Bug 1384417 - [TEXT] engine-setup suggests creating remote db users with passwords being the username
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.1.0-alpha
Target Release: 4.1.0
Assignee: Yedidyah Bar David
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-13 09:17 UTC by Lucie Leistnerova
Modified: 2017-05-11 09:24 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-01 14:38:09 UTC
oVirt Team: Integration
rule-engine: ovirt-4.1+
rule-engine: planning_ack+
sbonazzo: devel_ack+
pstehlik: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 65699 0 master MERGED packaging: setup: Do not suggest to use password 'engine' 2016-10-25 12:55:16 UTC

Description Lucie Leistnerova 2016-10-13 09:17:44 UTC
Description of problem:
When a user uses a weak password like 'dump', 'Environment' or 'engine' for the database role or the engine admin, all occurrences of that string in the setup log (even where it is not a password) are substituted with **FILTERED**.
The password can then be guessed.

based on https://bugzilla.redhat.com/show_bug.cgi?id=1105507#c2

I ran into this problem when I wanted to install the engine on a remote DB server, and engine-setup says:

ATTENTION
         
          Manual action required.
          Please create database for ovirt-engine use. Use the following commands as an example:
         
          create role engine with login encrypted password 'engine';

so I copied the statement and ran it in psql. Then I had something like this in the log:
2016-10-13 09:38:17 DEBUG otopi.context context._executeMethod:128 Stage setup METHOD otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**_dwh.core.misc.Plugin._setup
2016-10-13 09:38:17 DEBUG otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**_dwh.core.misc misc._setup:65 dwh version: ovirt-**FILTERED**-dwh-4.0.2 (4.0.2)
2016-10-13 09:38:17 DEBUG otopi.context context.dumpEnvironment:760 ENVIRONMENT DUMP - BEGIN
2016-10-13 09:38:17 DEBUG otopi.context context.dumpEnvironment:770 ENV OVESETUP_CORE/setupAttributesModules=list:'[<module 'ovirt_**FILTERED**_setup.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.**FILTERED**.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/**FILTERED**/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.**FILTERED**_common.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/**FILTERED**_common/constants.pyc'>, <module 'ovirt_**FILTERED**_setup.dwh.constants' from '/usr/share/ovirt-**FILTERED**/setup/ovirt_**FILTERED**_setup/dwh/constants.pyc'>]'


Closing this as WONTFIX because only root can see the logs is not a solution. Why then are the passwords filtered at all?

Version-Release number of selected component (if applicable):
otopi-1.5.2-1.el7ev.noarch

Actual results: all occurrences of the string are substituted

Expected results: engine-setup doesn't allow passwords that can match some words
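The blanket filtering the report describes, as an added example that is not otopi's or engine-setup's own code: a substitution filter run over constructed log lines, a count of how many replacements hit an identifier rather than a quoted value, and a pre-check that flags a remote-DB password colliding with names known to appear in the log. The token list and the 8-character floor are assumptions.

```python
import re

FILTERED = "**FILTERED**"

# Constructed log lines in the otopi format quoted in the report; the password
# value is in the clear here only so the filter has something to mask.
SAMPLE_LOG = [
    "2016-10-13 09:38:17 DEBUG otopi.context context.dumpEnvironment:770 "
    "ENV OVESETUP_DB/password=str:'engine'",
    "2016-10-13 09:38:17 DEBUG otopi.context context._executeMethod:128 "
    "Stage setup METHOD otopi.plugins.ovirt_engine_common.core.misc.Plugin._setup",
]
# Assumed list of identifiers that routinely appear in engine-setup logs.
KNOWN_TOKENS = ["ovirt_engine_setup", "ovirt-engine-dwh", "OVESETUP_CORE",
                "dumpEnvironment", "Environment"]

def filter_secrets(line, secrets):
    """Blanket substitution as the report describes: every occurrence of each
    secret is replaced, whether or not it is acting as a password."""
    for secret in (s for s in secrets if s):
        line = line.replace(secret, FILTERED)
    return line

def collateral_masking(lines, secrets):
    """Count replacements that hit something other than a quoted value, i.e.
    identifiers mangled because a secret is a substring of them."""
    secrets = [s for s in secrets if s]
    if not secrets:
        return 0
    quoted = re.compile("'(" + "|".join(map(re.escape, secrets)) + ")'")
    return sum(sum(line.count(s) for s in secrets) - len(quoted.findall(line))
               for line in lines)

def context_collisions(password, known_tokens=KNOWN_TOKENS):
    """Known identifiers containing the password (case-insensitive); each one
    would leave a recognisable **FILTERED** hole in the log."""
    p = password.lower()
    return [t for t in known_tokens if p and p in t.lower()]

def remote_db_password_warnings(password, known_tokens=KNOWN_TOKENS):
    """Warnings in the spirit of '[WARNING] Password is weak: {reason}' for the
    remote-DB prompt that has none; the 8-character floor is an assumption."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    hits = context_collisions(password, known_tokens)
    if hits:
        reasons.append("occurs inside log identifiers: " + ", ".join(hits))
    return reasons
```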

Comment 1 Yedidyah Bar David 2016-10-13 10:36:57 UTC
(In reply to Lucie Leistnerova from comment #0)
> Actual results: all occurrences of the string are substituted
> 
> Expected results: engine-setup doesn't allow passwords that can match some
> words

1. These two do not contradict each other. You can, if you wish, require both "Only occurrences of passwords as such should be substituted" and your current expected results. This was already discussed in the linked bug 1105507.

2. engine-setup currently already emits:
[WARNING] Password is weak: {reason}

Did you get such a warning? If not, that might be a bug.

3. If you did, do you really claim we should forbid such passwords, instead of just warn against them? If so, then I personally disagree - I think we should not police our users, the warning should really be enough.

4. If you are disturbed by this for your own use, and/or want a simple recommendation you can give others, then I suggest this: for real production use, use a real password. For testing/etc., where security is not important, still use something unlikely to appear in the logs. E.g. instead of 'engine', use 'engine123' (and don't use this for other things, such as your hostname :-)).

Bottom line: I suggest closing as wontfix. If you disagree, please get PM agreement. Thanks!

Comment 2 Sandro Bonazzola 2016-10-20 06:56:16 UTC
Closing wontfix according to comment #1 and email discussion.

Comment 3 Lucie Leistnerova 2016-10-25 09:00:31 UTC
Warning for weak password is shown by engine-setup for the admin password, so that's OK. If you enter credentials for remote databases there is no such warning.

Comment 4 Sandro Bonazzola 2016-10-25 12:58:15 UTC
(In reply to Lucie Leistnerova from comment #3)
> Warning for weak password is shown by engine-setup for the admin password,
> so that's OK. If you enter credentials for remote databases there is no such
> warning.

Dropping the suggestion to use 'engine' as the password in this case.

Comment 5 Yedidyah Bar David 2016-10-25 13:01:36 UTC
(In reply to Sandro Bonazzola from comment #4)
> (In reply to Lucie Leistnerova from comment #3)
> > Warning for weak password is shown by engine-setup for the admin password,
> > so that's OK. If you enter credentials for remote databases there is no such
> > warning.
> 
> Dropping the suggestion to use 'engine' as the password in this case.

Changing summary line accordingly.

Comment 6 Lucie Leistnerova 2016-12-05 12:41:53 UTC
The text in engine-setup for the remote DB is OK.

Verified in ovirt-engine-4.1.0-0.2.master.20161204231323.gite9669ad.el7.centos.noarch

