Bug 1630535
| Summary: | admin password is added to yum repo config | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Stephen Wadeley <swadeley> |
| Component: | Repositories | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | Unspecified | CC: | bkearney, hakon.gislason, iballou, jalviso |
| Target Milestone: | Unspecified | Keywords: | EasyFix, PrioBumpGSS, PrioBumpPM, Triaged, UserExperience |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-01 14:57:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Stephen Wadeley
2018-09-18 21:09:17 UTC
Hello

One workaround to these problems of your admin password being added in the web UI where it is not wanted is to use Private Browsing mode.

Thank you

I would like to add a comment here, since I don't feel the urgency has been conveyed properly from my Red Hat support case. If you want to see the screenshots, they are in case #02262021.

Here is the original case, created Nov 27 2018:

====================================

What problem/issue/behavior are you having trouble with? What do you expect to see?

When discovering repositories with Satellite, the "upstreamUsername" and "upstreamPassword" fields are loaded but not visible (set to ng-hide). [screenshot-1.png]

Google Chrome auto-fills these fields if the user has saved login information for the Satellite web interface, even when hidden. [screenshot-3.png] [screenshot-4.png]

After selecting the repos to sync/mirror, the username and password are saved as the upstream credentials. [screenshot-5.png]

This results in the username and password for the user being sent to the 3rd party servers, which will probably in all cases be administrative credentials to Satellite and/or active directory credentials and usually plaintext HTTP, unless the user specifically specifies HTTPS for the repository.

I have tested and verified this in Satellite 6.3 and 6.4 using tcpdump and Wireshark. [screenshot-6.png]

The solution to this (at least for Google Chrome) would be adding the 'autocomplete="new-password"' attribute to the username & password fields.

See: https://bugs.chromium.org/p/chromium/issues/detail?id=468153
And: https://caniuse.com/#search=autocomplete

Where are you experiencing the behavior? What environment?

Red Hat Satellite 6.4 and 6.3 tested.

When does the behavior occur? Frequently? Repeatedly? At certain times?

Reliably every time a repo is discovered and created.

====================================

This auto-fill issue is also present on many other pages in Satellite. For example when editing Host Groups.

Steps to reproduce that:
1) use Google Chrome, latest version
2) save your username & password for satellite
3) create a new hostgroup (name: test, lifecycle env: any, content view: any, content source: any)
4) save hostgroup
5) chrome should now ask "Save password for xxxxx?"
6) edit the hostgroup again
7) chrome should now try to auto-fill "Compute profile, Puppet Master, Puppet CA, OpenSCAP Capsule" with your saved username

The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.

This is no longer a bug as of at least Satellite 6.10. Please reopen this BZ if there is still an issue with passwords being auto-filled where they shouldn't be.
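
An added example, not part of the original report or Satellite's own code: a small Node.js check that scans form markup for credential-like inputs lacking the `autocomplete="new-password"` attribute proposed in the case above, and notes which of them are hidden. The sample template, the `proxyPassword` field and the name-matching heuristic are assumptions constructed for illustration.

```javascript
// Constructed sample markup (not Satellite's real template): two hidden
// credential inputs as described in the report, plus one corrected field.
const SAMPLE_TEMPLATE = `
<form name="discoveryForm">
  <input type="text" name="url" ng-model="discovery.url">
  <input type="text" name="upstreamUsername" ng-model="discovery.upstreamUsername" ng-hide="true">
  <input type="password" name="upstreamPassword" ng-model="discovery.upstreamPassword" class="form-control ng-hide">
  <input type="password" name="proxyPassword" autocomplete="new-password">
</form>`;

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report inputs a password manager may treat as login fields and that do not
// opt out with autocomplete="new-password" (the attribute the report proposes).
function findAutofillRisks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    const label = `${a.name || ""} ${a["ng-model"] || ""}`;
    // Heuristic (assumption): password type, or a name that looks like a login field.
    const credentialLike =
      (a.type || "").toLowerCase() === "password" ||
      /user(name)?|pass(word)?|login/i.test(label);
    if (!credentialLike) continue;
    if ((a.autocomplete || "").toLowerCase() === "new-password") continue;
    // Only hiding on the input itself is detected; a hidden parent is not.
    const hidden = "ng-hide" in a || "ng-show" in a || "hidden" in a ||
      /\bng-hide\b/.test(a.class || "");
    findings.push({ name: a.name || "(unnamed)", hidden });
  }
  return findings;
}

console.log(findAutofillRisks(SAMPLE_TEMPLATE));
```

Hidden findings are the ones to fix first, since the user never sees what the browser filled in before the form is submitted.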