Description of problem:
Providing a root password in the customize tab is logged in clear text.

[----] I, [2015-06-30T16:38:04.334311 #3605:b93ea8] INFO -- : Q-task_id([miq_provision_12000000000018]) MIQ(MiqProvisionRedhat#log_clone_options) Prov Options: [:dns_servers](String) = "8.8.8.83"
[----] I, [2015-06-30T16:38:04.334370 #3605:b93ea8] INFO -- : Q-task_id([miq_provision_12000000000018]) MIQ(MiqProvisionRedhat#log_clone_options) Prov Options: [:dns_suffixes](NilClass) = nil
[----] I, [2015-06-30T16:38:04.334429 #3605:b93ea8] INFO -- : Q-task_id([miq_provision_12000000000018]) MIQ(MiqProvisionRedhat#log_clone_options) Prov Options: [:root_password](String) = "smartvm"
[----] I, [2015-06-30T16:38:04.334499 #3605:b93ea8] INFO -- : Q-task_id([miq_provision_12000000000018]) MIQ(MiqProvisionRedhat#log_clone_options) Prov Options: [:addr_mode][0](String) = "dhcp"
[----] I, [2015-06-30T16:38:04.334561 #3605:b93ea8] INFO -- : Q-task_id([miq_provision_12000000000018]) MIQ(MiqProvisionRedhat#log_clone_options) Prov Options: [:addr_mode][1](String) = "DHCP"

Version-Release number of selected component (if applicable):
5.4.0.5

How reproducible:
very

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
The dumpObj method allows for an options hash which can define "protected" filters. This needs to be implemented in the calls where we are dumping the provision options. See /vmdb/app/models/miq_provision_vmware/cloning.rb and vmdb/app/models/miq_provision_task_configured_system_foreman/options_helper.rb for examples. The workflow has a class method that defines the protected fields for a task (self.encrypted_options_fields) which we might want to use to ensure new fields are hidden if they are added. The workflow could be loaded from the task using the MiqProvisionWorkflow.class_for_source(source) method.
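The filtering described in the comment above, sketched as an added example (not ManageIQ's dumpObj code and not part of the original comment). The helper `dump_options`, the mask string, the contents of `ENCRYPTED_OPTIONS_FIELDS` and the `:extra` key are assumptions made for illustration; the sample hash is constructed from the option names in the log excerpt.

```ruby
# Added example with hypothetical names; not ManageIQ's dumpObj implementation.
PROTECTED_MASK = "<PROTECTED>".freeze

# Stand-in for the list a workflow's encrypted_options_fields would return
# (assumed contents).
ENCRYPTED_OPTIONS_FIELDS = %i[root_password sysprep_password].freeze

# Walk a nested options structure and return one line per leaf value, in the
# "[:key](Class) = value" shape of the Prov Options lines in the report.
# A leaf is masked when any Hash key on its path names a protected field, so
# arrays and sub-hashes stored under a protected key are covered as well.
def dump_options(obj, protected_fields, path = "", hidden = false, lines = [])
  case obj
  when Hash
    obj.each do |key, value|
      dump_options(value, protected_fields, "#{path}[#{key.inspect}]",
                   hidden || protected_fields.include?(key.to_s.to_sym), lines)
    end
  when Array
    obj.each_with_index do |value, idx|
      dump_options(value, protected_fields, "#{path}[#{idx}]", hidden, lines)
    end
  else
    # Decide on the key path, never on the value, so the secret is not inspected.
    shown = hidden ? PROTECTED_MASK : obj.inspect
    lines << "#{path}(#{obj.class}) = #{shown}"
  end
  lines
end

# Constructed sample; :extra is a made-up key showing a nested, string-keyed secret.
SAMPLE_OPTIONS = {
  :dns_servers   => "8.8.8.83",
  :dns_suffixes  => nil,
  :root_password => "smartvm",
  :addr_mode     => ["dhcp", "DHCP"],
  :extra         => {"root_password" => "nested-secret"}
}.freeze

dump_options(SAMPLE_OPTIONS, ENCRYPTED_OPTIONS_FIELDS).each do |line|
  puts "Prov Options: #{line}"
end
```

Driving the mask from a single field list owned by the workflow means a newly added secret field is hidden in every provider's log output without touching each logging call.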
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/58e3ffcaef48b7e662a6341f49378c7399f3f4b0

commit 58e3ffcaef48b7e662a6341f49378c7399f3f4b0
Author:     Keenan Brock <kbrock>
AuthorDate: Mon Jul 6 16:02:59 2015 -0400
Commit:     Keenan Brock <kbrock>
CommitDate: Tue Jul 7 10:53:25 2015 -0400

    Don't log provisioning passwords from options

    leverage workflow's encryption_option_fields to filter options sent to dumpObject

    https://bugzilla.redhat.com/show_bug.cgi?id=1238391

 app/models/miq_provision_amazon/cloning.rb    |  2 +-
 app/models/miq_provision_microsoft/cloning.rb |  2 +-
 app/models/miq_provision_openstack/cloning.rb |  2 +-
 app/models/miq_provision_redhat/cloning.rb    |  2 +-
 app/models/miq_provision_vmware/cloning.rb    |  2 +-
 app/models/miq_request_workflow.rb            |  4 ++++
 app/models/mixins/miq_provision_mixin.rb      |  6 +++++-
 spec/models/miq_provision_redhat_spec.rb      | 16 ++++++++++++++++
 8 files changed, 30 insertions(+), 6 deletions(-)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:2551