Bug 1540261

Summary: metrics host deployment playbooks logs private key
Product: [oVirt] ovirt-engine-metrics
Reporter: Lukas Svaty <lsvaty>
Component: Generic
Assignee: Shirly Radco <sradco>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukas Svaty <lsvaty>
Severity: high
Priority: unspecified
Version: unspecified
CC: bugs, didi, lsvaty
Target Milestone: ovirt-4.2.2
Flags: rule-engine: ovirt-4.2+
Target Release: ---
Hardware: All
OS: All
Fixed In Version: ovirt-engine-metrics-1.1.3-1.el7ev
Doc Type: Bug Fix
Doc Text:
Cause: The private key was readable in the metrics host deployment playbook logs. Consequence: Security issue. Fix: Added an Ansible parameter that does not write the key to the log. Result: The private key is no longer saved to the log.
Story Points: ---
Last Closed: 2018-03-29 11:01:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Metrics
Cloudforms Team: ---
Bug Depends On: 1540260
Bug Blocks: 1475135

Description Lukas Svaty 2018-01-30 16:09:57 UTC
Description of problem:
PRIVATE KEY should not be logged inside ansible playbooks logs.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy host
2. Check log ovirt-host-deploy-ansible-20180130145841-10.37.137.31-c8783a6a-b17a-4945-8ace-ea69bf0b5564.log | grep -i "private key"
        "fluentd_elasticsearch_client_key": "-----BEGIN PRIVATE KEY-----\n
...omitted output...
-----END PRIVATE KEY-----"


Actual results:
private key visible in logs

Expected results:
no secret info in logs

Comment 1 Lukas Svaty 2018-01-30 16:10:17 UTC
ovirt-engine-metrics-1.1.2.2-1.el7ev.noarch

Comment 2 Shirly Radco 2018-01-31 13:17:15 UTC
Didi, Can you please take a look?

Comment 3 Yedidyah Bar David 2018-01-31 14:39:57 UTC
You can add 'no_log' to tasks that handle such stuff. In the current case, something like:

- name: Read fluentd elasticsearch client key
  set_fact:
    fluentd_elasticsearch_client_key: "{{ lookup('file', local_fluentd_elasticsearch_client_key_path) }}"
  no_log: true
  when:
    - fluentd_output_plugin == fluentd_output_plugin_elasticsearch
    - local_fluentd_elasticsearch_client_key_path_exists.stat.exists

But please verify, because this option is module-specific.

Also, it's about time we protect log directories. Now filed bug 1540622 and bug 1540627. But we should also solve the current one - users might share logs for debugging, etc.

Comment 5 Lukas Svaty 2018-03-20 11:29:05 UTC
# grep KEY /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log

OK

[root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
        "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n
...omitted output ...
-----END CERTIFICATE-----"
        "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n
... omitted output ...
\n-----END CERTIFICATE-----"

FailedQA

Comment 6 Red Hat Bugzilla Rules Engine 2018-03-20 11:29:10 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 7 Yedidyah Bar David 2018-03-20 13:04:31 UTC
(In reply to Lukas Svaty from comment #5)
> # grep KEY
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
> 
> OK

Good

> 
> [root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
>         "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n
> ...omitted output ...
> -----END CERTIFICATE-----"
>         "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n
> ... omitted output ...
> \n-----END CERTIFICATE-----"
> 
> FailedQA

Why?

This bug is about private keys, not about certificates. Any reason to hide latter?

Comment 8 Lukas Svaty 2018-03-20 13:14:27 UTC
I would prefer if the log would be cleansed of private information that people won't share in Bugzilla in their bug reports, in one bug, so we won't have in docs in 2 releases that we are removing confidential data in logs. However, if you believe it would be easier for your side to have a 2nd bug, I don't mind creating it.

Regarding the CERTIFICATE, I believe it shouldn't be a security issue as it's only the certificate of the elasticsearch, but I would still rather have no certificates in logs than just the 'safe' ones.

Comment 9 Lukas Svaty 2018-03-20 13:27:58 UTC
After discussion with DEV, moving to VERIFIED based on the PRIVATE KEY part, which is not shown in logs.

Leaving the CERTIFICATES available in logs should not be any security risk without the mentioned PRIVATE KEYS.
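A check in the spirit of the grep in comment 5, added here as an example and not code from this bug or from ovirt-engine-metrics: it classifies every PEM block in a host-deploy log so that a leaked private key is flagged as a finding while certificates (left in the log per comment 9) are only listed, and it builds a redacted copy of the log. The sample log text is constructed to mirror the set_fact output quoted above; the key and certificate bodies are placeholders.

```python
"""Check an ovirt-host-deploy Ansible log for leaked PEM material.

Constructed example: every PEM block in the log is classified, a private
key (the subject of this bug) is reported as a finding, a certificate is
only listed, and a redacted copy safe to attach to a bug report is built.
"""
import re

# Any PEM block; the label says which kind. Values logged by Ansible are
# JSON-escaped, so line breaks inside the block appear as a literal "\n".
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+?)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
SECRET_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                 "ENCRYPTED PRIVATE KEY"}


def find_pem_blocks(log_text):
    """Return (label, line_number, is_secret) for each PEM block found."""
    found = []
    for m in PEM_RE.finditer(log_text):
        line_no = log_text.count("\n", 0, m.start()) + 1
        found.append((m.group("label"), line_no, m.group("label") in SECRET_LABELS))
    return found


def redact_private_keys(log_text):
    """Blank the body of every private-key block; certificates are kept."""
    def _sub(m):
        label = m.group("label")
        if label in SECRET_LABELS:
            return "-----BEGIN %s-----<REDACTED>-----END %s-----" % (label, label)
        return m.group(0)
    return PEM_RE.sub(_sub, log_text)


# Constructed sample shaped like the set_fact output quoted in this bug;
# the key and certificate bodies are placeholders, not real material.
SAMPLE_LOG = (
    'ok: [1.2.3.31] => {\n'
    '    "ansible_facts": {\n'
    '        "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\\nMIIBCA..ca..\\n-----END CERTIFICATE-----",\n'
    '        "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\\nMIIBCL..cert..\\n-----END CERTIFICATE-----",\n'
    '        "fluentd_elasticsearch_client_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQ..key..\\n-----END PRIVATE KEY-----"\n'
    '    }\n'
    '}\n'
)

if __name__ == "__main__":
    for label, line_no, secret in find_pem_blocks(SAMPLE_LOG):
        print("%s line %d: %s" % ("LEAK" if secret else "info", line_no, label))
    print(redact_private_keys(SAMPLE_LOG))
```

Run it against a real /var/log/ovirt-engine/host-deploy/*.log to confirm that only certificate blocks remain after the fix, and share the redacted copy rather than the raw log.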

Comment 10 Sandro Bonazzola 2018-03-29 11:01:20 UTC
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.