Bug 1019983 - Password entered into installer is written to dtgov-sramp-repo-seed-cli-commands.txt in plain text
Password entered into installer is written to dtgov-sramp-repo-seed-cli-comma...
Status: CLOSED CURRENTRELEASE
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer (Show other bugs)
6.0.0 GA
Unspecified Unspecified
unspecified Severity urgent
: ER7
: ---
Assigned To: Thomas Hauser
Len DiMaggio
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-16 13:56 EDT by Len DiMaggio
Modified: 2014-02-06 10:29 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Len DiMaggio 2013-10-16 13:56:27 EDT
Description of problem:

dtgov-sramp-repo-seed-cli-commands.txt
    connect http://localhost:8080/s-ramp-server admin password1#

Version-Release number of selected component (if applicable):
ER4

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Thomas Hauser 2013-10-21 14:17:09 EDT
Being able to mask this password is dependent upon some configuration / rework of S-RAMP and DT Gov
Comment 3 Eric Wittmann 2013-10-29 09:04:59 EDT
Alas we don't have anything in place to mask this password.  Instead I think the installer should:

1) make a copy of the file
2) update the copy with the admin credentials entered by the user in the installer
3) execute the copy
4) delete the copy

This will leave the original file in place in case the user ever needs to manually execute it.

The S-RAMP CLI has been updated so that if the username/password are missing from the command file, the CLI will prompt the user for the username/password.  This should make executing this file manually a little bit easier.
Comment 5 Thomas Hauser 2013-11-14 10:26:07 EST
Changes should be present in ER7. Need the full build for confirmation.
Comment 6 Thomas Hauser 2013-12-13 13:00:13 EST
The ER7-2 installer has the following procedure implemented:

a) Create a copy of the original file with plaintext credentials
Successfully wrote /home/thauser/FSW/jboss-eap-6.1/dtgov-sramp-repo-seed-cli-commands.txtTEMP

b) Run the seeding command with this file:
Running command:[java, -Xmx1024m, -jar, bin/s-ramp-shell-0.3.1.Final-redhat-4.jar, -f, dtgov-sramp-repo-seed-cli-commands.txtTEMP]

c) Remove this file after installation.

End results: Original file contains no credentials, SRAMP seeding succeeds.
Comment 7 Len DiMaggio 2013-12-13 15:35:30 EST
Verified in ER7-2:

cat dtgov-sramp-repo-seed-cli-commands.txt 
connect http://localhost:8080/s-ramp-server
ontology:upload dtgov-data/deployment-status.owl
ontology:upload dtgov-data/project-review-status.owl

Note You need to log in before you can comment on or make changes to this bug.