Bug 1331556 - Detect Undercloud logs cleartext undercloud password to production.log
Summary: Detect Undercloud logs cleartext undercloud password to production.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Quickstart Cloud Installer
Classification: Red Hat
Component: fusor-server
Version: 1.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ga
Target Release: 1.0
Assignee: Derek Whatley
QA Contact: Tasos Papaioannou
URL:
Whiteboard:
Depends On:
Blocks: qci-sprint-17
Reported: 2016-04-28 19:24 UTC by Tasos Papaioannou
Modified: 2016-09-13 16:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-13 16:28:54 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1862 0 normal SHIPPED_LIVE Red Hat Quickstart Installer 1.0 2016-09-13 20:18:48 UTC

Description Tasos Papaioannou 2016-04-28 19:24:19 UTC
Description of problem:

Detect Undercloud logs the undercloud's SSH password in cleartext to /var/log/foreman/production.log, e.g.,

2016-04-28 15:21:26 [I] Connecting to database specified by database.yml
2016-04-28 15:21:26 [I] Processing by Fusor::Api::Openstack::UndercloudsController#create as JSON
2016-04-28 15:21:26 [I]   Parameters: {"underhost"=>"192.0.2.254", "underuser"=>"root", "underpass"=>"changeme", "deployment_id"=>"2", "undercloud"=>{"underhost"=>"192.0.2.254", "underuser"=>"root", "underpass"=>"changeme", "deployment_id"=>"2"}}
2016-04-28 15:21:27 [I] Completed 200 OK in 698ms (Views: 30.9ms | ActiveRecord: 35.6ms)


Version-Release number of selected component (if applicable):

QCI-1.1-RHEL-7-20160428.t.0

How reproducible:

100%

Steps to Reproduce:
1.) Enter ssh credentials for undercloud on Detect Undercloud tab.
2.) See the password logged in /var/log/foreman/production.log.

Actual results:

Cleartext password logged in production.log

Expected results:

Password not logged in production.log.

Additional info:

Comment 1 Derek Whatley 2016-07-12 20:32:37 UTC
I'm thinking this can be resolved by changing the key names to include the substring "password" rather than "pass" due to the filtering settings currently in place.

underpass => undercloud_password
underuser => undercloud_user
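
Added example, not code from the bug or from the fusor PR: a minimal stand-in for the Rails-style parameter filter that Comment 1 relies on (a configured `:password` entry becomes a case-insensitive substring match on parameter keys, applied recursively to nested hashes). It shows why `underpass` is logged in the clear while `undercloud_password` is masked; the request parameters are constructed to mirror the log lines in the description.

```ruby
# Added example (not fusor's code): a simplified reimplementation of how a
# Rails parameter filter masks request params before they reach production.log.
# Each configured filter (e.g. :password) is turned into a case-insensitive
# regex and matched as a substring of the key; nested hashes are filtered too.
FILTERED = "[FILTERED]".freeze

class ParamFilter
  def initialize(filters)
    @patterns = filters.map { |f| f.is_a?(Regexp) ? f : /#{Regexp.escape(f.to_s)}/i }
  end

  def filter(params)
    params.each_with_object({}) do |(key, value), out|
      out[key] =
        if @patterns.any? { |re| key.to_s =~ re }
          FILTERED             # key matched a filter: mask the value
        elsif value.is_a?(Hash)
          filter(value)        # recurse into nested params such as "undercloud"
        else
          value
        end
    end
  end
end

# Constructed params as sent before the fix: "underpass" does not contain the
# substring "password", so the :password filter leaves the secret untouched.
def old_params_filtered
  params = {
    "underhost" => "192.0.2.254", "underuser" => "root", "underpass" => "changeme",
    "deployment_id" => "2",
    "undercloud" => { "underhost" => "192.0.2.254", "underuser" => "root",
                      "underpass" => "changeme", "deployment_id" => "2" }
  }
  ParamFilter.new([:password]).filter(params)
end

# Same request after the rename from Comment 1: "undercloud_password" matches
# the :password filter at both nesting levels, so only "[FILTERED]" is logged.
def new_params_filtered
  params = {
    "undercloud_host" => "192.0.2.254", "undercloud_user" => "root",
    "undercloud_password" => "changeme", "deployment_id" => "2",
    "undercloud" => { "undercloud_host" => "192.0.2.254", "undercloud_user" => "root",
                      "undercloud_password" => "changeme", "deployment_id" => "2" }
  }
  ParamFilter.new([:password]).filter(params)
end
```

The non-secret keys (host, user, deployment_id) are left readable in both cases, which is what the verified log in Comment 9 shows.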

Comment 2 Derek Whatley 2016-07-14 21:26:27 UTC
PR at https://github.com/fusor/fusor/pull/1042

Comment 3 Derek Whatley 2016-07-20 13:21:08 UTC
PR 1042 has been merged.

Comment 5 John Matthews 2016-07-20 22:47:01 UTC
QCI-1.2-RHEL-7-20160720.t.0-QCI-x86_64-dvd1.iso

Comment 9 Tasos Papaioannou 2016-07-22 18:32:50 UTC
Verified on QCI-1.2-RHEL-7-20160720.t.0:

----
2016-07-22 10:58:11 [app] [I] Started POST "/fusor/api/openstack/deployments/1/underclouds" for 10.13.57.116 at 2016-07-22 10:58:11 -0400
2016-07-22 10:58:11 [app] [I] Processing by Fusor::Api::Openstack::UndercloudsController#create as JSON
2016-07-22 10:58:11 [app] [I]   Parameters: {"undercloud_host"=>"192.168.101.1", "undercloud_user"=>"root", "undercloud_password"=>"[FILTERED]", "deployment_id"=>"1", "undercloud"=>{"undercloud_host"=>"192.168.101.1", "undercloud_user"=>"root", "undercloud_password"=>"[FILTERED]", "deployment_id"=>"1"}}
2016-07-22 10:58:12 [app] [I] Completed 200 OK in 604ms (Views: 9.6ms | ActiveRecord: 35.8ms)
----

Comment 11 errata-xmlrpc 2016-09-13 16:28:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:1862

