is not saved to the log. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-03-29 11:01:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Metrics | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1540260 | | |
| Bug Blocks: | 1475135 | | |
Description
Lukas Svaty
2018-01-30 16:09:57 UTC
ovirt-engine-metrics-1.1.2.2-1.el7ev.noarch

Didi, can you please take a look?

You can add 'no_log' to tasks that handle such stuff. In the current case, something like:

```yaml
- name: Read fluentd elasticsearch client key
  set_fact:
    fluentd_elasticsearch_client_key: "{{ lookup('file', local_fluentd_elasticsearch_client_key_path) }}"
  no_log: true
  when:
    - fluentd_output_plugin == fluentd_output_plugin_elasticsearch
    - local_fluentd_elasticsearch_client_key_path_exists.stat.exists
```

But please verify, because this option is module-specific.

Also, it's about time we protect log directories. Now filed bug 1540622 and bug 1540627. But we should also solve the current one - users might share logs for debugging, etc.

BTW, I could not find a reproduction of this bug in jenkins' routine jobs, including OST basic suite, e.g. [1][2]. You might want to patch OST accordingly.

[1] http://jenkins.ovirt.org/job/ovirt-master_change-queue-tester/
[2] http://jenkins.ovirt.org/job/ovirt-master_change-queue-tester/5172/artifact/exported-artifacts/basic-suit-master-el7/test_logs/basic-suite-master/post-099_aaa-ldap.py/lago-basic-suite-master-engine/_var_log/ovirt-engine/ansible/standalone-20180131063210-ovirt-metrics-deployment.log

```
# grep KEY /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
```

OK

```
[root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
"fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n ...omitted output ... -----END CERTIFICATE-----"
"fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n ... omitted output ... \n-----END CERTIFICATE-----"
```

FailedQA

Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

(In reply to Lukas Svaty from comment #5)
> # grep KEY
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
>
> OK

Good

> [root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
> "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n
> ...omitted output ...
> -----END CERTIFICATE-----"
> "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n
> ... omitted output ...
> \n-----END CERTIFICATE-----"
>
> FailedQA

Why? This bug is about private keys, not about certificates. Any reason to hide the latter?

I would prefer if the log would be cleansed of private information that people won't share in Bugzilla in their bug reports, in one bug, so we won't have in docs in 2 releases that we are removing confidential data in logs. However, if you believe it would be easier for your side to have a 2nd bug, I don't mind creating it.

Regarding the CERTIFICATE, I believe it shouldn't be a security issue as it's only the certificate of the elasticsearch, but I would still rather have no certificates in logs than just the 'safe' ones.

After discussion with DEV, moving to VERIFIED based on the PRIVATE KEY part, which is not shown in logs. Leaving the CERTIFICATES available in logs should not be any security risk without the mentioned PRIVATE KEYS.

This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
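The QA check above was a `grep KEY` over the host-deploy Ansible log, and the thread settled on treating private keys (not certificates) as the secret that must never reach the log. The following is an added example, not code from this bug or from the ovirt-engine-metrics project: a small Python scanner that finds PEM private-key blocks in an Ansible log and produces a redacted copy that is safe to attach to a bug report. It assumes the log format seen in comment #5, where task results are written as JSON and a multi-line PEM value therefore appears on one line with literal `\n` escapes; the pattern also tolerates real newlines. The sample log lines below are constructed, as are the hostname and the key/certificate bodies.

```python
import re
import sys

# PEM private-key block. Ansible writes task results as JSON, so a key that
# leaked into a log usually sits on ONE line with literal "\n" escapes rather
# than real newlines; DOTALL plus a lazy ".*?" handles both forms. The END
# label must match the BEGIN label (RSA / EC / ENCRYPTED / plain PRIVATE KEY).
_PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:[A-Z]+ )?PRIVATE KEY)-----.*?-----END (?P=kind)-----",
    re.DOTALL,
)

# Certificates are matched separately so a report can count them without
# treating them as secrets (the thread above decided keys, not certs, matter).
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

REDACTED = "[REDACTED PRIVATE KEY]"

# Constructed sample log (NOT real output): three JSON-style task results in
# the shape shown in comment #5, plus a key dumped with real newlines.
SAMPLE_LOG = "\n".join([
    '2018-03-20 12:12:49 INFO ok: [metrics-host] => {"ansible_facts": '
    '{"fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\\nMIIC...constructed...\\n-----END CERTIFICATE-----"}}',
    '2018-03-20 12:12:50 INFO ok: [metrics-host] => {"ansible_facts": '
    '{"fluentd_elasticsearch_client_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEp...constructed...\\n-----END RSA PRIVATE KEY-----"}}',
    '2018-03-20 12:12:51 INFO ok: [metrics-host] => {"ansible_facts": '
    '{"fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\\nMIIC...constructed...\\n-----END CERTIFICATE-----"}}',
    "-----BEGIN PRIVATE KEY-----",
    "MIIEvQ...constructed...",
    "-----END PRIVATE KEY-----",
])


def find_private_keys(log_text):
    """Return [(line_number, key_kind), ...] for every PEM private key found.

    Line numbers are 1-based and refer to the line holding the BEGIN header.
    """
    hits = []
    for m in _PEM_KEY_RE.finditer(log_text):
        line_no = log_text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("kind")))
    return hits


def count_certificates(log_text):
    """Number of PEM certificate blocks; informational only, not a finding."""
    return len(_PEM_CERT_RE.findall(log_text))


def redact_private_keys(log_text):
    """Replace every PEM private key block with a fixed marker.

    Certificates and everything else are left untouched, so the redacted log
    still shows which variables were set and in what order.
    """
    return _PEM_KEY_RE.sub(REDACTED, log_text)


def sanitize_log_file(src_path, dst_path):
    """Write a redacted copy of src_path to dst_path; return the findings list."""
    with open(src_path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = find_private_keys(text)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(redact_private_keys(text))
    return findings


if __name__ == "__main__":
    # Usage: python scan_ansible_log.py [logfile ...]; with no argument the
    # constructed sample is scanned so the script runs offline.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for line_no, kind in sanitize_log_file(path, path + ".redacted"):
                print(f"{path}:{line_no}: leaked {kind}")
    else:
        for line_no, kind in find_private_keys(SAMPLE_LOG):
            print(f"sample:{line_no}: leaked {kind}")
        print(f"certificates (not secret): {count_certificates(SAMPLE_LOG)}")
```

Run it against a host-deploy log before sharing the log: an empty findings list is the same signal the `grep KEY` check in comment #5 was looking for, and the `.redacted` copy is the one to attach. The scanner is a detective control for logs that already exist; the preventive fix remains `no_log: true` on the task that reads the key, as the thread describes.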