Bug 1402541 - Engine password obfuscation is too intrusive
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Infra
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Assignee: Ondra Machacek
QA Contact: Pavel Stehlik
Reported: 2016-12-07 18:51 UTC by jniederm
Modified: 2016-12-13 09:55 UTC (History)

Last Closed: 2016-12-13 09:27:43 UTC
oVirt Team: Infra


Attachments:
configure-engine.yml (374 bytes, text/plain), 2016-12-07 18:51 UTC, jniederm
ansible-output (7.42 KB, text/plain), 2016-12-07 18:53 UTC, jniederm
playbook-workaround.yml (357 bytes, text/plain), 2016-12-07 18:59 UTC, jniederm

Description jniederm 2016-12-07 18:51:42 UTC
Created attachment 1229204
configure-engine.yml

Description of problem:
Engine (or sdk) obfuscates (replaces with a series of '*') any password occurrence in the response to an ansible `ovirt_auth` plugin request in the fields `token` and `url` (maybe even in other fields). That leads to broken authentication for the following `ovirt_*` ansible plugin calls, with misleading error messages.

Version-Release number of selected component (if applicable):
ovirt-engine: 4.1 master, dev build, commit 620c403
ansible: 2.2.0.0
os: fedora 24

How reproducible:
100%

Steps to Reproduce:
1. Create an engine setup with the password contained in the hostname
   E.g. password: 'a', hostname: 'localhost'; 'localhost' contains 'a'
2. Automate some engine task using `ovirt_auth` and some other `ovirt_*` ansible plugin.

Actual results:
`ansible-playbook` fails with error 'Could not resolve host: loc********lhost'

Expected results:
Ansible playbook works ok.

Additional info:
The attachment contains the ansible playbook used and the full console output. The configuration was password: 'a' and hostname: 'happybox'. Please notice the '*' chars in the output of

  - debug:
      var: ovirt_auth

ok: [localhost] => {
    "ovirt_auth": {
        "ca_file": null, 
        "compress": true, 
        "insecure": true, 
        "kerberos": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
        "timeout": 0, 
        "token": "1gV5JQcKFtKTLMk6zz********OR9J-j1m********XENw7XOsk0irGTk5idWWGoRU3P77-M8CikhHcI********MBwCPyVF2uGiblf1PhQ", 
        "url": "https://h********ppybox:8443/ovirt-engine/********pi"
    }
}

Comment 1 jniederm 2016-12-07 18:53:26 UTC
Created attachment 1229205
ansible-output

Comment 2 jniederm 2016-12-07 18:59:02 UTC
Created attachment 1229207
playbook-workaround.yml

A workaround can be to use direct authentication for each `ovirt_*` plugin call.

Comment 3 Ondra Machacek 2016-12-13 09:27:43 UTC
This is a bug in Ansible, not oVirt. I will handle it.

Comment 4 Ondra Machacek 2016-12-13 09:48:53 UTC
Issue for Ansible opened here: 

 https://github.com/ansible/ansible/issues/19278
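
The failure described in this report, reproduced as an added example (not code from Ansible, oVirt or the reporter): a simplified model of substring-based secret masking, run with the report's password 'a' and hostname 'happybox'. The function names, the token value and the idea of masking only a display copy are assumptions made for illustration.

```python
"""Added illustration: a simplified model of substring-based secret masking.
Not code from Ansible or oVirt; names and the token value are constructed."""
MASK = "********"

def redact(value, secrets):
    """Replace every occurrence of each secret inside any string of `value`."""
    if isinstance(value, str):
        for secret in secrets:
            if secret:  # an empty secret would match everywhere
                value = value.replace(secret, MASK)
        return value
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, secrets) for v in value]
    return value  # numbers, booleans, None pass through

def collisions(value, secrets, path=""):
    """Paths of strings that are not a secret themselves but would be altered."""
    if isinstance(value, dict):
        return [p for k, v in value.items()
                for p in collisions(v, secrets, f"{path}.{k}".lstrip("."))]
    if isinstance(value, list):
        return [p for i, v in enumerate(value)
                for p in collisions(v, secrets, f"{path}[{i}]")]
    if isinstance(value, str) and value not in secrets:
        return [path] if redact(value, secrets) != value else []
    return []

def split_views(result, secrets):
    """Keep data for later tasks intact; mask only the copy meant for display."""
    return result, redact(result, secrets)

# Constructed sample shaped like the ovirt_auth output in the report.
AUTH = {
    "url": "https://happybox:8443/ovirt-engine/api",
    "token": "constructed-token-a1b2",
    "insecure": True,
}

if __name__ == "__main__":
    print(redact(AUTH, ["a"])["url"])
    print(collisions(AUTH, ["a"]))
    data, shown = split_views(AUTH, ["a"])
    print(data["url"], "|", shown["url"])
```

Running `collisions` over a task result before it is reused flags any field that masking would corrupt, which is the case a short password triggers here.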

