Bug 1571161

Summary: The word 'engine' is filtered from engine setup log
Product: [oVirt] ovirt-engine
Component: Setup.Engine
Reporter: Mor <mkalfon>
Assignee: Sandro Bonazzola <sbonazzo>
QA Contact: meital avital <mavital>
CC: bugs, mkalfon, sbonazzo
Status: CLOSED NOTABUG
Severity: low
Priority: unspecified
Version: 4.2.2.3
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-04-24 11:40:48 UTC
Type: Bug
oVirt Team: Virt
Attachments: ovirt engine setup log (flags: none)

Description Mor 2018-04-24 08:37:09 UTC
Created attachment 1425867
ovirt engine setup log

Description of problem:
Engine setup replaces certain values in the ovirt-engine-setup log with the '**FILTERED**' string so that sensitive information, such as passwords or usernames, won't appear in clear text. This is very important for security. However, it also filters the word 'engine' from the log, a common word that is used quite often in log lines that are not credential-related.

A few examples from the log:
2018-04-23 13:44:57,999+0000 DEBUG otopi.context context._executeMethod:128 Stage init METHOD otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**.db.pgpass.Plugin._init

2018-04-23 13:46:35,594+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_DB/**FILTERED**VacuumFull=bool:'False'

2018-04-23 13:46:32,653+0000 DEBUG otopi.plugins.otopi.services.systemd plugin.executeRaw:813 execute: ('/usr/bin/systemctl', 'enable', u'ovirt-**FILTERED**-dwhd.service'), executable='None', cwd='None', env=None

2018-04-23 13:46:29,406+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:813 execute: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), executable='None', cwd='None', env=None
2018-04-23 13:46:29,522+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:863 execute-result: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), rc=0
2018-04-23 13:46:29,524+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.execute:921 execute-output: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc') stdout:
ovirt-**FILTERED**-webadmin-portal-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dwh-4.2.2.2-1.el7ev.noarch
ovirt-**FILTERED**-tools-backup-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-restapi-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dbscripts-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dashboard-1.2.3-1.el7ev.noarch
ovirt-**FILTERED**-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-backend-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-tools-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-extension-aaa-jdbc-1.1.7-1.el7ev.noarch

2018-04-23 13:46:35,574+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**DbBackupDir=str:'/var/lib/ovirt-**FILTERED**/backups'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMax=str:'4g'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMin=str:'4g'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**ServiceStopNeeded=bool:'True'

'engine' is also a username in the database; for that reason we probably added it to the filtered words list.

My suggestion is to apply a specific filter only on username-related lines in the log, or change the default engine DB username to be an uncommon word (if possible), or even remove the word from the filter list.

Version-Release number of selected component (if applicable):
RHV 4.2.3.2-0.1.el7

How reproducible:
100%

Steps to Reproduce:
1. Run engine-setup.

Actual results:
Engine-setup filters the word 'engine' from engine-setup log.

Expected results:
Described above.

Additional info:

Comment 1 Sandro Bonazzola 2018-04-24 11:32:04 UTC
Are you sure you didn't set engine as password?
I can't reproduce this. See http://jenkins.ovirt.org/view/oVirt%20system%20tests/job/ovirt-system-tests_he-basic-ansible-suite-4.2/131/artifact/exported-artifacts/test_logs/he-basic-ansible-suite-4.2/post-004_basic_sanity.py/lago-he-basic-ansible-suite-4-2-engine/_var_log/ovirt-engine/setup/ovirt-engine-setup-20180424033212-yigjyh.log/*view*/ as example log.

If you used engine as password, this is expected behavior. You shouldn't use such weak passwords.

Comment 2 Mor 2018-04-24 11:36:04 UTC
No, we didn't use 'engine' as password for admin.

Comment 3 Sandro Bonazzola 2018-04-24 11:40:48 UTC
ENV OVESETUP_PKI/storePassword=str:'**FILTERED**'

Looks like you set password to engine here.
Closing as not a bug.

Comment 4 Mor 2018-04-24 11:48:57 UTC
For what user did we set the password as 'engine'? I'm logging in to the UI using admin with a password different than 'engine'.

Comment 5 Sandro Bonazzola 2018-04-24 12:03:27 UTC
(In reply to Mor from comment #4)
> For what user did we set the password as 'engine'? I'm logging in into UI
> using admin with password different than 'engine'.

It's the password for the Certificate Authority / PKCS12 / PKI.
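
The behavior discussed in this thread, as an added example that is not otopi's or ovirt-engine's code: a hypothetical value-based log redactor (`SecretValueFilter`) masks every occurrence of a registered secret, so a store password equal to a common word also masks unrelated identifiers. The helper `collision_lines` is an assumed audit check that flags lines where the mask sits inside a longer token; the sample lines and the strong password are constructed.

```python
import logging
import re

MASK = "**FILTERED**"

class SecretValueFilter(logging.Filter):
    """Hypothetical redactor: masks any occurrence of a registered secret value."""

    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret containing another one is masked whole.
        self._secrets = sorted((s for s in secrets if s), key=len, reverse=True)

    def redact(self, text):
        for secret in self._secrets:
            text = text.replace(secret, MASK)
        return text

    def filter(self, record):
        # Redact the fully formatted message so secrets passed as args are covered.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True

# A mask glued to identifier characters means a secret value collides with
# ordinary text, i.e. the secret is a common word or substring.
_EMBEDDED = re.compile(r"[\w.-]" + re.escape(MASK) + "|" + re.escape(MASK) + r"[\w.-]")

def collision_lines(log_text):
    """Return redacted lines in which the mask is embedded in a longer token."""
    return [ln for ln in log_text.splitlines() if _EMBEDDED.search(ln)]

def demo(store_password):
    """Redact constructed lines modeled on the log excerpts in this report."""
    lines = [
        "ENV OVESETUP_PKI/storePassword=str:'%s'" % store_password,
        "execute: ('/usr/bin/systemctl', 'enable', u'ovirt-engine-dwhd.service')",
        "ENV OVESETUP_DB/engineVacuumFull=bool:'False'",
    ]
    redactor = SecretValueFilter([store_password])
    redacted = [redactor.redact(ln) for ln in lines]
    return redacted, collision_lines("\n".join(redacted))

if __name__ == "__main__":
    for password in ("engine", "q7#Lw2!vTz"):  # second value is a constructed strong secret
        redacted, hits = demo(password)
        print(len(hits), "collision line(s)")
        print("\n".join(redacted))
```

A non-zero collision count in a setup log is a signal to rotate the affected secret to a value that does not occur in ordinary log text.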