Bug 1017267 - Plaintext user passwords in async_tasks database
Plaintext user passwords in async_tasks database
Status: CLOSED CURRENTRELEASE
Product: oVirt
Classification: Community
Component: ovirt-engine-core (Show other bugs)
3.3
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 3.3.3
Assigned To: Ravi Nori
bugs@ovirt.org
infra
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-09 10:11 EDT by Alexander Ludas
Modified: 2014-02-14 04:56 EST (History)
7 users (show)

See Also:
Fixed In Version: ovirt-3.3.3-beta1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-14 04:56:49 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Engine answer file (1.14 KB, text/plain)
2013-10-22 05:16 EDT, Alexander Ludas
no flags Details
Kickstart EL6 (C6.4) (2.26 KB, text/plain)
2013-10-22 05:19 EDT, Alexander Ludas
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 23116 None None None Never

  None (edit)
Description Alexander Ludas 2013-10-09 10:11:36 EDT
Description of problem:
Passwords appear in plaintext in async_tasks database.

When you have database access you can collect passwords from every domain user who runs oVirt tasks.

How reproducible:
Always

Steps to Reproduce:
- Login with ActiveDirectory account
- e.g. export vm
- select action_parameters from async_tasks;

Actual results:
Password appears in plaintext

Expected results:
Password should be filtered or hashed
Comment 1 Eli Mesika 2013-10-14 09:56:11 EDT
I have tried to reproduce the scenario with AD user yair_group_member, I was unable to see any password in the query result as stated in the bug description.

While exporting my VM that had 1 nic and 2 disks 1 with Thin Provisioning and the other pre-allocated both sizes are 1GB , I had run the query :


engine_1017267=> select action_parameters from async_tasks;
                           action_parameters                            
------------------------------------------------------------------------
 {                                                                     +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",  +
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", {              +
     "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb"                   +
   } ],                                                                +
   "parametersCurrentUser" : {                                         +
     "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                   +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"                 +
     } ],                                                              +
     "externalId" : {                                                  +
       "bytes" : "V5RFn+FrQBW8r5pharoGxg=="                            +
     },                                                                +
     "domain" : "qa.lab.tlv.redhat.com",                               +
     "loginName" : "yair_group_member",                                +
     "firstName" : "yair_group_member",                                +
     "lastName" : null,                                                +
     "department" : null,                                              +
     "role" : "",                                                      +
     "email" : null,                                                   +
     "note" : "",                                                      +
     "status" : 1,                                                     +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",          +
     "groupIds" : "00000000-0000-0000-0000-000000000000",              +
     "admin" : true,                                                   +
     "ldapStatus" : "Active",                                          +
     "group" : false                                                   +
   },                                                                  +
   "compensationEnabled" : false,                                      +
   "parentCommand" : "Unknown",                                        +
   "commandType" : "ExportVm",                                         +
   "multipleAction" : true,                                            +
   "entityInfo" : {                                                    +
     "type" : "VM",                                                    +
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                   +
       "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"                 +
     } ]                                                               +
   },                                                                  +
   "taskGroupSuccess" : true,                                          +
   "vdsmTaskIds" : null,                                               +
   "executionIndex" : 0,                                               +
   "correlationId" : "79a3c8f9",                                       +
   "jobId" : null,                                                     +
   "stepId" : null,                                                    +
   "vdsId" : null,                                                     +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {          +
     "uuid" : "00000000-0000-0000-0000-000000000000"                   +
   } ],                                                                +
   "forceDelete" : false,                                              +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {        +
     "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073"                   +
   } ],                                                                +
   "isInternal" : false,                                               +
   "quotaId" : null,                                                   +
   "imageToDestinationDomainMap" : null,                               +
   "importAsNewEntity" : false,                                        +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", {            +
     "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"                   +
   } ],                                                                +
   "templateMustExists" : true,                                        +
   "forceOverride" : false,                                            +
   "copyCollapse" : false,                                             +
   "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined",                 +
   "shouldBeLogged" : true,                                            +
   "transactionScopeOption" : "Required",                              +
   "executionReason" : "REGULAR_FLOW"                                  +
 }
 {                                                                     +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",  +
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", {              +
     "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb"                   +
   } ],                                                                +
   "parametersCurrentUser" : {                                         +
     "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",+
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                   +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"                 +
     } ],                                                              +
     "externalId" : {                                                  +
       "bytes" : "V5RFn+FrQBW8r5pharoGxg=="                            +
     },                                                                +
     "domain" : "qa.lab.tlv.redhat.com",                               +
     "loginName" : "yair_group_member",                                +
     "firstName" : "yair_group_member",                                +
     "lastName" : null,                                                +
     "department" : null,                                              +
     "role" : "",                                                      +
     "email" : null,                                                   +
     "note" : "",                                                      +
     "status" : 1,                                                     +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",          +
     "groupIds" : "00000000-0000-0000-0000-000000000000",              +
     "admin" : true,                                                   +
     "ldapStatus" : "Active",                                          +
     "group" : false                                                   +
   },                                                                  +
   "compensationEnabled" : false,                                      +
   "parentCommand" : "Unknown",                                        +
   "commandType" : "ExportVm",                                         +
   "multipleAction" : true,                                            +
   "entityInfo" : {                                                    +
     "type" : "VM",                                                    +
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                   +
       "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"                 +
     } ]                                                               +
   },                                                                  +
   "taskGroupSuccess" : true,                                          +
   "vdsmTaskIds" : null,                                               +
   "executionIndex" : 0,                                               +
   "correlationId" : "79a3c8f9",                                       +
   "jobId" : null,                                                     +
   "stepId" : null,                                                    +
   "vdsId" : null,                                                     +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {          +
     "uuid" : "00000000-0000-0000-0000-000000000000"                   +
   } ],                                                                +
   "forceDelete" : false,                                              +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {        +
     "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073"                   +
   } ],                                                                +
   "isInternal" : false,                                               +
   "quotaId" : null,                                                   +
   "imageToDestinationDomainMap" : null,                               +
   "importAsNewEntity" : false,                                        +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", {            +
     "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"                   +
   } ],                                                                +
   "templateMustExists" : true,                                        +
   "forceOverride" : false,                                            +
   "copyCollapse" : false,                                             +
   "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined",                 +
   "shouldBeLogged" : true,                                            +
   "transactionScopeOption" : "Required",                              +
   "executionReason" : "REGULAR_FLOW"                                  +
 }
(2 rows)
Comment 2 Alexander Ludas 2013-10-14 14:09:37 EDT
Your output has a lot more attributes than mine.

                          action_parameters                           
----------------------------------------------------------------------
 {                                                                   +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", {            +
     "uuid" : "c8b3e644-238a-443d-b96b-cd3a7b256fd7"                 +
   } ],                                                              +
   "parametersCurrentUser" : {                                       +
     "groupIds" : "",                                                +
     "admin" : true,                                                 +
     "domainControler" : "example.com",                              +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", {             +
       "uuid" : "78a77a90-0a81-4dcd-acf7-06abcbdba1a5"               +
     } ],                                                            +
     "groupNames" : "",                                              +
     "firstName" : "Alexander",                                      +
     "surName" : "Ludas",                                            +
     "fqn" : "aludas@example.com",                                   +
     "userName" : "aludas",                                          +
     "password" : "PLAINTEXTPASSWORD"                                +
   },                                                                +
   "compensationEnabled" : false,                                    +
   "parentCommand" : "Unknown",                                      +
   "commandType" : "ExportVm",                                       +
   "multipleAction" : true,                                          +
   "entityInfo" : {                                                  +
     "type" : "VM",                                                  +
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                 +
       "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1"               +
     } ]                                                             +
   },                                                                +
   "taskGroupSuccess" : true,                                        +
   "vdsmTaskIds" : null,                                             +
   "executionIndex" : 0,                                             +
   "correlationId" : "42651919",                                     +
   "jobId" : null,                                                   +
   "stepId" : null,                                                  +
   "vdsId" : null,                                                   +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {        +
     "uuid" : "00000000-0000-0000-0000-000000000000"                 +
   } ],                                                              +
   "forceDelete" : false,                                            +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {      +
     "uuid" : "f1e164fa-2161-49ba-8d6c-930ed0b81a6e"                 +
   } ],                                                              +
   "isInternal" : false,                                             +
   "quotaId" : null,                                                 +
   "imageToDestinationDomainMap" : null,                             +
   "importAsNewEntity" : false,                                      +
   "forceOverride" : true,                                           +
   "copyCollapse" : true,                                            +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", {          +
     "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1"                 +
   } ],                                                              +
   "templateMustExists" : false,                                     +
   "transactionScopeOption" : "Required",                            +
   "shouldBeLogged" : true,                                          +
   "executionReason" : "REGULAR_FLOW",                               +
   "sessionId" : "RL+UV2Taq6JgJng8BK0Dzlws.undefined"                +
 }
(1 row)

Just for comparision the parametersCurrentUser attribute when I export with the admin@internal user:
   "parametersCurrentUser" : {                                       +
     "groupIds" : "",                                                +
     "admin" : true,                                                 +
     "domainControler" : "internal",                                 +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", {             +
       "uuid" : "fdfc627c-d875-11e0-90f0-83df133b58cc"               +
     } ],                                                            +
     "groupNames" : "",                                              +
     "firstName" : "admin",                                          +
     "surName" : null,                                               +
     "fqn" : "admin@internal",                                       +
     "userName" : "admin@internal",                                  +
     "password" : null                                               +
   },                                                                +


As your can see the password is shown as null and I would expect the same behavior with an AD authenticated user.

[root@ovirt1 ~]# rpm -qa | grep ovirt-engine
ovirt-engine-sdk-python-3.3.0.6-1.fc19.noarch
ovirt-engine-lib-3.3.0.1-1.fc19.noarch
ovirt-engine-tools-3.3.0.1-1.fc19.noarch
ovirt-engine-3.3.0.1-1.fc19.noarch
ovirt-engine-backend-3.3.0.1-1.fc19.noarch
ovirt-engine-websocket-proxy-3.3.0.1-1.fc19.noarch
ovirt-engine-dbscripts-3.3.0.1-1.fc19.noarch
ovirt-engine-cli-3.3.0.4-1.fc19.noarch
ovirt-engine-restapi-3.3.0.1-1.fc19.noarch
ovirt-engine-webadmin-portal-3.3.0.1-1.fc19.noarch
ovirt-engine-setup-3.3.0.1-1.fc19.noarch
ovirt-engine-userportal-3.3.0.1-1.fc19.noarch

I authenticate against a Samba 4.1.0 domain (self-compiled, CentOS 6.4) with the ActiveDirectory provider. I will check tomorrow if it behaves the same way against a new Windows Domain (2008r2). But nevertheless a password should never appear in plaintext.
Comment 3 Alexander Ludas 2013-10-14 19:10:37 EDT
Got the same result with the native Windows domain (2008r2). Password appears in plaintext.
Comment 4 Eli Mesika 2013-10-15 04:33:46 EDT
I saw some changes made to the related user data in commit 777ec447c33c631b73c2c5381d18c767c2b7647f 

However, doing again the check on a branch with the commit just before the above generated more similiar result as reported, but still w/o the password field :


engine_plaintextpasswd=> select action_parameters from async_tasks;
                          action_parameters                           
----------------------------------------------------------------------
 {                                                                   +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", {            +
     "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942"                 +
   } ],                                                              +
   "parametersCurrentUser" : {                                       +
     "groupIds" : "00000000-0000-0000-0000-000000000000",            +
     "userName" : "yair_group_member",                               +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", {             +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"               +
     } ],                                                            +
     "domainControler" : "qa.lab.tlv.redhat.com",                    +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",        +
     "firstName" : "yair_group_member",                              +
     "surName" : null,                                               +
     "admin" : true                                                  +
   },                                                                +
   "compensationEnabled" : false,                                    +
   "parentCommand" : "Unknown",                                      +
   "commandType" : "ExportVm",                                       +
   "multipleAction" : true,                                          +
   "entityInfo" : {                                                  +
     "type" : "VM",                                                  +
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                 +
       "uuid" : "353da209-dfb3-40e8-b7da-380865750852"               +
     } ]                                                             +
   },                                                                +
   "taskGroupSuccess" : true,                                        +
   "vdsmTaskIds" : null,                                             +
   "executionIndex" : 0,                                             +
   "correlationId" : "49fd614d",                                     +
   "jobId" : null,                                                   +
   "stepId" : null,                                                  +
   "vdsId" : null,                                                   +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {        +
     "uuid" : "00000000-0000-0000-0000-000000000000"                 +
   } ],                                                              +
   "forceDelete" : false,                                            +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {      +
     "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33"                 +
   } ],                                                              +
   "isInternal" : false,                                             +
   "quotaId" : null,                                                 +
   "imageToDestinationDomainMap" : null,                             +
   "importAsNewEntity" : false,                                      +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", {          +
     "uuid" : "353da209-dfb3-40e8-b7da-380865750852"                 +
   } ],                                                              +
   "copyCollapse" : false,                                           +
   "templateMustExists" : true,                                      +
   "forceOverride" : false,                                          +
   "shouldBeLogged" : true,                                          +
   "executionReason" : "REGULAR_FLOW",                               +
   "transactionScopeOption" : "Required",                            +
   "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined"                +
 }
 {                                                                   +
   "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",+
   "commandId" : [ "org.ovirt.engine.core.compat.Guid", {            +
     "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942"                 +
   } ],                                                              +
   "parametersCurrentUser" : {                                       +
     "groupIds" : "00000000-0000-0000-0000-000000000000",            +
     "userName" : "yair_group_member",                               +
     "userId" : [ "org.ovirt.engine.core.compat.Guid", {             +
       "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"               +
     } ],                                                            +
     "domainControler" : "qa.lab.tlv.redhat.com",                    +
     "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",        +
     "firstName" : "yair_group_member",                              +
     "surName" : null,                                               +
     "admin" : true                                                  +
   },                                                                +
   "compensationEnabled" : false,                                    +
   "parentCommand" : "Unknown",                                      +
   "commandType" : "ExportVm",                                       +
   "multipleAction" : true,                                          +
   "entityInfo" : {                                                  +
     "type" : "VM",                                                  +
     "id" : [ "org.ovirt.engine.core.compat.Guid", {                 +
       "uuid" : "353da209-dfb3-40e8-b7da-380865750852"               +
     } ]                                                             +
   },                                                                +
   "taskGroupSuccess" : true,                                        +
   "vdsmTaskIds" : null,                                             +
   "executionIndex" : 0,                                             +
   "correlationId" : "49fd614d",                                     +
   "jobId" : null,                                                   +
   "stepId" : null,                                                  +
   "vdsId" : null,                                                   +
   "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {        +
     "uuid" : "00000000-0000-0000-0000-000000000000"                 +
   } ],                                                              +
   "forceDelete" : false,                                            +
   "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {      +
     "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33"                 +
   } ],                                                              +
   "isInternal" : false,                                             +
   "quotaId" : null,                                                 +
   "imageToDestinationDomainMap" : null,                             +
   "importAsNewEntity" : false,                                      +
   "containerId" : [ "org.ovirt.engine.core.compat.Guid", {          +
     "uuid" : "353da209-dfb3-40e8-b7da-380865750852"                 +
   } ],                                                              +
   "copyCollapse" : false,                                           +
   "templateMustExists" : true,                                      +
   "forceOverride" : false,                                          +
   "shouldBeLogged" : true,                                          +
   "executionReason" : "REGULAR_FLOW",                               +
   "transactionScopeOption" : "Required",                            +
   "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined"                +
 }
Comment 5 Barak 2013-10-15 04:40:07 EDT
Did you do the export VM through the webadmin or RestAPI ?
Comment 6 Alexander Ludas 2013-10-15 04:46:35 EDT
Webadmin
Comment 7 Alexander Ludas 2013-10-22 05:16:28 EDT
Created attachment 814911 [details]
Engine answer file
Comment 8 Alexander Ludas 2013-10-22 05:19:18 EDT
Created attachment 814913 [details]
Kickstart EL6 (C6.4)
Comment 9 Alexander Ludas 2013-10-22 05:34:45 EDT
Did a clean install in an isolated env with the same results.

There are only 2 things that might differ from other installs:
1. selinux off by default
2. firewall off by default

Steps to reproduce:
1. Kickstart VM for engine (see attached ks file)
2. engine-setup --config-append=engine-answers.txt
3. engine-manage-domains -action=add -provider=ActiveDirectory \ -domain=testdom.local -user=ovirt -passwordFile=passwd.txt
4. Restart engine, login to webadmin as admin and grant rights to a domain user
5. Add host
6. Create VM with preallocated disk and check async_tasks table during disk creation
Comment 10 Sandro Bonazzola 2013-11-06 11:01:11 EST
Moving target release to 3.3.2 since it's not fixed in 3.3.1 and not considered blocking.
Comment 11 Sandro Bonazzola 2013-11-28 10:33:57 EST
Re-targeting to 3.3.3 since the bug is not resolved in 3.3.2 beta and is not blocking 3.3.2 release tracker (bug #1027349)
Comment 12 Ravi Nori 2014-01-09 18:22:26 EST
This is a 3.3 only issue, the problem has been fixed by directory refactoring in current master (3.4)
Comment 13 Sandro Bonazzola 2014-02-14 04:56:49 EST
Closing as 3.3.3 has been released.

Note You need to log in before you can comment on or make changes to this bug.