Bug 1752033
Summary: | Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
---|---
Product: | Red Hat CloudForms Management Engine
Reporter: | Mihir Lele <mlele>
Component: | Appliance
Assignee: | Nick LaMuro <nlamuro>
Status: | CLOSED NOTABUG
QA Contact: | Devidas Gaikwad <dgaikwad>
Severity: | high
Docs Contact: | Red Hat CloudForms Documentation <cloudforms-docs>
Priority: | high
Version: | 5.10.6
CC: | abellott, dmetzger, gekis, lufu, nansari, nlamuro, obarenbo, sbulage
Target Milestone: | GA
Keywords: | TestOnly, ZStream
Target Release: | 5.12.0
Hardware: | x86_64
OS: | Linux
Whiteboard: |
Fixed In Version: |
Doc Type: | If docs needed, set a value
Doc Text: |
Story Points: | ---
Clone Of: |
: | 1758665 1767789
Environment: |
Last Closed: | 2020-06-10 12:38:29 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | Bug
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | CFME Core
Target Upstream Version: |
Embargoed: |
Bug Depends On: |
Bug Blocks: | 1758665, 1767789
Attachments: |

Description
Mihir Lele
2019-09-13 13:44:46 UTC
Created attachment 1614952
vault password

Vault password should be set as a vault credential when designing the catalog item. extra_vars are not the place to put sensitive data. This seems like a customer usage error.

New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/31f251cae49b8d8c7467adc41a3aa3f22fcd0089

commit 31f251cae49b8d8c7467adc41a3aa3f22fcd0089
Author: Lucy Fu <lufu>
AuthorDate: Mon Sep 16 11:40:55 2019 -0400
Commit: Lucy Fu <lufu>
CommitDate: Mon Sep 16 11:40:55 2019 -0400

    Remove unnecessary log message.

    https://bugzilla.redhat.com/show_bug.cgi?id=1752033

 app/models/miq_event.rb | 1 -
 1 file changed, 1 deletion(-)

Currently, we have a few PRs up as possible ways to avoid logging this data in the `MiqQueue.put` and `MiqQueue#deliver` methods:

- https://github.com/ManageIQ/manageiq/pull/19308
- https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/193

It is a "one or the other" situation currently, so we are determining which is the safest option. The latter PR is preferred, but that is only if we aren't using that data anywhere else or determine we shouldn't ever expose that data.

New commit detected on ManageIQ/manageiq-automation_engine/master:
https://github.com/ManageIQ/manageiq-automation_engine/commit/4fa2b61f13eab3019a0b9e6c25e9becc592d77c1

commit 4fa2b61f13eab3019a0b9e6c25e9becc592d77c1
Author: Lucy Fu <lufu>
AuthorDate: Mon Sep 16 17:23:02 2019 -0400
Commit: Lucy Fu <lufu>
CommitDate: Mon Sep 16 17:23:02 2019 -0400

    Clean up the password value in logs.

    https://bugzilla.redhat.com/show_bug.cgi?id=1752033

 lib/miq_automation_engine/engine/miq_ae_engine.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)

We ended up going with https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/193 and that has just been merged.

An additional fix was required since I flubbed the first one:

https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/195
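
An added example, not ManageIQ code and not the change made in the linked PRs: a sketch of masking secret-looking values in queue arguments before they are written to a log, which also shows why the thread steers sensitive values out of extra_vars. The function names, the key pattern, the log-line format and the sample data are all assumptions constructed for illustration.

```ruby
# Added illustration; hypothetical names throughout, not the project's code.
require "json"

# Key names treated as sensitive (assumed pattern; tune per deployment).
SENSITIVE_KEY = /pass(word|wd)?|secret|token|api_?key|private_?key/i
MASK = "********"

# Return a deep copy of +value+ with sensitive-looking keys masked.
# The original structure is never mutated, so the job still gets real values.
def redact(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      out[key] = key.to_s.match?(SENSITIVE_KEY) ? MASK : redact(val)
    end
  when Array
    value.map { |item| redact(item) }
  else
    value
  end
end

# Build a log line for a queued call from the redacted copy only.
# The line format is constructed for this example.
def queue_log_line(method_name, args)
  "queue put: method=#{method_name} args=#{JSON.generate(redact(args))}"
end

# Constructed sample: arguments of a job launch carrying extra_vars.
SAMPLE_ARGS = [{
  "extra_vars" => {
    "vault_password" => "s3cr3t-constructed",
    "db"             => { "user" => "app", "password" => "hunter2-constructed" },
    # A secret under a neutral key name: key-based masking cannot see it.
    "site_code"      => "also-a-secret-constructed"
  }
}].freeze

puts queue_log_line("launch", SAMPLE_ARGS) if __FILE__ == $PROGRAM_NAME
```

The `site_code` value still reaches the log, because name-based masking only covers keys that look like secrets; a value stored as a vault credential never enters the logged arguments in the first place.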