| Summary: | Remove credentials from /etc/imagefactory/ provider.json files | | |
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | james labocki <jlabocki> |
| Component: | imagefactory | Assignee: | Richard Su <rwsu> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Kočí <mkoci> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.0.0 | CC: | akarol, ansmith, brad, dajohnso, deltacloud-maint, dgao, hbrock, slinaber, ssachdev, whayutin |
| Target Milestone: | beta6 | Keywords: | Reopened, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | v2.5.0-16 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-05-15 20:22:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
My understanding is that these passwords are not used and that configure doesn't need to write them. Ian, can you confirm? If configure is writing them, poke Eck to have him fix that.

I am not in a position to double-confirm this via actual testing, but re-reading the code I am 99% sure that these username and password fields can be removed from the config files. The account username and password to be used when doing a push are passed in XML as part of the push API call. We don't need the data to be duplicated in /etc.

I don't see the rhevm.json and vsphere.json files in the directory /etc/imagefactory now. Does that fix the issue, or has the location changed?

```
[root@dell-per805-01 imagefactory]# ll
total 8
-rw-r--r--. 1 root root  751 Feb 27 04:21 imagefactory.conf
drwxr-xr-x. 2 root root 4096 Feb 27 04:19 jeos_images
rpm -qa|grep aeolus
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch
```

```
[root@qeblade30 ~]# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default":
  {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "password": "dog8code",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@qeblade30 ~]# rpm -qa | grep factory
imagefactory-jeosconf-ec2-rhel-1.0.0rc7-1.el6.noarch
imagefactory-1.0.0rc7-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc7-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
[root@qeblade30 ~]# rpm -qa | grep conductor
aeolus-conductor-doc-0.8.0-36.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
[root@qeblade30 ~]#
```

FAILS or not in build
Reassigning to rwsu per a discussion with morazi. Richard, we need the automagic setup of the rhevm.json and vsphere.json files to stop putting passwords in them. The passwords in these files are either ignored or are redundant but are being logged in /var/log/imagefactory.log.

Pushed to aeolus-configure commit 2c1404afec54662aa143429c002f982d56374634

After a fresh install from brew and a run of aeolus-configure:

```
# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default":
  {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "password": "dog8code",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@dell-pe1950-03 ~]# rpm -qa | grep "factory\|aeolus-con"
aeolus-conductor-0.8.0-38.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc8-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
aeolus-conductor-daemons-0.8.0-38.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
imagefactory-1.0.0rc8-1.el6.noarch
aeolus-conductor-doc-0.8.0-38.el6.noarch
imagefactory-jeosconf-ec2-rhel-1.0.0rc8-1.el6.noarch
```

Again it FAILS or not in build. If it's not in build, please once it is there (in brew) move the bug back to ON_QA (MODIFIED).
Thanks
529d24c in aeolus-configure-2.5.0-16

Passwords are not shown now.

```
# cat rhevm.json
{
  "rhevm-default":
  {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "cluster": "_any_",
    "timeout": 1800
  }
}
# cat vsphere.json
{
  "vsphere-default":
  {
    "api-url": "https://10.16.120.136/sdk",
    "datastore": "datastore1",
    "network_name": "VM Network"
  }
}
```

Verified:

```
rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-39.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-configure-2.5.0-16.el6.noarch
aeolus-conductor-0.8.0-39.el6.noarch
aeolus-conductor-daemons-0.8.0-39.el6.noarch
aeolus-all-0.8.0-39.el6.noarch
rubygem-aeolus-cli-0.3.0-12.el6.noarch
```
This fails... The username is still in the rhevm.json file.

Wes and I discussed this and for consistency we will put the username and password back in vsphere_configure. They are however not used by configure. Sometime in the future we hope to remove credentials altogether from the _configure files. This will involve changing how we validate the RHEV nfs-dir.

Posted a patch to remove username from rhevm.json and add username and password back in vsphere_configure.
https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009373.html
https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009374.html

Pushed two-part patch to aeolus-configure:
commit bfa5682f5cbc38a70b80a15a79f540801fb89482
commit 415e5b9e2292e67433b07aa45a7912fd0a7c7385

No username/password in json files. VERIFIED on RHEL62 with packages:

```
# rpm -qa | grep 'aeolus\|imagefactory-\|oz-\|iwhd'
rubygem-aeolus-cli-0.3.0-12.el6.noarch
aeolus-configure-2.5.0-18.el6.noarch
iwhd-1.2-3.el6.x86_64
aeolus-all-0.8.0-41.el6.noarch
aeolus-conductor-doc-0.8.0-41.el6.noarch
imagefactory-1.0.0rc8-1.el6.noarch
aeolus-conductor-daemons-0.8.0-41.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc8-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
aeolus-conductor-0.8.0-41.el6.noarch
imagefactory-jeosconf-ec2-rhel-1.0.0rc8-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
oz-0.8.0-5.el6.noarch
# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default":
  {
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "cluster": "_any_",
    "timeout": 1800
  }
}
# cat /etc/imagefactory/vsphere.json
{
  "vsphere-default":
  {
    "api-url": "https://vsphere.server.com/sdk",
    "datastore": "datastore",
    "network_name": "network_name"
  }
}
```
*** Bug 794739 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2012-0588.html
Description of problem:

In /etc/imagefactory, the following files store passwords in plain text. This is a security risk.

```
[root@cf-ceae2 imagefactory]# cat rhevm.json
{
  "rhevm-rhevm": {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/pub/ISO_mnt",
    "nfs-host": "fqdn",
    "api-url": "https://fqdn:8443/api",
    "password": "removed",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@cf-ceae2 imagefactory]# cat vsphere.json
{
  "vsphere-vsphere5": {
    "api-url": "https://fqdn/sdk",
    "username": "username",
    "password": "removed",
    "datastore": "datastore1",
    "network_name": "VM Network"
  }
}
```
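The check QA repeated by hand through this thread (cat each provider file after every build and look for `username` and `password` keys) is easy to script, which is useful on hosts that were configured by an older aeolus-configure before the fix landed. The following is an added example, not code from this Bugzilla thread, from aeolus-configure or from imagefactory: it parses every `*.json` under a config directory, reports each section that still carries a credential key, and can rewrite such a file without those keys at mode 0600. The function names (`audit_directory`, `sanitize_directory`, `build_sample_dir`) are this example's own, and the sample files, hostnames and password value it constructs are placeholders, not values from any real host.

```python
import json
import os
import tempfile
from pathlib import Path

# Keys that hold credentials. Per this bug they must not live in
# /etc/imagefactory/<provider>.json: the push API call supplies them.
CREDENTIAL_KEYS = frozenset({"username", "password"})


def find_credentials(provider_doc):
    """Return (section, key) pairs for every credential key in a parsed provider file."""
    hits = []
    for section, settings in provider_doc.items():
        if not isinstance(settings, dict):
            continue  # provider files are {section: {key: value}}; skip anything else
        for key in sorted(settings):
            if key in CREDENTIAL_KEYS:
                hits.append((section, key))
    return hits


def strip_credentials(provider_doc):
    """Return a copy of provider_doc with credential keys removed from every section."""
    cleaned = {}
    for section, settings in provider_doc.items():
        if isinstance(settings, dict):
            cleaned[section] = {k: v for k, v in settings.items() if k not in CREDENTIAL_KEYS}
        else:
            cleaned[section] = settings
    return cleaned


def audit_directory(config_dir):
    """Audit every *.json under config_dir; return {filename: [(section, key), ...]}."""
    report = {}
    for path in sorted(Path(config_dir).glob("*.json")):
        try:
            doc = json.loads(path.read_text())
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            # Report rather than skip, so a malformed file is never counted as clean.
            report[path.name] = [("<parse-error>", str(exc))]
            continue
        if not isinstance(doc, dict):
            report[path.name] = [("<parse-error>", "top level is not a JSON object")]
            continue
        report[path.name] = find_credentials(doc)
    return report


def sanitize_directory(config_dir):
    """Rewrite each file that carries credentials without them (mode 0600); return their names."""
    rewritten = []
    for name, hits in audit_directory(config_dir).items():
        if not hits or hits[0][0] == "<parse-error>":
            continue  # clean files and unparseable files are left untouched
        path = Path(config_dir) / name
        cleaned = strip_credentials(json.loads(path.read_text()))
        path.write_text(json.dumps(cleaned, indent=2) + "\n")
        os.chmod(path, 0o600)  # root-only even after the secrets are gone
        rewritten.append(name)
    return rewritten


# Constructed samples (not copied from a real host): the rhevm.json shape this
# bug reports before the fix, with a placeholder password, and the vsphere.json
# shape after the fix.
SAMPLE_RHEVM_BEFORE = {
    "rhevm-default": {
        "username": "admin@internal",
        "nfs-dir": "/mnt/rhevm-nfs",
        "nfs-path": "/home/blade27_export",
        "nfs-host": "rhevm.example.invalid",
        "api-url": "https://rhevm.example.invalid:8443/api",
        "password": "PLACEHOLDER-NOT-A-REAL-PASSWORD",
        "cluster": "_any_",
        "timeout": 1800,
    }
}
SAMPLE_VSPHERE_AFTER = {
    "vsphere-default": {
        "api-url": "https://vsphere.example.invalid/sdk",
        "datastore": "datastore1",
        "network_name": "VM Network",
    }
}


def build_sample_dir():
    """Write the samples plus one malformed file into a temp dir; return its path."""
    d = tempfile.mkdtemp(prefix="imagefactory-audit-")
    (Path(d) / "rhevm.json").write_text(json.dumps(SAMPLE_RHEVM_BEFORE, indent=2))
    (Path(d) / "vsphere.json").write_text(json.dumps(SAMPLE_VSPHERE_AFTER, indent=2))
    (Path(d) / "broken.json").write_text("{ not json")
    return d


if __name__ == "__main__":
    import sys
    # Pass /etc/imagefactory to audit a real host; with no argument it audits the samples.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, hits in audit_directory(target).items():
        print("FAIL" if hits else "ok  ", name, hits)
```

Stripping the keys only fixes the files themselves. The thread notes that the values were also being written to /var/log/imagefactory.log, so copies already in that log (and in any log shipping or backups of it) have to be dealt with separately, and the exposed password should be treated as compromised and rotated on the provider side.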