Bug 1033213 - Do not print username and password to screen during sh foreman_server.sh
Summary: Do not print username and password to screen during sh foreman_server.sh
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-foreman-installer
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 4.0
Assignee: Jason Guiditta
QA Contact: Omri Hochman
Blocks: RHOS-Foreman-Deployability
Reported: 2013-11-21 17:40 UTC by james labocki
Modified: 2013-12-20 00:37 UTC (History)

Fixed In Version: openstack-foreman-installer-0.0.23-1.el6ost
Doc Type: Known Issue
Doc Text:
The foreman-installer prints a known default user name and password to the console. As a result, because openstack-foreman-installer makes use of foreman-installer, a default user name and password are used, which get printed to the console when running openstack-foreman-installer. Workaround: You must change the password right after openstack-foreman-installer finishes (the installer prints a link to a page where the password can be changed). This replaces the password with a new (hidden) one, and anyone attempting to use the displayed password will not have access.
Last Closed: 2013-12-20 00:37:53 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2013:1859 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory | 2013-12-21 00:01:48 UTC

Description james labocki 2013-11-21 17:40:47 UTC
When sh foreman_server.sh is executed it prints "Reset to user:admin, password:changeme" to the screen. Can you please not log this to the screen?

Comment 2 Liz 2013-11-21 20:06:01 UTC
James - I think I missed the point of this bug. Are we suggesting that this will be in the documentation only? I think it's nice to include the URL to the UI along with the default username and password for users who are just getting started.

Is it a security concern? I know there are notices saying that this password should be changed for security reasons if the environment will be kept up and running.

Just curious to hear more details.

Comment 3 Dominic Cleal 2013-11-22 10:48:57 UTC
This happens "by accident" as a consequence of a workaround we added for RHOS 3 (the resetting of the default user account) as there was a bug at the time (RC version of Foreman).

However the upstream Foreman installer - when not used via foreman_server.sh - will do this and does print the URL to the UI:

  Success!
  * Foreman is running at https://foreman.example.com
      Default credentials are 'admin:changeme'
  * Foreman Proxy is running at https://foreman.example.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log

Regarding the security aspect, we're addressing that via bug #979241.

I'd recommend we:
- remove the admin account reset, it's not required and could actually reset an existing install
- add a message like the Foreman installer itself does pointing to the UI, but keep the default password printing to the screen as long as it's a well known one (per Kurt's comment in the other BZ)
- review once bug #979241 is implemented
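
Added example, not part of the bug report or of foreman_server.sh: a shell check that flags and masks credential lines in captured installer output, run here on a constructed sample built from the two messages quoted above. The function names and the matching patterns are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag and mask credential lines in captured installer output.
# Function names and patterns are assumptions, not part of foreman_server.sh.

# Matches "password:<value>" / "password=<value>" and "credentials are 'user:pass'".
CRED_PATTERN="[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:],]+|[Cc]redentials are '[^:']+:[^']+'"

# Filter: replace the secret part of each matching message with <redacted>.
redact_credentials() {
    sed -E \
        -e 's/([Pp]assword[[:space:]]*[:=][[:space:]]*)[^[:space:],]+/\1<redacted>/g' \
        -e "s/([Cc]redentials are '[^:']+:)[^']+'/\1<redacted>'/g"
}

# Print how many lines of file $1 disclose a credential.
count_credential_lines() {
    # grep -c exits 1 on zero matches; keep the "0" it prints and succeed.
    grep -E -c "$CRED_PATTERN" "$1" || true
}

# Gate for CI or a wrapper script: list offending lines (numbered, already
# masked) on stderr and return 1 if file $1 contains any; return 0 if clean.
check_installer_output() {
    findings=$(grep -E -n "$CRED_PATTERN" "$1" | redact_credentials)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the two messages quoted in this report plus neutral lines.
write_sample() {
    cat > "$1" <<'EOF'
Reset to user:admin, password:changeme
  Success!
  * Foreman is running at https://foreman.example.com
      Default credentials are 'admin:changeme'
  * Foreman Proxy is running at https://foreman.example.com:8443
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
check_installer_output "$sample" || echo "installer output discloses credentials"
redact_credentials < "$sample"
rm -f "$sample"
```

Masking a well-known default does not make it secret; the value of the check is catching the same pattern when the printed password is not a default.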

Comment 4 Jiri Stransky 2013-11-25 17:24:25 UTC
I submitted an upstream pull request with the temporary solution as Dominic suggested. https://github.com/redhat-openstack/astapor/pull/55

Complete resolution is tied to bug #979241 as he pointed out, so I'd say we need to synchronize the Target Release of these two bugs.

Comment 5 Jason Guiditta 2013-11-25 17:27:12 UTC
Merged upstream

Comment 9 Jason Guiditta 2013-12-12 18:24:35 UTC
This doc text looks reasonable to me, is anything further needed here?

Comment 10 Bruce Reeler 2013-12-12 23:44:25 UTC
Hi Jason, nope that was all, just wanted to ensure I had interpreted the original doc text correctly.
Thanks.

Comment 11 Ami Jeain 2013-12-18 20:55:25 UTC
verified:
checked that /usr/share/openstack-foreman-installer/bin/foreman_server.sh has the code changes specified in https://github.com/redhat-openstack/astapor/commit/f1b0f8e8f5d71d36b50b4bf6988e1e4fe3504196.

Comment 13 errata-xmlrpc 2013-12-20 00:37:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

