Bug 1070339 - ovirt-engine-dwh-setup does not handle escape characters in the 10-setup-database.conf ENGINE_DB_PASSWORD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-dwh
Version: 3.3.0
Hardware: All
OS: Linux
urgent
high
Target Milestone: ---
: 3.4.0
Assignee: Yedidyah Bar David
QA Contact: Barak Dagan
URL:
Whiteboard: integration
Depends On:
Blocks: 1072406 rhev3.4beta 1142926
Reported: 2014-02-26 15:58 UTC by James W. Mills
Modified: 2019-04-28 09:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the ovirt-engine-dwh-setup command would fail under certain conditions. This would occur when the password specified for the internal admin user for the Red Hat Enterprise Virtualization Manager contained special characters. While passwords would be correctly escaped in the 10-setup-database.conf file, the ovirt-engine-dwh-setup command would not detect the '\' escape character, resulting in an authentication error. Now, this logic has been revised so that special characters are correctly parsed, making it possible for the ovirt-engine-dwh-setup command to complete successfully.
Clone Of:
: 1072406 (view as bug list)
Environment:
Last Closed: 2014-06-09 15:18:27 UTC
oVirt Team: ---
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 736053 0 None None None Never
Red Hat Product Errata RHEA-2014:0601 0 normal SHIPPED_LIVE rhevm-dwh 3.4 bug fix and enhancement update 2014-06-09 19:15:53 UTC
oVirt gerrit 25252 0 None None None Never

Description James W. Mills 2014-02-26 15:58:55 UTC
Description of problem:

When rhevm is configured using a password with a special character, that character is escaped in 10-setup-database.conf.  However, ovirt-engine-dwh-setup does not honor the '/' as an escape character and fails to run.



Version-Release number of selected component (if applicable):

* rhevm-setup-3.3.0-0.46.el6ev.noarch
* rhevm-dwh-3.3.0-29.el6ev.noarch

How reproducible:

100%

Steps to Reproduce:
1. Manually create the engine user and database:

postgres=# create user engine password '123$576';
postgres=# create database engine owner engine template template0
          encoding 'UTF8' lc_collate 'en_US.UTF-8'
          lc_ctype 'en_US.UTF-8';


2. Run engine-setup, entering '123$576' when prompted for the engine DB password
3. Run ovirt-engine-dwh-setup

Actual results:

It fails immediately with:

2014-02-26 15:52:33::DEBUG::common_utils::907::root:: Executing command --> '/usr/bin/psql --pset=tuples_only=on --set ON_ERROR_STOP=1 --dbname engine --host localhost --port 5432 --username engine -w -c copy (
        select option_value from vdc_options
        where option_name like 'MinimalETLVersion'
    ) to stdout with csv header;' in working directory '/usr/share/ovirt-engine-dwh'
2014-02-26 15:52:33::DEBUG::common_utils::962::root:: output = 
2014-02-26 15:52:33::DEBUG::common_utils::963::root:: stderr = psql: FATAL:  password authentication failed for user "engine"


Expected results:

It runs successfully

Additional info:

After engine-setup is run, the ENGINE_DB_PASSWORD looks like this:

ENGINE_DB_PASSWORD="123\$576"

Analyzing the contents of db_dict, we see:

{'username': 'engine_history', 'engine_db': 'engine', 'engine_pass': '123\\$576', 'engine_user': 'engine', 'readonly': None, 'port': '5432', 'host': 'localhost', 'password': '3202kFbN', 'dbname': 'ovirt_engine_history'}

The ovirt-engine-dwh-setup script is interpreting the '/' escaping the '$' as a normal character, and then escaping it.
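
The mismatch described above, as an added example that is not part of the original report and not the project's code: a reader that only strips the surrounding quotes keeps the backslash in the password, while one that decodes backslash escapes recovers the value PostgreSQL expects. The function names, the line regex and the set of characters escaped on write are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the lines quoted in the report.
SAMPLE_CONF = r'''
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="123\$576"
ENGINE_DB_DATABASE="engine"
'''

_LINE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$')

def naive_value(raw):
    """Strip the surrounding quotes only; any backslash stays in the value."""
    return raw.strip('"')

def unescape_value(raw):
    """Decode a double-quoted value in which a backslash escapes the next character."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return raw  # unquoted value: taken literally
    out, chars = [], iter(raw[1:-1])
    for ch in chars:
        if ch == '\\':
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError('dangling backslash at end of value')
            out.append(nxt)
        elif ch == '"':
            raise ValueError('unescaped quote inside value')
        else:
            out.append(ch)
    return ''.join(out)

def escape_value(value):
    """Inverse of unescape_value; escaping ", \\ and $ is an assumption of this example."""
    return '"' + re.sub(r'(["\\$])', r'\\\1', value) + '"'

def parse_conf(text, decode):
    """Parse KEY=value lines, applying `decode` to each raw value."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError('unparseable line: %r' % line)
        result[m.group('key')] = decode(m.group('value'))
    return result
```

Calling parse_conf(SAMPLE_CONF, naive_value) yields the same 'engine_pass' value shown in db_dict above; passing unescape_value instead yields the password that was set in PostgreSQL.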

Comment 1 James W. Mills 2014-02-26 16:13:39 UTC
The workaround for this is to edit '10-setup-database.conf', remove the '/', run ovirt-engine-dwh-setup, then edit '10-setup-database.conf' again and add the '/' back.

Comment 6 Barak Dagan 2014-03-09 12:14:26 UTC
I can't even connect to the PG DB using $ in the password:

#psql -U postgres -d engine -c "ALTER USER engine WITH PASSWORD '123456';"
ALTER ROLE

# psql -h 'myhost' -U engine
Password for user engine: 
psql (8.4.20, server 8.4.18)
Type "help" for help.

engine=> 


#psql -U postgres -d engine -c "ALTER USER engine WITH PASSWORD '123$56';"
ALTER ROLE

# psql -h 'myhost' -U engine
Password for user engine: 
psql: FATAL:  password authentication failed for user "engine".

What am I missing ?

Comment 7 Yedidyah Bar David 2014-03-09 12:40:15 UTC
(In reply to Barak Dagan from comment #6)
> I can't even connect to the PG DB using $ in the password:
> 
> #psql -U postgres -d engine -c "ALTER USER engine WITH PASSWORD '123456';"
> ALTER ROLE
> 
> # psql -h 'myhost' -U engine
> Password for user engine: 
> psql (8.4.20, server 8.4.18)
> Type "help" for help.
> 
> engine=> 
> 
> 
> #psql -U postgres -d engine -c "ALTER USER engine WITH PASSWORD '123$56';"

Did you type this command as-is?

> ALTER ROLE
> 
> # psql -h 'myhost' -U engine
> Password for user engine: 
> psql: FATAL:  password authentication failed for user "engine".
> 
> What am I missing ?

$5 will be eaten by the shell, probably replaced by '', so in effect you changed the password to 12346. Use escapes/quoting/etc.

Comment 8 Barak Dagan 2014-03-09 15:25:36 UTC
Verified on av2.1:

postgres=# ALTER USER engine WITH PASSWORD '1234%6';

/etc/ovirt-engine/engine.conf.d/10-setup-database.conf:
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="1234%6"
ENGINE_DB_DATABASE="engine"

DWH installation passed successfully.

Comment 9 Barak Dagan 2014-03-10 12:33:44 UTC
Verified on av2.1:

postgres=# ALTER USER engine WITH PASSWORD '123$56';

/etc/ovirt-engine/engine.conf.d/10-setup-database.conf:
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="123\$56"
ENGINE_DB_DATABASE="engine"

DWH installation passed successfully.

Comment 10 Yedidyah Bar David 2014-05-07 06:33:38 UTC
Andrew, note that this bug is actually on 3.3, cloned and fixed in 3.3.2, and the original (this one) was left mainly for verification. Not sure it really needs a doc text. If we do want one, consider that {rhevm,ovirt-engine}-{dwh,reports}-setup were replaced by 'engine-setup' which does everything (using plugins). Also note that the escape char is '\' and not '/'. So we might have something like:

Previously, the ovirt-engine-dwh-setup command would fail under certain conditions. This would occur when the password specified for the internal admin user for the Red Hat Enterprise Virtualization Manager contained special characters. While passwords would be correctly escaped in the 10-setup-database.conf file, the ovirt-engine-dwh-setup command would not detect the '\' escape character, resulting in an authentication error. The ovirt-engine-dwh-setup command is obsoleted by this release, and its functionality is contained in the 'engine-setup' command, which does not suffer from this bug.

Same for bug #1070344.

Comment 11 Andrew Dahms 2014-05-09 04:55:35 UTC
Hi Yedidyah,

Thank you for your message.

Yes, I recall a similar bug to this one being listed in an older advisory, and I would be happy to take this one from the list if you feel there is not a strong case for having doc text for this one as well.

I will change the requires_doc_text flag to '-' for now, but please let me know if you feel some form of documentation is needed later on. I will also correct the escape character used to ensure it reflects your feedback, just in case.

Please let me know if you have any other concerns or if there are any other bugs you feel might not need doc text.

Kind regards,

Andrew

Comment 12 errata-xmlrpc 2014-06-09 15:18:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0601.html

