Bug 1540261 - metrics host deployment playbooks logs private key
Summary: metrics host deployment playbooks logs private key
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-metrics
Classification: oVirt
Component: Generic
Version: unspecified
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.2.2
: ---
Assignee: Shirly Radco
QA Contact: Lukas Svaty
URL:
Whiteboard:
Depends On: 1540260
Blocks: 1475135
Reported: 2018-01-30 16:09 UTC by Lukas Svaty
Modified: 2018-03-29 11:01 UTC (History)

Fixed In Version: ovirt-engine-metrics-1.1.3-1.el7ev
Doc Type: Bug Fix
Doc Text:
Cause: The private key was readable in the metrics host deployment playbook logs. Consequence: Security issue. Fix: Added an Ansible parameter that does not write the key to the log. Result: The private key is no longer saved to the log.
Clone Of:
Environment:
Last Closed: 2018-03-29 11:01:20 UTC
oVirt Team: Metrics
Embargoed:
rule-engine: ovirt-4.2+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1540622 0 medium CLOSED logs are world-readable 2021-02-22 00:41:40 UTC
oVirt gerrit 87255 0 master MERGED ansible: avoid logging private key 2018-02-11 13:17:25 UTC

Internal Links: 1540622

Description Lukas Svaty 2018-01-30 16:09:57 UTC
Description of problem:
PRIVATE KEY should not be logged inside ansible playbooks logs.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy host
2. Check log ovirt-host-deploy-ansible-20180130145841-10.37.137.31-c8783a6a-b17a-4945-8ace-ea69bf0b5564.log | grep -i "private key"
        "fluentd_elasticsearch_client_key": "-----BEGIN PRIVATE KEY-----\n
...omitted output...
-----END PRIVATE KEY-----"


Actual results:
private key visible in logs

Expected results:
no secret info in logs

Comment 1 Lukas Svaty 2018-01-30 16:10:17 UTC
ovirt-engine-metrics-1.1.2.2-1.el7ev.noarch

Comment 2 Shirly Radco 2018-01-31 13:17:15 UTC
Didi, can you please take a look?

Comment 3 Yedidyah Bar David 2018-01-31 14:39:57 UTC
You can add 'no_log' to tasks that handle such stuff. In current case, something like:

- name: Read fluentd elasticsearch client key
  set_fact:
    fluentd_elasticsearch_client_key: "{{ lookup('file', local_fluentd_elasticsearch_client_key_path) }}"
  no_log: true
  when:
    - fluentd_output_plugin == fluentd_output_plugin_elasticsearch
    - local_fluentd_elasticsearch_client_key_path_exists.stat.exists

But please verify, because this option is module-specific.

Also, it's about time we protect log directories. Now filed bug 1540622 and bug 1540627. But we should also solve current - users might share logs for debugging, etc.

Comment 5 Lukas Svaty 2018-03-20 11:29:05 UTC
# grep KEY /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log

OK

[root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
        "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n
...omitted output ...
-----END CERTIFICATE-----"
        "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n
... omitted output ...
\n-----END CERTIFICATE-----"

FailedQA

Comment 6 Red Hat Bugzilla Rules Engine 2018-03-20 11:29:10 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 7 Yedidyah Bar David 2018-03-20 13:04:31 UTC
(In reply to Lukas Svaty from comment #5)
> # grep KEY
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
> 
> OK

Good

> 
> [root@1-2-3-8 ovirt-engine-metrics]# grep CERTIFICATE
> /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20180320121249-1.
> 2.3.31-5f2362ba-9596-4118-aa76-7fd5680e05d7.log
>         "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\n
> ...omitted output ...
> -----END CERTIFICATE-----"
>         "fluentd_elasticsearch_client_cert": "-----BEGIN CERTIFICATE-----\n
> ... omitted output ...
> \n-----END CERTIFICATE-----"
> 
> FailedQA

Why?

This bug is about private keys, not about certificates. Any reason to hide the latter?

Comment 8 Lukas Svaty 2018-03-20 13:14:27 UTC
I would prefer if the log would be cleansed of private information, that people won't share in Bugzilla in their bug reports, in one bug so we won't have in docs in 2 releases that we are removing confidential data in logs. However, if you believe it would be easier for your side to have a 2nd bug I don't mind creating it.

Regarding the CERTIFICATE, I believe it shouldn't be a security issue as it's only the certificate of the elasticsearch, but I would still rather have no certificates in logs than just the 'safe' ones.

Comment 9 Lukas Svaty 2018-03-20 13:27:58 UTC
After discussion with DEV, moving to VERIFIED based on the PRIVATE KEY part, which is not shown in logs.

Leaving the CERTIFICATES available in logs should not be any security risk without the mentioned PRIVATE KEYS.
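The verification in comments 5, 7 and 9 boils down to one question: does the host-deploy log still contain PEM blocks, and are any of them private keys rather than certificates? The following scanner is an added example for that check; it is not part of ovirt-engine-metrics, and the log excerpt it embeds is a constructed sample with placeholder PEM bodies, shaped like the JSON-escaped output shown above.

```python
import re

# One PEM block, capturing its label ("PRIVATE KEY", "CERTIFICATE", ...).
# The ansible log stores the PEM inside a JSON string, so the line breaks
# appear as literal "\n" sequences; DOTALL lets the body span real newlines too.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# PEM labels whose contents are secret. Certificates are public and are
# deliberately not listed, matching the outcome of the discussion above.
SECRET_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}


def scan_log(text):
    """Return [(label, is_secret), ...] for every PEM block found in the log text."""
    found = []
    for m in PEM_RE.finditer(text):
        label = m.group("label").strip()
        found.append((label, label in SECRET_LABELS))
    return found


def secret_material_present(text):
    """True if any PEM block in the log carries private-key material."""
    return any(is_secret for _, is_secret in scan_log(text))


def scan_log_file(path):
    """Convenience wrapper: scan a host-deploy log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read())


# Constructed sample resembling the host-deploy log excerpts above;
# the base64 bodies are placeholders, not real key or certificate material.
SAMPLE_LOG = (
    '        "fluentd_elasticsearch_ca_cert": "-----BEGIN CERTIFICATE-----\\n'
    'MIIBCONSTRUCTEDSAMPLE\\n-----END CERTIFICATE-----",\n'
    '        "fluentd_elasticsearch_client_key": "-----BEGIN PRIVATE KEY-----\\n'
    'MIIBCONSTRUCTEDSAMPLE\\n-----END PRIVATE KEY-----"\n'
)

if __name__ == "__main__":
    for label, is_secret in scan_log(SAMPLE_LOG):
        print(f"{label}: {'SECRET, must not be logged' if is_secret else 'public'}")
    print("FailedQA" if secret_material_present(SAMPLE_LOG) else "OK")
```

Run against a real log with `scan_log_file("/var/log/ovirt-engine/host-deploy/<file>.log")`; a result with only `CERTIFICATE` entries corresponds to the state accepted in comment 9, while any secret label reproduces the original finding.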

Comment 10 Sandro Bonazzola 2018-03-29 11:01:20 UTC
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

