Bug 536105 (RHQ-491)

Summary: group definitions can be used to show password fields from plugin/resource config
Product: [Other] RHQ Project
Reporter: Charles Crouch <ccrouch>
Component: Resource Grouping
Assignee: Joseph Marques <jmarques>
Status: CLOSED NEXTRELEASE
QA Contact: Jeff Weiss <jweiss>
Severity: medium
Priority: medium
Version: 1.0
CC: dajohnso, hbrock, mschoene
Target Milestone: ---
Target Release: ---
Keywords: SubBug
Hardware: All
OS: All
URL: http://jira.rhq-project.org/browse/RHQ-491
Fixed In Version: 1.2
Doc Type: Bug Fix
Bug Blocks: 536002

Description Charles Crouch 2008-05-15 21:17:00 UTC
I created a group definition:

resource.type.plugin = JBossAS
resource.type.category = Server
groupby resource.pluginConfiguration[credentials]

and it created a group called:
DynaGroup - groupname ( admin )

where admin is the JMX password used to connect to the JBAS instances. I don't think this credential information is retrievable in plain text from anywhere else in the UI.

Comment 1 Joseph Marques 2008-05-15 23:14:17 UTC
Well, I think you can get it as the admin user from any of the various pages available in the /admin/* web context if you're logged in as an admin.

There are two options here:

1) Make group definition creation / dynagroup manipulation only available to inventory managers, which would, granted, still allow them to do stupid things... though I question what the value of creating this type of group definition would be ; )
2) Make this illegal by preventing expressions that contain properties whose type is password.

I'm guessing people are going to vote for option 2, but if so, are we going to somehow lock down the /admin/* pages in the same manner?

Comment 2 Charles Crouch 2008-05-16 15:06:34 UTC
I think /admin is sufficiently locked down, only "JON admin" users have access which should exclude the vast majority of users. We should investigate encrypting password properties in the DB.

Comment 3 Joseph Marques 2008-12-09 17:56:01 UTC
rev2260 - suppress private property results in dynagroup calculations;
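
The leak in the description and the suppression fix noted in this comment, as an added example (not RHQ's own code): a reduced dynagroup evaluator run over a constructed inventory. Only the three-line definition and the "DynaGroup - groupname ( admin )" name come from the report; the Resource/Property shapes, the `is_password` marker, the expression grammar handled by `parse_definition`, the `suppress_private` flag and the resource names and passwords in the inventory are assumptions. With `suppress_private=False` the evaluator reproduces the reported behaviour (the JMX password becomes part of the group name); with the default it creates no group for a password-typed key, which is the outcome Comment 4 verifies.

```python
# Added example, not RHQ code: a reduced model of dynagroup evaluation.
# Resource/Property shapes, the expression grammar, the suppress_private
# flag and the "DynaGroup - <name> ( <values> )" format are assumptions
# modelled on the report above, not RHQ's implementation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Property:
    value: str
    is_password: bool = False  # credential properties are password-typed


@dataclass
class Resource:
    name: str
    plugin: str
    category: str
    plugin_config: Dict[str, Property] = field(default_factory=dict)


def parse_definition(text: str):
    """Split a definition into (path, literal) filters and groupby paths."""
    filters, groupby = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("groupby "):
            groupby.append(line[len("groupby "):].strip())
        elif " = " in line:
            lhs, rhs = line.split(" = ", 1)
            filters.append((lhs.strip(), rhs.strip()))
        else:
            raise ValueError(f"unsupported expression: {line!r}")
    return filters, groupby


def lookup(resource: Resource, path: str) -> Optional[Property]:
    """Resolve an expression path; None when the property is absent."""
    if path == "resource.type.plugin":
        return Property(resource.plugin)
    if path == "resource.type.category":
        return Property(resource.category)
    prefix = "resource.pluginConfiguration["
    if path.startswith(prefix) and path.endswith("]"):
        return resource.plugin_config.get(path[len(prefix):-1])
    raise ValueError(f"unknown path: {path!r}")


def evaluate(definition_name: str, text: str, inventory: List[Resource],
             suppress_private: bool = True) -> Dict[str, List[str]]:
    """Return group name -> member names. suppress_private=False reproduces
    the pre-fix behaviour: the groupby value lands in the group name even
    when it is a password. With suppress_private=True no group is created
    for a password-typed key (the outcome Comment 4 verifies)."""
    filters, groupby = parse_definition(text)
    groups: Dict[str, List[str]] = {}
    for res in inventory:
        if any((p := lookup(res, lhs)) is None or p.value != rhs
               for lhs, rhs in filters):
            continue  # resource fails an equality filter
        key_props = [lookup(res, path) for path in groupby]
        if any(kp is None for kp in key_props):
            continue  # resource lacks the groupby property
        if suppress_private and any(kp.is_password for kp in key_props):
            continue  # never expose a credential through a group name
        key = ", ".join(kp.value for kp in key_props)
        name = f"DynaGroup - {definition_name} ( {key} )"
        groups.setdefault(name, []).append(res.name)
    return groups


# The definition from the report, verbatim.
DEFINITION = """
resource.type.plugin = JBossAS
resource.type.category = Server
groupby resource.pluginConfiguration[credentials]
"""

# Constructed inventory; resource names and passwords are made up.
INVENTORY = [
    Resource("jbas-1", "JBossAS", "Server",
             {"credentials": Property("admin", is_password=True)}),
    Resource("jbas-2", "JBossAS", "Server",
             {"credentials": Property("admin", is_password=True)}),
    Resource("jbas-3", "JBossAS", "Server",
             {"credentials": Property("s3cret", is_password=True)}),
    Resource("tomcat-1", "Tomcat", "Server",
             {"credentials": Property("admin", is_password=True)}),
]

if __name__ == "__main__":
    print(evaluate("groupname", DEFINITION, INVENTORY, suppress_private=False))
    print(evaluate("groupname", DEFINITION, INVENTORY))
```

Suppressing at evaluation time rather than rejecting the definition at creation time matches the verification note below (the definition is accepted, but no groups appear); a definition that groups by a non-password property, such as `resource.type.plugin`, still produces groups as before.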

Comment 4 Jeff Weiss 2009-01-13 13:26:43 UTC
Verified that no groups are created when using the described definition. rev2561, windows/oracle

Comment 5 Red Hat Bugzilla 2009-11-10 21:10:25 UTC
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-491
Comment 6 Marc Schoenefeld 2010-12-27 14:05:45 UTC
*** Bug 476080 has been marked as a duplicate of this bug. ***