Bug 1571117 - HE-VM appliance and admin password saved in the setup log file as clear text executing from cockpit
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: cockpit-ovirt
Classification: oVirt
Component: Hosted Engine
Version: 0.11.20
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ovirt-4.2.3
: ---
Assignee: Phillip Bailey
QA Contact: Yihui Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-24 06:56 UTC by Yihui Zhao
Modified: 2018-05-10 06:29 UTC (History)

Fixed In Version: cockpit-ovirt-0.11.24-1
Clone Of:
Environment:
Last Closed: 2018-05-10 06:29:25 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.2+
rule-engine: blocker+
cshao: testing_ack+


Attachments
bootstrap_local_vm_log (9.91 MB, text/plain)
2018-04-24 08:32 UTC, Yihui Zhao


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1540225 0 unspecified CLOSED 2_ovirt_logger.py can't filter vars passed on the command line 2022-02-25 11:25:14 UTC
Red Hat Bugzilla 1540850 0 unspecified CLOSED ansible flow needs better logging 2021-02-22 00:41:40 UTC
oVirt gerrit 90710 0 master MERGED wizard: Pass filtered var tokens and regex's to playbooks 2018-04-30 07:29:11 UTC
oVirt gerrit 90770 0 ovirt-4.2 MERGED wizard: Pass filtered var tokens and regex's to playbooks 2018-04-30 13:59:12 UTC

Internal Links: 1540225 1540850

Description Yihui Zhao 2018-04-24 06:56:02 UTC
Description of problem:
HE-VM appliance and admin password saved in the setup log file as clear text.
"""

2018-04-23 17:24:51,796+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.105', u'TIME_ZONE': u'Asia/Harbin', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.redhat.com', u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.redhat.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.0', 'string': '2.5.0', 'minor': 5, 'revision': 0}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'redhat', u'CONSOLE_UUID': None, u'VM_UUID': u'ed4d039c-eeb1-49be-a083-c59ab319a6ab', u'CPU_TYPE': u'model_Broadwell', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__a539486862c26f25f6ed53b2debbe3033bbb6240', 'ansible_diff_mode': False, u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'password'}}"

"""

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.2.2.1-0.20180420.0
cockpit-160-3.el7.x86_64
cockpit-bridge-160-3.el7.x86_64
cockpit-ws-160-3.el7.x86_64
cockpit-storaged-160-3.el7.noarch
cockpit-ovirt-dashboard-0.11.22-1.el7ev.noarch
cockpit-dashboard-160-3.el7.x86_64
cockpit-system-160-3.el7.noarch
ovirt-hosted-engine-setup-2.2.18-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7ev.noarch
rhvm-appliance-4.2-20180420.0.el7.noarch


How reproducible:
100%


Steps to Reproduce:
1. Clean install redhat-virtualization-host-4.2.2.1-0.20180420.0 with ks
2. Deploy HE via cockpit
3. Check the setup log file

Actual results:
After step 3, the HE-VM appliance and admin passwords are saved in the setup log file as clear text.

Expected results:
After step 3, the HE-VM appliance and admin passwords are not saved in the setup log file as clear text.


Additional info:

Comment 1 Ido Rosenzwig 2018-04-24 08:18:51 UTC
please attach the full log

Comment 2 Yihui Zhao 2018-04-24 08:32:46 UTC
Created attachment 1425866 [details]
bootstrap_local_vm_log

Comment 3 Yihui Zhao 2018-04-24 08:34:24 UTC
(In reply to Ido Rosenzwig from comment #1)
> please attach the full log

https://bugzilla.redhat.com/attachment.cgi?id=1425866

Comment 4 Yaniv Kaul 2018-04-25 07:16:59 UTC
How is this not a blocker?

Comment 5 Yihui Zhao 2018-04-25 09:21:54 UTC
(In reply to Yaniv Kaul from comment #4)
> How is this not a blocker?

I think it doesn't affect the use.

Comment 8 Simone Tiraboschi 2018-04-26 07:37:25 UTC
It's cockpit wizard specific now, 
we have to do something like this:
https://github.com/oVirt/ovirt-hosted-engine-setup/blob/master/src/ovirt_hosted_engine_setup/ansible_utils.py#L42

also on cockpit side.

Currently we cannot do much better just on playbook side as for https://bugzilla.redhat.com/show_bug.cgi?id=1540225

Comment 9 Yihui Zhao 2018-05-07 02:08:09 UTC
Tested with cockpit-ovirt-0.11.24-1 on RHEL-7.5-20180322; it works as expected.


From the log:

"""
2018-05-04 11:51:35,234+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.19', u'TIME_ZONE': u'Asia/Shanghai', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.**FILTERED**.com', u'he_filtered_tokens_re': [u'BEGIN PRIVATE KEY**FILTERED**END PRIVATE KEY'], u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.**FILTERED**.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.2', 'string': '2.5.2', 'minor': 5, 'revision': 2}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'he_filtered_tokens_vars': [u'ADMIN_PASSWORD', u'APPLIANCE_PASSWORD', u'ISCSI_PASSWORD', u'ISCSI_DISCOVER_PASSWORD', u'ROOTPWD'], u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'**FILTERED**', u'CONSOLE_UUID': None, u'VM_UUID': u'62b13066-0b11-422f-aba2-dfb5b87108b4', u'CPU_TYPE': u'model_Opteron_G5', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'ENABLE_HC_GLUSTER_SERVICE': False, u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__95fcc81a0c914dd9d69b4d1b6fc3d7ff2f7983ca', 'ansible_diff_mode': False, 
u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'**FILTERED**'}}"
"""

The appliance and admin passwords are set as "**FILTERED**".

So, moving to verified.

Comment 10 Sandro Bonazzola 2018-05-10 06:29:25 UTC
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
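
Added example (not code from this bug, cockpit-ovirt or ovirt-hosted-engine-setup): a minimal log redactor driven by a list of variable names and a list of regexes, the two inputs that appear in the verified log as `he_filtered_tokens_vars` and `he_filtered_tokens_re`. It masks by value, so a filtered value that also occurs elsewhere in the line (here inside a host name, as `**FILTERED**` also appears inside host names in comment 9) is masked there too. The function names, sample variables, sample log line and the regex are constructed for illustration; the page's own regex is itself masked in the log.

```python
import re

MASK = "**FILTERED**"  # replacement string seen in the verified log


def _mask_group(match):
    """Replace only capture group 1 of a match, keeping the delimiters."""
    whole, base = match.group(0), match.start(0)
    return whole[:match.start(1) - base] + MASK + whole[match.end(1) - base:]


def build_redactor(variables, filtered_vars, filtered_res):
    """Return redact(line) that masks secret values and regex captures.

    variables     -- playbook variables, name -> value
    filtered_vars -- names whose values must never reach the log
    filtered_res  -- regexes whose capture group 1 is masked
    """
    # Skip None/empty values: substituting "" would mangle every line.
    secrets = {str(variables[n]) for n in filtered_vars if variables.get(n)}
    # Longest first, so a secret containing another is masked as a whole.
    ordered = sorted(secrets, key=len, reverse=True)
    by_value = re.compile("|".join(map(re.escape, ordered))) if ordered else None
    by_regex = [re.compile(p, re.DOTALL) for p in filtered_res]

    def redact(line):
        for pattern in by_regex:
            line = pattern.sub(_mask_group, line)
        return by_value.sub(MASK, line) if by_value else line

    return redact


# Constructed sample data (not taken from the attached log).
SAMPLE_VARS = {"FQDN": "he-vm.lab.example.test", "APPLIANCE_PASSWORD": "example",
               "ADMIN_PASSWORD": "S3cr3t-adm1n", "ISCSI_PASSWORD": None}
SAMPLE_LINE = ("DEBUG var changed: value: \"{u'FQDN': u'he-vm.lab.example.test', "
               "u'APPLIANCE_PASSWORD': u'example', u'ADMIN_PASSWORD': u'S3cr3t-adm1n', "
               "u'KEY': u'BEGIN PRIVATE KEY MIIBconstructed END PRIVATE KEY'}\"")
FILTERED_VARS = ["ADMIN_PASSWORD", "APPLIANCE_PASSWORD", "ISCSI_PASSWORD", "ROOTPWD"]
FILTERED_RES = [r"BEGIN PRIVATE KEY(.*?)END PRIVATE KEY"]  # constructed pattern


def redact_sample():
    return build_redactor(SAMPLE_VARS, FILTERED_VARS, FILTERED_RES)(SAMPLE_LINE)


if __name__ == "__main__":
    print(redact_sample())
```

Because the mask lands wherever the value occurs, a short or dictionary-word password can be inferred from the surrounding text of a redacted log; this is a property of value-based masking in general.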