
Bug 1513620

Summary: Evm.log contains passwords
Product: [oVirt] ovirt-engine-sdk-ruby
Reporter: Juan Hernández <juan.hernandez>
Component: Core
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED CURRENTRELEASE
QA Contact: Radim Hrazdil <rhrazdil>
Severity: urgent
Priority: high
Version: 4.1.12
CC: bugs, hhovsepy, jhardy, jprause, jrafanie, kseifried, lveyde, obarenbo
Target Milestone: ovirt-4.1.8
Flags: rule-engine: ovirt-4.1+
Target Release: 4.1.13
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.1.13
Doc Type: If docs needed, set a value
Clone Of: 1512977
Last Closed: 2017-12-11 16:31:25 UTC
Type: Bug
oVirt Team: Infra
Cloudforms Team: RHEVM
Bug Blocks: 1512977

Description Juan Hernández 2017-11-15 17:05:36 UTC
+++ This bug was initially created as a clone of Bug #1512977 +++

Description of problem:
Added RHEVM Infrastructure provider, there is some error in fetching data from it.
Checking evm.log file, I can see my RHEVM provider's password logged as open text.


Version-Release number of selected component (if applicable):
5.9.0.8.20171109215303_ed87902

How reproducible:
When there is some ERROR in fetching data from RHEVM provider.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-11-14 09:32:45 EST ---

Since this issue was entered in bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Hayk Hovsepyan on 2017-11-14 12:09:01 EST ---

Error is logged when RHEVM connection has timeouts:

[----] E, [2017-11-14T04:29:44.020407 #6232:119313c] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::FuturesCollector#wait_on_all_futures_ignoring_results) failed waiting on #<ManageIQ::Providers::Redhat::InfraManager::FuturesCollector::KeyedValue:0x0000000bf5dbf0 @key="vm_985c787c-1cc5-4e7b-9cb4-390243021336_disk_attachments", @value=#<OvirtSDK4::Future:0x0000000bf5dd58 @service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 @parent=#<OvirtSDK4::VmService:0x0000000bf5f7c0 @parent=#<OvirtSDK4::VmsService:0x00000003b1e4e8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 @parent=#<OvirtSDK4::Connection:0x0000000baaa220 @url="MY_URL", @username="MY_USERNAME", @password="MY_PASSWORD", @token="jdkdS4QnGIQ6IDOLqQHJNHuPJqbNXQ57YMc7DZMMXvCpolYN6yptI-sU59apiwsSC_8iMkmj9VmIo-Reu32Tdg", @insecure=true, @ca_file=nil, @ca_certs=nil, @debug=false, @log=#<Vmdb::Loggers::MulticastLogger:0x000000029579a8 @loggers=#<Set: {#<VMDBLogger:0x00000002957c50 @progname=nil, @level=1, @default_formatter=#<Logger::Formatter:0x00000002957bd8 @datetime_format=nil>, @formatter=#<VMDBLogger::Formatter:0x00000002957a98 @datetime_format=nil>, @logdev=#<Logger::LogDevice:0x00000002957b60 @shift_size=1048576, @shift_age=0, @filename=#<Pathname:/var/www/miq/vmdb/log/rhevm.log>, @dev=#<File:/var/www/miq/vmdb/log/rhevm.log>, @mon_owner=nil, @mon_count=0, @mon_mutex=#<Thread::Mutex:0x00000002957b38>>, @write_lock=#<Thread::Mutex:0x00000002957a70>, @local_levels={}, @thread_hash_level_key=:"ThreadSafeLogger#21675560@level">}>, @level=1, @thread_hash_level_key=:"ThreadSafeLogger#21675220@level">, @kerberos=false, @timeout=3600, @compress=true, @proxy_url=nil, @proxy_username=nil, @proxy_password=nil, @headers=nil, @connections=0, @pipeline=0, @ca_store=nil, @mutex=#<Thread::Mutex:0x0000000baaa158>, @client=#<OvirtSDK4::HttpClient:0x0000000baa9f28>, @system_service=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>>, @path="", @clusters_service=#<OvirtSDK4::ClustersService:0x00000003b10f50 
@parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="clusters">, @storage_domains_service=#<OvirtSDK4::StorageDomainsService:0x00000003b15118 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="storagedomains">, @hosts_service=#<OvirtSDK4::HostsService:0x00000003b19b00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="hosts">, @vms_service=#<OvirtSDK4::VmsService:0x00000003b1e4e8 ...>, @templates_service=#<OvirtSDK4::TemplatesService:0x00000003b20d60 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="templates">, @networks_service=#<OvirtSDK4::NetworksService:0x00000003b2bd00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="networks">, @data_centers_service=#<OvirtSDK4::DataCentersService:0x00000003b28ee8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="datacenters">, @disks_service=#<OvirtSDK4::DisksService:0x00000003b31908 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="disks">>, @path="vms">, @path="985c787c-1cc5-4e7b-9cb4-390243021336", @disk_attachments_service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 ...>>, @path="diskattachments">, @request=#<OvirtSDK4::HttpRequest:0x0000000bf5f4c8>, @block=#<Proc:0x0000000bf5dc90@/opt/rh/rh-ruby23/root/usr/share/gems/gems/ovirt-engine-sdk-4.1.9/lib/ovirtsdk4/service.rb:149>>>, due to: Can't send request: SSL connect error

--- Additional comment from Juan Hernández on 2017-11-15 12:00:51 EST ---

This problem could be solved by avoiding the use of the `inspect` method when writing log messages. But as that seems to be a common practice, we will instead modify the SDK so that the `inspect` and `to_s` methods do not include sensitive information like the user name and password in the string that they return.
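
The mechanism behind the leak and the fix described above, as an added example that is not part of the original bug report or the SDK's code: Ruby's default `inspect` recurses through instance variables, so inspecting any object that holds a reference to the connection prints the password, and overriding `inspect`/`to_s` on the connection cuts that off. The class names, URL and credentials are constructed stand-ins.

```ruby
# Added illustration: these classes are stand-ins, not the SDK's own code.

# Before: relies on Ruby's default Object#inspect, which prints every
# instance variable and recurses into the objects they reference.
class LeakyConnection
  def initialize(url:, username:, password:)
    @url = url
    @username = username
    @password = password
  end
end

# After: inspect and to_s return only the class name and the URL.
class RedactedConnection < LeakyConnection
  def inspect
    "#<#{self.class.name}:#{@url}>"
  end
  alias to_s inspect
end

# Hypothetical child object that keeps a reference to its connection,
# the way the services in the logged message keep a @parent.
class HypotheticalService
  def initialize(parent, path)
    @parent = parent
    @path = path
  end
end

# Builds an error message the way the failing log call did: by
# interpolating `inspect` of an object that can reach the connection.
def log_line_for(connection_class)
  connection = connection_class.new(
    url: 'https://engine.example/ovirt-engine/api', # constructed sample values
    username: 'admin@internal',
    password: 'constructed-secret'
  )
  service = HypotheticalService.new(connection, 'vms')
  "failed waiting on #{service.inspect}, due to: timeout"
end

def leaks_secret?(line)
  line.include?('constructed-secret')
end

puts log_line_for(LeakyConnection)
puts log_line_for(RedactedConnection)
```

The same `leaks_secret?` style of check can be kept as a regression test so that a later refactoring of `inspect` does not reintroduce the credential into log output.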

Comment 1 Juan Hernández 2017-11-28 17:16:35 UTC
To verify, create a script that creates a connection and prints it:

---8<---
require 'logger'
require 'ovirtsdk4'

# Create the connection to the server:
connection = OvirtSDK4::Connection.new(
  url: 'https://engine42.local/ovirt-engine/api',
  username: 'admin@internal',
  password: 'redhat123',
  insecure: true,
  debug: true,
  log: Logger.new('test.log')
)

# Print the connection:
puts("connection.to_s: #{connection.to_s}")
puts("connection.inspect: #{connection.inspect}")

# Print a service:
service = connection.system_service.vms_service
puts("service.to_s: #{service.to_s}")
puts("service.inspect: #{service.inspect}")

# Close the connection to the server:
connection.close
--->8---

The result should *not* contain the password; it should be the following:

  connection.to_s: #<OvirtSDK4::Connection:https://engine42.local/ovirt-engine/api>
  connection.inspect: #<OvirtSDK4::Connection:https://engine42.local/ovirt-engine/api>
  service.to_s: #<OvirtSDK4::VmsService:vms>
  service.inspect: #<OvirtSDK4::VmsService:vms>

Comment 2 Radim Hrazdil 2017-11-28 21:23:12 UTC
Verified that the script suggested by Juan doesn't print out the RHEVM credential. Used sdk version 4.2.0.beta2, RHVM 4.1.8.1-0.1.el7.