Description of problem: While thinking about what work bug 1169098 will require, I also thought about whether we have there new secrets to manage/filter/obfuscate/etc. I think that if at all possible, code doing that for secrets (e.g. in log-collector, populating otopi's LOG_FILTER_KEYS in setup, etc) should be able to use meta-data defined near the key definitions, e.g. having something like: @osetupattrs( secret=True, ) def STORE_PASS(self): return 'OVESETUP_PKI/storePassword'
Closing old RFEs.
I'd rather fix it. Not sure it's easy to do for both engine-setup and log-collector at once, but doing for engine-setup-only should be easy, and would have helped prevent e.g. bug 1371613 and bug 1363816. Once we do that, I also thought it will be useful to automatically filter in otopi every env key whose name includes 'password', 'secret', 'private', etc., unless proactively un-filtered (which will require a bit more work, but not much).
(In reply to Yedidyah Bar David from comment #2) > I'd rather fix it. Not sure it's easy to do for both engine-setup and > log-collector at once, but doing for engine-setup-only should be easy, and > would have helped prevent e.g. bug 1371613 and bug 1363816. Once we do that, > I also thought it will be useful to automatically filter in otopi every env > key whose name includes 'password', 'secret', 'private', etc., unless > proactively un-filtered (which will require a bit more work, but not much). If you have the resources, I'm fine with fixing it.
Only user-visible change is that OVESETUP_CONFIG/remoteEngineHostRootPassword should now be added to CORE/logFilterKeys a tiny bit earlier (as can be seen in the engine-setup log file).
ok, ovirt-engine-setup-4.2.0-0.0.master.20171012160334.git6fb4578.el7.centos.noarch 4.2 2017-10-13 15:08:45,060+0200 DEBUG otopi.plugins.otopi.core.log log._validation:384 _filtered_keys_at_setup: ['OVESETUP_DWH_DB/password', 'OVESETUP_DB/password', 'OVESETUP_CONFIG/remoteEngineHostRootPassword', 'OVESETUP_DB/password', 'OVESETUP_PKI/storePassword', 'OVESETUP_CONFIG/adminPassword', 'OVESET UP_OVN/ovirtProviderOvnSecret'] vs 4.1 2016-08-20 00:08:58 DEBUG otopi.context context.dumpEnvironment:770 ENV CORE/logFilterKeys=list:'['OVESETUP_DB/password', 'OVESETUP_DWH_DB/password', 'OVESETUP_DB/password', 'OVESETUP_CONFIG/adminPassword', 'OVESETUP_PKI/storePassword', 'OVESETUP_CONFIG/remoteEngineHostRootPassword']'
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.