Bug 1571161 - The word 'engine' is filtered from engine setup log
Summary: The word 'engine' is filtered from engine setup log
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.2.2.3
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: ---
Assignee: Sandro Bonazzola
QA Contact: meital avital
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-24 08:37 UTC by Mor
Modified: 2018-04-24 12:03 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-04-24 11:40:48 UTC
oVirt Team: Virt
Embargoed:


Attachments (Terms of Use)
ovirt engine setup log (334.42 KB, application/octet-stream)
2018-04-24 08:37 UTC, Mor
no flags Details

Description Mor 2018-04-24 08:37:09 UTC
Created attachment 1425867 [details]
ovirt engine setup log

Description of problem:
Engine setup replaces certain values from ovirt-engine-setup log with '**FILTERED**' string so that sensitive information, such as passwords or usernames won't appear in clear-text. This is very important for security. However, it also filters the word 'engine' from the log, common word, which is used quite often in the log lines, in a non-credential related lines.

Few examples from the log:
2018-04-23 13:44:57,999+0000 DEBUG otopi.context context._executeMethod:128 
Stage init METHOD otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**.db.pgpass.Plugin._init

2018-04-23 13:46:35,594+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_DB/**FILTERED**VacuumFull=bool:'False'

2018-04-23 13:46:32,653+0000 DEBUG otopi.plugins.otopi.services.systemd plugin.executeRaw:813 execute: ('/usr/bin/systemctl', 'enable', u'ovirt-**FILTERED**-dwhd.service'), executable='None', cwd='None', env=None

2018-04-23 13:46:29,406+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:813 execute: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), executable='None', cwd='None', env=None
2018-04-23 13:46:29,522+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:863 execute-result: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), rc=0
2018-04-23 13:46:29,524+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.execute:921 execute-output: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc') stdout:
ovirt-**FILTERED**-webadmin-portal-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dwh-4.2.2.2-1.el7ev.noarch
ovirt-**FILTERED**-tools-backup-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-restapi-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dbscripts-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-dashboard-1.2.3-1.el7ev.noarch
ovirt-**FILTERED**-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-backend-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-tools-4.2.3.2-0.1.el7.noarch
ovirt-**FILTERED**-extension-aaa-jdbc-1.1.7-1.el7ev.noarch

2018-04-23 13:46:35,574+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**DbBackupDir=str:'/var/lib/ovirt-**FILTERED**/backups'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMax=str:'4g'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMin=str:'4g'
2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**ServiceStopNeeded=bool:'True'

'engine' is also a username in the database, for that reason we probably added it to the filtered words list. 

My suggestion is to apply a specific filter only on username related lines in the log, or change the default engine DB username to be uncommon word (if possible), or even remove the word from the filter list.

Version-Release number of selected component (if applicable):
RHV 4.2.3.2-0.1.el7

How reproducible:
100%

Steps to Reproduce:
1. Run engine-setup.

Actual results:
Engine-setup filters the word 'engine' from engine-setup log.

Expected results:
Described above.

Additional info:

Comment 1 Sandro Bonazzola 2018-04-24 11:32:04 UTC
Are you sure you didn't set engine as password?
I can't reproduce this. See http://jenkins.ovirt.org/view/oVirt%20system%20tests/job/ovirt-system-tests_he-basic-ansible-suite-4.2/131/artifact/exported-artifacts/test_logs/he-basic-ansible-suite-4.2/post-004_basic_sanity.py/lago-he-basic-ansible-suite-4-2-engine/_var_log/ovirt-engine/setup/ovirt-engine-setup-20180424033212-yigjyh.log/*view*/ as example log.

If you used engine as password, this is expected behavior. You shouldn't use such weak passwords.

Comment 2 Mor 2018-04-24 11:36:04 UTC
No, we didn't used 'engine' as password for admin.

Comment 3 Sandro Bonazzola 2018-04-24 11:40:48 UTC
ENV OVESETUP_PKI/storePassword=str:'**FILTERED**'

Looks like you set password to engine here.
Closing as not a bug.

Comment 4 Mor 2018-04-24 11:48:57 UTC
For what user did we set the password as 'engine'? I'm logging in into UI using admin with password different than 'engine'.

Comment 5 Sandro Bonazzola 2018-04-24 12:03:27 UTC
(In reply to Mor from comment #4)
> For what user did we set the password as 'engine'? I'm logging in into UI
> using admin with password different than 'engine'.

It's the password for the Certificate Authority / PKCS12 / PKI.


Note You need to log in before you can comment on or make changes to this bug.