Bug 1128929 - unable to use encoded property in rhq-server.property
Summary: unable to use encoded property in rhq-server.property
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Installer
Version: JON 3.3.0
Hardware: x86_64
OS: All
unspecified
high
Target Milestone: ER02
: JON 3.3.0
Assignee: Stefan Negrea
QA Contact: Viet Nguyen
URL:
Whiteboard:
Depends On:
Blocks: JON3-40, PRODMGT-411
TreeView+ depends on / blocked
 
Reported: 2014-08-11 21:17 UTC by Viet Nguyen
Modified: 2014-12-17 13:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-17 13:47:50 UTC
Type: Bug


Attachments (Terms of Use)

Description Viet Nguyen 2014-08-11 21:17:26 UTC
Description of problem:
I was hoping to use encoded db user name in rhq-server.properties

# encoded value for 'rhqadmin'
rhq.server.database.user-name=RESTRICTED::1eeb2f255e832171df8592078de921bc


The server failed to start due to password authentication error.  It seemed encoded value is being used as is without decoding.


server.log
---
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292) [rt.jar:1.7.0_65]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "RESTRICTED::1eeb2f255e832171df8592078de921bc"
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:398)
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:173)
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
        at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)


Version-Release number of selected component (if applicable):
3.3.DR01

How reproducible:
100%

Steps to Reproduce:
1. Perform basic installation (rhqctl install --server --storage)
2. Replace rhqadmin with encoded value
 rhq.server.database.user-name=RESTRICTED::1eeb2f255e832171df8592078de921bc

3. start server

Actual results:
server failed to start

Expected results:
server should be able to use encoded value for db property

Additional info:

Comment 1 Heiko W. Rupp 2014-08-12 08:33:54 UTC
Is "rhq.server.database.**user-name**"  a typo above? I do not think that encoded usernames are supported, only the passwords.

JON3-40 only talks about passwords not user names.
Also Bug 1022289 (GEN-001) only talks about passwords.

And then from using rhq-encode-password, I get the impression that using the form with RESTRICTED in it (like above) is not right for the db-password:



snert:rhq-server hrupp$ bin/rhq-encode-password.sh
10:21:48,950 INFO  [org.jboss.modules] JBoss Modules version 1.3.0.Final-redhat-2
Password: rhqadmin
Property rhq.autoinstall.server.admin.password [y/n]: n
Property rhq.server.database.password [y/n]: y
10:22:01,529 INFO  [org.rhq.enterprise.server.installer.Installer] *** Encoded password for rhq-server.properties:
10:22:01,529 INFO  [org.rhq.enterprise.server.installer.Installer] ***     rhq.server.database.password=1eeb2f255e832171df8592078de921bc

Comment 2 Viet Nguyen 2014-08-12 14:53:23 UTC
Perhaps I misinterpreted the scope of the feature - the ability to encode arbitrary properties.  The wiki describes a broader scope ie "protect sensitive server+agent configuration"

https://docs.jboss.org/author/display/RHQ/Protect+Sensitive+Server+And+Agent+Configuration

Comment 3 Jay Shaughnessy 2014-08-20 20:54:49 UTC
I agree that the wiki page is confusing.  It seems to indicate that lots of things can be encoded when actually only a strict set of values can be, only the ones that need to be for security reasons.  At this point the only two I know of that can be preset in the rhq-server.properties are the RDB password and the rhqadmin superuser password.

If not encoded and set there in advance, rhqctl will prompt for plain-text values to be entered interactively.

There are several other passwords set in the rhq-server.properties file, but they are internal (not user-provided) and generated by us at install-time.

I'm asking Stefan to perhaps re-visit that wiki page, but this is not any sort of coding bug.

Comment 4 Stefan Negrea 2014-08-22 13:50:32 UTC
This is a bug. I need to investigate why the username is not properly decoded at retrieval. The feature was extended to any arbitrary properties (with a few noted exceptions) because it was free (no additional coding needed).

Comment 5 Jay Shaughnessy 2014-08-26 21:27:25 UTC
Master commit 9d3a214da79e48fcad8053b8ee879f05a420862e
Author: Stefan Negrea <snegrea@redhat.com>
Date:   Tue Aug 26 12:41:22 2014 -0500

    [BZ 1128929] Update verbiage to clarify what files need to be updated.

Master commit 269d0566850de6617b185b030df22e4d906b21b8
Author: Stefan Negrea <snegrea@redhat.com>
Date:   Tue Aug 26 14:44:54 2014 -0500

    [BZ 1128929] One more revision to clarify that the encode utility can

------------

Release/jon3.3.x commit 864403d041e10d9e08c31bbb3d30565f7341f98d
Author: Stefan Negrea <snegrea@redhat.com>
Date:   Tue Aug 26 12:41:22 2014 -0500

    (cherry picked from commit 9d3a214da79e48fcad8053b8ee879f05a420862e)
    Signed-off-by: Jay Shaughnessy <jshaughn@redhat.com>

Release/jon3.3.x commit ff5484fbd5325ce90b9c08bbbcdc53c03c5a299e
Author: Stefan Negrea <snegrea@redhat.com>
Date:   Tue Aug 26 14:44:54 2014 -0500

    (cherry picked from commit 269d0566850de6617b185b030df22e4d906b21b8)
    Signed-off-by: Jay Shaughnessy <jshaughn@redhat.com>

Comment 6 Stefan Negrea 2014-08-26 21:55:09 UTC
After further investigation, this is not a bug. The obfuscated property from rhq-server.properties is used in two place in standalone-full.xml. When a property from rhq-server.properties is used in the container configuration file, the restricted format needs to be applied in both configuration files.

By obfuscating just the property in rhq-server.properties, the container configuration was broken. This detail was not mentioned in the initial documentation or the output of the obfuscation tool. I updated the wiki with clarifications and examples; I also updated the obfuscation tool with a note regarding this.

Also, to reduce confusion the tool for obsfucation was renamed from rhq-encode-password.[sh|bat] to rhq-encode-value.[sh|bat]. This will make it clear that it can be used now to encode property value not just passwords.

Comment 7 Viet Nguyen 2014-08-27 14:27:38 UTC
Will retest in next build

Comment 8 Simeon Pinder 2014-09-03 20:31:54 UTC
Moving to ON_QA as available for test with the following brew build:
https://brewweb.devel.redhat.com//buildinfo?buildID=381194

Comment 9 Simeon Pinder 2014-09-18 15:07:59 UTC
Summary: The new encode tool name is rhq-encode-value.sh instead of rhq-encode-password.sh(changed in ER02 after DR01 which is initial version reported against). Retest this BZ with that clarification. Leaving this ON_QA.

Detailed:
After some investigation and looking at https://bugzilla.redhat.com/show_bug.cgi?id=1128929#c1 and https://bugzilla.redhat.com/show_bug.cgi?id=1128929#c6 it looks like the confusion comes from the fact that the encode tool's name was changed and the documentation did not clarify the change. 
### See the following listing of the encode tool for ER0*
[spinder@fulliautomatix jon]$ ls -al jon-3.3.0.ER0*/jon-server-3.3.0.ER0*/bin/rhq-encode-*.sh
-rwxr-xr-x. 1 spinder spinder 1310 Aug 19 15:21 jon-3.3.0.ER01/jon-server-3.3.0.ER01/bin/rhq-encode-password.sh
-rwxr-xr-x. 1 spinder spinder 1307 Sep  2 13:03 jon-3.3.0.ER02/jon-server-3.3.0.ER02/bin/rhq-encode-value.sh
-rwxr-xr-x. 1 spinder spinder 1639 Sep 16 14:38 jon-3.3.0.ER03/jon-server-3.3.0.ER03/bin/rhq-encode-value.sh

Productized builds did pick up the old and new scripts as expected. Leaving this ON_QA.


Note You need to log in before you can comment on or make changes to this bug.