Description of problem:
Passwords appear in plaintext in the async_tasks database. When you have database access you can collect passwords from every domain user who runs oVirt tasks.

How reproducible:
Always

Steps to Reproduce:
- Login with ActiveDirectory account
- e.g. export vm
- select action_parameters from async_tasks;

Actual results:
Password appears in plaintext

Expected results:
Password should be filtered or hashed
I have tried to reproduce the scenario with AD user yair_group_member, I was unable to see any password in the query result as stated in the bug description. While exporting my VM that had 1 nic and 2 disks, 1 with Thin Provisioning and the other pre-allocated, both sizes 1GB, I had run the query:

engine_1017267=> select action_parameters from async_tasks;
                           action_parameters
------------------------------------------------------------------------
{
  "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",
  "commandId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb"
  } ],
  "parametersCurrentUser" : {
    "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"
    } ],
    "externalId" : {
      "bytes" : "V5RFn+FrQBW8r5pharoGxg=="
    },
    "domain" : "qa.lab.tlv.redhat.com",
    "loginName" : "yair_group_member",
    "firstName" : "yair_group_member",
    "lastName" : null,
    "department" : null,
    "role" : "",
    "email" : null,
    "note" : "",
    "status" : 1,
    "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",
    "groupIds" : "00000000-0000-0000-0000-000000000000",
    "admin" : true,
    "ldapStatus" : "Active",
    "group" : false
  },
  "compensationEnabled" : false,
  "parentCommand" : "Unknown",
  "commandType" : "ExportVm",
  "multipleAction" : true,
  "entityInfo" : {
    "type" : "VM",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"
    } ]
  },
  "taskGroupSuccess" : true,
  "vdsmTaskIds" : null,
  "executionIndex" : 0,
  "correlationId" : "79a3c8f9",
  "jobId" : null,
  "stepId" : null,
  "vdsId" : null,
  "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "00000000-0000-0000-0000-000000000000"
  } ],
  "forceDelete" : false,
  "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073"
  } ],
  "isInternal" : false,
  "quotaId" : null,
  "imageToDestinationDomainMap" : null,
  "importAsNewEntity" : false,
  "containerId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"
  } ],
  "templateMustExists" : true,
  "forceOverride" : false,
  "copyCollapse" : false,
  "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined",
  "shouldBeLogged" : true,
  "transactionScopeOption" : "Required",
  "executionReason" : "REGULAR_FLOW"
}
{
  "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",
  "commandId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "ed49ce31-c0ff-4b80-9258-f5335db8a9bb"
  } ],
  "parametersCurrentUser" : {
    "@class" : "org.ovirt.engine.core.common.businessentities.DbUser",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"
    } ],
    "externalId" : {
      "bytes" : "V5RFn+FrQBW8r5pharoGxg=="
    },
    "domain" : "qa.lab.tlv.redhat.com",
    "loginName" : "yair_group_member",
    "firstName" : "yair_group_member",
    "lastName" : null,
    "department" : null,
    "role" : "",
    "email" : null,
    "note" : "",
    "status" : 1,
    "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",
    "groupIds" : "00000000-0000-0000-0000-000000000000",
    "admin" : true,
    "ldapStatus" : "Active",
    "group" : false
  },
  "compensationEnabled" : false,
  "parentCommand" : "Unknown",
  "commandType" : "ExportVm",
  "multipleAction" : true,
  "entityInfo" : {
    "type" : "VM",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"
    } ]
  },
  "taskGroupSuccess" : true,
  "vdsmTaskIds" : null,
  "executionIndex" : 0,
  "correlationId" : "79a3c8f9",
  "jobId" : null,
  "stepId" : null,
  "vdsId" : null,
  "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "00000000-0000-0000-0000-000000000000"
  } ],
  "forceDelete" : false,
  "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "d7925cab-99a1-4145-8bc8-3cd8c5fc9073"
  } ],
  "isInternal" : false,
  "quotaId" : null,
  "imageToDestinationDomainMap" : null,
  "importAsNewEntity" : false,
  "containerId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "a30328ac-8977-48ad-83be-d5a6300a8f05"
  } ],
  "templateMustExists" : true,
  "forceOverride" : false,
  "copyCollapse" : false,
  "sessionId" : "Z0j0vXZekQLwB2hTZ7KQ6uAI.undefined",
  "shouldBeLogged" : true,
  "transactionScopeOption" : "Required",
  "executionReason" : "REGULAR_FLOW"
}
(2 rows)
Your output has a lot more attributes than mine.

                           action_parameters
----------------------------------------------------------------------
{
  "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",
  "commandId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "c8b3e644-238a-443d-b96b-cd3a7b256fd7"
  } ],
  "parametersCurrentUser" : {
    "groupIds" : "",
    "admin" : true,
    "domainControler" : "example.com",
    "userId" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "78a77a90-0a81-4dcd-acf7-06abcbdba1a5"
    } ],
    "groupNames" : "",
    "firstName" : "Alexander",
    "surName" : "Ludas",
    "fqn" : "aludas",
    "userName" : "aludas",
    "password" : "PLAINTEXTPASSWORD"
  },
  "compensationEnabled" : false,
  "parentCommand" : "Unknown",
  "commandType" : "ExportVm",
  "multipleAction" : true,
  "entityInfo" : {
    "type" : "VM",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1"
    } ]
  },
  "taskGroupSuccess" : true,
  "vdsmTaskIds" : null,
  "executionIndex" : 0,
  "correlationId" : "42651919",
  "jobId" : null,
  "stepId" : null,
  "vdsId" : null,
  "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "00000000-0000-0000-0000-000000000000"
  } ],
  "forceDelete" : false,
  "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "f1e164fa-2161-49ba-8d6c-930ed0b81a6e"
  } ],
  "isInternal" : false,
  "quotaId" : null,
  "imageToDestinationDomainMap" : null,
  "importAsNewEntity" : false,
  "forceOverride" : true,
  "copyCollapse" : true,
  "containerId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "3c376686-4add-444d-91c0-3971d2696ae1"
  } ],
  "templateMustExists" : false,
  "transactionScopeOption" : "Required",
  "shouldBeLogged" : true,
  "executionReason" : "REGULAR_FLOW",
  "sessionId" : "RL+UV2Taq6JgJng8BK0Dzlws.undefined"
}
(1 row)

Just for comparison, the parametersCurrentUser attribute when I export with the admin@internal user:

  "parametersCurrentUser" : {
    "groupIds" : "",
    "admin" : true,
    "domainControler" : "internal",
    "userId" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "fdfc627c-d875-11e0-90f0-83df133b58cc"
    } ],
    "groupNames" : "",
    "firstName" : "admin",
    "surName" : null,
    "fqn" : "admin@internal",
    "userName" : "admin@internal",
    "password" : null
  },

As you can see the password is shown as null and I would expect the same behavior with an AD authenticated user.

[root@ovirt1 ~]# rpm -qa | grep ovirt-engine
ovirt-engine-sdk-python-3.3.0.6-1.fc19.noarch
ovirt-engine-lib-3.3.0.1-1.fc19.noarch
ovirt-engine-tools-3.3.0.1-1.fc19.noarch
ovirt-engine-3.3.0.1-1.fc19.noarch
ovirt-engine-backend-3.3.0.1-1.fc19.noarch
ovirt-engine-websocket-proxy-3.3.0.1-1.fc19.noarch
ovirt-engine-dbscripts-3.3.0.1-1.fc19.noarch
ovirt-engine-cli-3.3.0.4-1.fc19.noarch
ovirt-engine-restapi-3.3.0.1-1.fc19.noarch
ovirt-engine-webadmin-portal-3.3.0.1-1.fc19.noarch
ovirt-engine-setup-3.3.0.1-1.fc19.noarch
ovirt-engine-userportal-3.3.0.1-1.fc19.noarch

I authenticate against a Samba 4.1.0 domain (self-compiled, CentOS 6.4) with the ActiveDirectory provider. I will check tomorrow if it behaves the same way against a new Windows Domain (2008r2). But nevertheless a password should never appear in plaintext.
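A defender-side check for this issue, added here and not part of the bug report or of oVirt's own code: it parses action_parameters JSON in the shape shown above, reports every task whose parametersCurrentUser carries a non-null password without echoing the value, and produces a redacted copy of a row that is safe to attach to a report. The rows below are constructed samples with a placeholder secret; on a real engine you would feed it the result of `select action_parameters from async_tasks;` instead.

```python
import json

# Constructed sample rows in the shape of the async_tasks.action_parameters
# JSON shown in this bug; the secret value is a placeholder, not real data.
SAMPLE_ROWS = [
    json.dumps({"@class": "org.ovirt.engine.core.common.action.MoveVmParameters",
                "commandType": "ExportVm",
                "parametersCurrentUser": {"domainControler": "example.com",
                                          "userName": "aludas",
                                          "password": "PLACEHOLDER_SECRET"}}),
    json.dumps({"@class": "org.ovirt.engine.core.common.action.MoveVmParameters",
                "commandType": "ExportVm",
                "parametersCurrentUser": {"domainControler": "internal",
                                          "userName": "admin@internal",
                                          "password": None}}),
]
SECRET_KEYS = {"password"}  # extend if a serializer names secrets differently

def _walk(node, path=()):
    """Yield (path, value) for every leaf of a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node

def find_leaked_credentials(rows):
    """Return (commandType, userName, dotted path) per non-null secret; never the secret."""
    findings = []
    for raw in rows:
        params = json.loads(raw)
        user = params.get("parametersCurrentUser") or {}
        for path, value in _walk(params):
            if path and path[-1] in SECRET_KEYS and value not in (None, ""):
                findings.append((params.get("commandType"), user.get("userName"),
                                 ".".join(path)))
    return findings

def redact(raw):  # replace non-null secrets so a row can be shared in a report
    def scrub(node):
        if isinstance(node, dict):
            return {k: "<redacted>" if k in SECRET_KEYS and v not in (None, "")
                    else scrub(v) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(v) for v in node]
        return node
    return json.dumps(scrub(json.loads(raw)))
```

A non-empty result from find_leaked_credentials means the affected accounts' passwords should be treated as exposed to anyone with database or backup access, not only that the row should be cleaned.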
Got the same result with the native Windows domain (2008r2). Password appears in plaintext.
I saw some changes made to the related user data in commit 777ec447c33c631b73c2c5381d18c767c2b7647f. However, doing the check again on a branch with the commit just before the above generated a result more similar to the one reported, but still w/o the password field:

engine_plaintextpasswd=> select action_parameters from async_tasks;
                           action_parameters
----------------------------------------------------------------------
{
  "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",
  "commandId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942"
  } ],
  "parametersCurrentUser" : {
    "groupIds" : "00000000-0000-0000-0000-000000000000",
    "userName" : "yair_group_member",
    "userId" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"
    } ],
    "domainControler" : "qa.lab.tlv.redhat.com",
    "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",
    "firstName" : "yair_group_member",
    "surName" : null,
    "admin" : true
  },
  "compensationEnabled" : false,
  "parentCommand" : "Unknown",
  "commandType" : "ExportVm",
  "multipleAction" : true,
  "entityInfo" : {
    "type" : "VM",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "353da209-dfb3-40e8-b7da-380865750852"
    } ]
  },
  "taskGroupSuccess" : true,
  "vdsmTaskIds" : null,
  "executionIndex" : 0,
  "correlationId" : "49fd614d",
  "jobId" : null,
  "stepId" : null,
  "vdsId" : null,
  "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "00000000-0000-0000-0000-000000000000"
  } ],
  "forceDelete" : false,
  "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33"
  } ],
  "isInternal" : false,
  "quotaId" : null,
  "imageToDestinationDomainMap" : null,
  "importAsNewEntity" : false,
  "containerId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "353da209-dfb3-40e8-b7da-380865750852"
  } ],
  "copyCollapse" : false,
  "templateMustExists" : true,
  "forceOverride" : false,
  "shouldBeLogged" : true,
  "executionReason" : "REGULAR_FLOW",
  "transactionScopeOption" : "Required",
  "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined"
}
{
  "@class" : "org.ovirt.engine.core.common.action.MoveVmParameters",
  "commandId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "3970cd41-e53b-4fc4-95ab-55b1b504e942"
  } ],
  "parametersCurrentUser" : {
    "groupIds" : "00000000-0000-0000-0000-000000000000",
    "userName" : "yair_group_member",
    "userId" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "5794459f-e16b-4015-bcaf-9a616aba06c6"
    } ],
    "domainControler" : "qa.lab.tlv.redhat.com",
    "groupNames" : "qa.lab.tlv.redhat.com/Users/yair_group",
    "firstName" : "yair_group_member",
    "surName" : null,
    "admin" : true
  },
  "compensationEnabled" : false,
  "parentCommand" : "Unknown",
  "commandType" : "ExportVm",
  "multipleAction" : true,
  "entityInfo" : {
    "type" : "VM",
    "id" : [ "org.ovirt.engine.core.compat.Guid", {
      "uuid" : "353da209-dfb3-40e8-b7da-380865750852"
    } ]
  },
  "taskGroupSuccess" : true,
  "vdsmTaskIds" : null,
  "executionIndex" : 0,
  "correlationId" : "49fd614d",
  "jobId" : null,
  "stepId" : null,
  "vdsId" : null,
  "storagePoolId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "00000000-0000-0000-0000-000000000000"
  } ],
  "forceDelete" : false,
  "storageDomainId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "2697a709-be06-4fd8-b406-5b74f88b5a33"
  } ],
  "isInternal" : false,
  "quotaId" : null,
  "imageToDestinationDomainMap" : null,
  "importAsNewEntity" : false,
  "containerId" : [ "org.ovirt.engine.core.compat.Guid", {
    "uuid" : "353da209-dfb3-40e8-b7da-380865750852"
  } ],
  "copyCollapse" : false,
  "templateMustExists" : true,
  "forceOverride" : false,
  "shouldBeLogged" : true,
  "executionReason" : "REGULAR_FLOW",
  "transactionScopeOption" : "Required",
  "sessionId" : "cFxJE4WXuj4S5CkEmlGWFwlZ.undefined"
}
Did you do the export VM through the webadmin or RestAPI ?
Webadmin
Created attachment 814911: Engine answer file
Created attachment 814913: Kickstart EL6 (C6.4)
Did a clean install in an isolated env with the same results. There are only 2 things that might differ from other installs:
1. selinux off by default
2. firewall off by default

Steps to reproduce:
1. Kickstart VM for engine (see attached ks file)
2. engine-setup --config-append=engine-answers.txt
3. engine-manage-domains -action=add -provider=ActiveDirectory \
     -domain=testdom.local -user=ovirt -passwordFile=passwd.txt
4. Restart engine, login to webadmin as admin and grant rights to a domain user
5. Add host
6. Create VM with preallocated disk and check async_tasks table during disk creation
Moving target release to 3.3.2 since it's not fixed in 3.3.1 and not considered blocking.
Re-targeting to 3.3.3 since the bug is not resolved in 3.3.2 beta and is not blocking 3.3.2 release tracker (bug #1027349)
This is a 3.3 only issue, the problem has been fixed by directory refactoring in current master (3.4)
Closing as 3.3.3 has been released.