Bug 1571117

Summary: HE-VM appliance and admin password saved in the setup log file as clear text executing from cockpit
Product: [oVirt] cockpit-ovirt
Reporter: Yihui Zhao <yzhao>
Component: Hosted Engine
Assignee: Phillip Bailey <phbailey>
Status: CLOSED CURRENTRELEASE
QA Contact: Yihui Zhao <yzhao>
Severity: high
Docs Contact:
Priority: urgent
Version: 0.11.20
CC: bugs, cshao, dmoppert, huzhao, jiaczhan, phbailey, qiyuan, sbonazzo, stirabos, weiwang, yaniwang, ycui, yturgema, yzhao
Target Milestone: ovirt-4.2.3
Keywords: Security
Target Release: ---
Flags: rule-engine: ovirt-4.2+, rule-engine: blocker+, cshao: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: cockpit-ovirt-0.11.24-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-10 06:29:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: bootstrap_local_vm_log (flags: none)

Description Yihui Zhao 2018-04-24 06:56:02 UTC
Description of problem:
The HE-VM appliance and admin passwords are saved in the setup log file as clear text.
"""

2018-04-23 17:24:51,796+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.105', u'TIME_ZONE': u'Asia/Harbin', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.redhat.com', u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.redhat.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.0', 'string': '2.5.0', 'minor': 5, 'revision': 0}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'redhat', u'CONSOLE_UUID': None, u'VM_UUID': u'ed4d039c-eeb1-49be-a083-c59ab319a6ab', u'CPU_TYPE': u'model_Broadwell', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__a539486862c26f25f6ed53b2debbe3033bbb6240', 'ansible_diff_mode': False, u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'password'}}"

"""

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.2.2.1-0.20180420.0
cockpit-160-3.el7.x86_64
cockpit-bridge-160-3.el7.x86_64
cockpit-ws-160-3.el7.x86_64
cockpit-storaged-160-3.el7.noarch
cockpit-ovirt-dashboard-0.11.22-1.el7ev.noarch
cockpit-dashboard-160-3.el7.x86_64
cockpit-system-160-3.el7.noarch
ovirt-hosted-engine-setup-2.2.18-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7ev.noarch
rhvm-appliance-4.2-20180420.0.el7.noarch


How reproducible:
100%


Steps to Reproduce:
1. Clean install redhat-virtualization-host-4.2.2.1-0.20180420.0 with ks
2. Deploy HE via cockpit
3. Check the setup log file

Actual results:
After step 3, the HE-VM appliance and admin passwords are saved in the setup log file as clear text.

Expected results:
After step 3, the HE-VM appliance and admin passwords are not saved in the setup log file as clear text.


Additional info:

Comment 1 Ido Rosenzwig 2018-04-24 08:18:51 UTC
please attach the full log

Comment 2 Yihui Zhao 2018-04-24 08:32:46 UTC
Created attachment 1425866
bootstrap_local_vm_log

Comment 3 Yihui Zhao 2018-04-24 08:34:24 UTC
(In reply to Ido Rosenzwig from comment #1)
> please attach the full log

https://bugzilla.redhat.com/attachment.cgi?id=1425866

Comment 4 Yaniv Kaul 2018-04-25 07:16:59 UTC
How is this not a blocker?

Comment 5 Yihui Zhao 2018-04-25 09:21:54 UTC
(In reply to Yaniv Kaul from comment #4)
> How is this not a blocker?

I think it doesn't affect the use.

Comment 8 Simone Tiraboschi 2018-04-26 07:37:25 UTC
It's cockpit wizard specific now, 
we have to do something like this:
https://github.com/oVirt/ovirt-hosted-engine-setup/blob/master/src/ovirt_hosted_engine_setup/ansible_utils.py#L42

also on cockpit side.

Currently we cannot do much better just on playbook side as for https://bugzilla.redhat.com/show_bug.cgi?id=1540225

Comment 9 Yihui Zhao 2018-05-07 02:08:09 UTC
Tested with cockpit-ovirt-0.11.24-1 on RHEL-7.5-20180322; it works as expected.


From the log:

"""
2018-05-04 11:51:35,234+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.19', u'TIME_ZONE': u'Asia/Shanghai', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.**FILTERED**.com', u'he_filtered_tokens_re': [u'BEGIN PRIVATE KEY**FILTERED**END PRIVATE KEY'], u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.**FILTERED**.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.2', 'string': '2.5.2', 'minor': 5, 'revision': 2}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'he_filtered_tokens_vars': [u'ADMIN_PASSWORD', u'APPLIANCE_PASSWORD', u'ISCSI_PASSWORD', u'ISCSI_DISCOVER_PASSWORD', u'ROOTPWD'], u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'**FILTERED**', u'CONSOLE_UUID': None, u'VM_UUID': u'62b13066-0b11-422f-aba2-dfb5b87108b4', u'CPU_TYPE': u'model_Opteron_G5', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'ENABLE_HC_GLUSTER_SERVICE': False, u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__95fcc81a0c914dd9d69b4d1b6fc3d7ff2f7983ca', 'ansible_diff_mode': False, 
u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'**FILTERED**'}}"
"""

The appliance and admin passwords are set as "**FILTERED**".

So, moving to verified.
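
The kind of filtering discussed in comment 8 and visible in the verified log of comment 9, as an added example that is not part of the original thread and not the cockpit-ovirt or ovirt-hosted-engine-setup code: secret values are collected from the variables named in `he_filtered_tokens_vars` and every occurrence of those values is replaced, a side effect consistent with the `lab.eng.pek2.**FILTERED**.com` host names above. The function names, the private-key pattern and the sample input are assumptions made for this illustration.

```python
import re

FILTERED = "**FILTERED**"
# Names as listed in he_filtered_tokens_vars in the verified log above.
SECRET_VARS = ("ADMIN_PASSWORD", "APPLIANCE_PASSWORD", "ISCSI_PASSWORD",
               "ISCSI_DISCOVER_PASSWORD", "ROOTPWD")
# Assumed pattern (not the project's): keep the PEM markers, drop the key body.
SECRET_RES = (re.compile(r"(BEGIN PRIVATE KEY)(.*?)(END PRIVATE KEY)", re.S),)
# Matches the u'NAME': u'value' pairs of the Python 2 repr seen in the log.
PAIR = re.compile(r"u?'(\w+)': u?'([^']*)'")


def build_scrubber(variables):
    """Return a function that redacts the secret *values* from any log line."""
    # Skip None and empty values: an empty token would match everywhere.
    tokens = {str(variables[n]) for n in SECRET_VARS if variables.get(n)}
    # Longest first, one pass: a secret containing another is replaced whole,
    # and the FILTERED marker itself is never re-scanned.
    ordered = sorted(tokens, key=len, reverse=True)
    by_value = re.compile("|".join(map(re.escape, ordered))) if ordered else None

    def scrub(line):
        for pattern in SECRET_RES:
            line = pattern.sub(lambda m: m.group(1) + FILTERED + m.group(3), line)
        return by_value.sub(FILTERED, line) if by_value else line

    return scrub


def leaking_vars(line):
    """Audit helper: secret variables still logged with a clear-text value."""
    return sorted({k for k, v in PAIR.findall(line)
                   if k in SECRET_VARS and v != FILTERED})


# Constructed sample input, modelled on the log excerpts in this report.
SAMPLE_VARS = {"APPLIANCE_PASSWORD": "redhat", "ADMIN_PASSWORD": "password",
               "ISCSI_PASSWORD": None}
SAMPLE_LINE = ("DEBUG var changed: value: \"{u'CLOUD_INIT_DOMAIN_NAME': "
               "u'lab.eng.pek2.redhat.com', u'APPLIANCE_PASSWORD': u'redhat', "
               "u'ADMIN_PASSWORD': u'password'}\"")

if __name__ == "__main__":
    scrub = build_scrubber(SAMPLE_VARS)
    print(leaking_vars(SAMPLE_LINE))          # before scrubbing
    print(scrub(SAMPLE_LINE))
    print(leaking_vars(scrub(SAMPLE_LINE)))   # after scrubbing
```

`leaking_vars` can also be run over setup logs written before the fixed version to find files that still hold clear-text passwords and need to be removed or have their credentials rotated.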

Comment 10 Sandro Bonazzola 2018-05-10 06:29:25 UTC
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.