Bug 1035826 - Do not collect .pgpass files from RHEV-M.
Summary: Do not collect .pgpass files from RHEV-M.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-log-collector
Version: 3.2.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.4.0
Assignee: Sandro Bonazzola
QA Contact: Petr Beňas
URL:
Whiteboard: integration
Depends On: 1052854
Blocks: 1060670 rhev3.4beta 1142926
Reported: 2013-11-28 15:09 UTC by Lee Yarwood
Modified: 2015-01-04 23:05 UTC

Fixed In Version: ovirt-3.4.0-beta2
Doc Type: Bug Fix
Doc Text:
Previously, sensitive values in configuration files were included in the reports gathered by the engine-log-collector utility. Now, sensitive values are filtered out of such reports.
Clone Of:
: 1060670
Environment:
Last Closed: 2014-06-09 14:06:12 UTC
oVirt Team: ---
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0668 0 normal SHIPPED_LIVE rhevm-log-collector bug fix and enhancement update 2014-06-09 18:03:59 UTC
oVirt gerrit 22308 0 None None None Never
oVirt gerrit 23916 0 None None None Never

Description Lee Yarwood 2013-11-28 15:09:54 UTC
Description of problem:
Do not collect .pgpass files from engine.

Version-Release number of selected component (if applicable):
rhevm-log-collector-3.2.2-4.el6ev.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Collect a full RHEV-M log collector.
2. /etc/ovirt-engine/.pgpass file collected with plain text passwords for postgresql users still inside.
3.

Actual results:
/etc/ovirt-engine/.pgpass collected.

Expected results:
/etc/ovirt-engine/.pgpass not collected or passwords removed.

Additional info:

Comment 2 Sandro Bonazzola 2013-12-11 20:18:38 UTC
While upgrading from 3.2.z to 3.3.z the legacy .pgpass file is emptied.
Its content is now stored in other files.
So for 3.3.z we can just not archive that file and filter password for the new configuration files.

Lee do we need this back ported also to 3.2.z?

Comment 8 Lee Yarwood 2013-12-16 20:33:39 UTC
(In reply to Sandro Bonazzola from comment #2)
> Lee do we need this back ported also to 3.2.z?

No, 3.3 only is fine.

Comment 9 Sandro Bonazzola 2014-01-30 15:44:54 UTC
Merged on upstream master, pushed to 3.4 branch.

Comment 10 Sandro Bonazzola 2014-02-03 10:01:32 UTC
Merged on upstream 3.4 branch.

Comment 12 Petr Beňas 2014-02-25 10:13:30 UTC
Verified in ovirt-log-collector-3.4.0-0.5.beta3.el6.noarch.

[root@pb-rh34 pb-rh34-2014022414261393248410]# grep PASS etc/ovirt-engine/engine.conf.d/10-setup-database.conf
ENGINE_DB_PASSWORD=********

Comment 14 errata-xmlrpc 2014-06-09 14:06:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0668.html
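
The behaviour requested in this bug (leave out .pgpass, mask password values in the collected configuration files) can be sketched as follows. This is an added example, not code from ovirt-log-collector: the names `SKIP_NAMES`, `SECRET_KEY`, `scrub`, `collect` and `demo`, the key pattern, and the sample files are assumptions constructed for illustration.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path

# Assumptions of this example: which file names to skip and which keys count as secrets.
SKIP_NAMES = {".pgpass"}
SECRET_KEY = re.compile(
    r"^([ \t]*[A-Za-z0-9_.]*(?:PASSWORD|PASSWD|SECRET)[A-Za-z0-9_.]*[ \t]*=[ \t]*).*$",
    re.IGNORECASE | re.MULTILINE)
MASK = "********"


def scrub(text):
    """Mask the value of every KEY=VALUE line whose key looks like a secret."""
    return SECRET_KEY.sub(lambda m: m.group(1) + MASK, text)


def collect(root, archive):
    """Archive the tree under root, skipping credential files and masking *.conf secrets."""
    root = Path(root)
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(root.rglob("*")):
            # Symlinks are skipped so a link cannot pull in a file outside root.
            if path.is_symlink() or not path.is_file() or path.name in SKIP_NAMES:
                continue
            if path.suffix == ".conf":
                data = scrub(path.read_text(errors="replace")).encode()
            else:
                data = path.read_bytes()
            info = tarfile.TarInfo(path.relative_to(root).as_posix())
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Build a constructed sample tree, collect it, and return {member name: content}."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_d = Path(tmp, "src/etc/ovirt-engine/engine.conf.d")
        conf_d.mkdir(parents=True)
        # Constructed sample data, not real credentials.
        (conf_d.parent / ".pgpass").write_text("localhost:5432:engine:engine:example-secret\n")
        (conf_d / "10-setup-database.conf").write_text(
            'ENGINE_DB_USER="engine"\nENGINE_DB_PASSWORD="example-secret"\n')
        out = Path(tmp, "report.tar.gz")
        collect(Path(tmp, "src"), out)
        with tarfile.open(out) as tar:
            return {m.name: tar.extractfile(m).read().decode() for m in tar}
```

Masking is applied to the bytes written into the archive, so the files on disk are never modified, and the check from comment 12 (grep for PASS in the unpacked report) is the matching verification step.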

