Hide Forgot
Created attachment 1425867 [details] ovirt engine setup log Description of problem: Engine setup replaces certain values from ovirt-engine-setup log with '**FILTERED**' string so that sensitive information, such as passwords or usernames won't appear in clear-text. This is very important for security. However, it also filters the word 'engine' from the log, common word, which is used quite often in the log lines, in a non-credential related lines. Few examples from the log: 2018-04-23 13:44:57,999+0000 DEBUG otopi.context context._executeMethod:128 Stage init METHOD otopi.plugins.ovirt_**FILTERED**_common.ovirt_**FILTERED**.db.pgpass.Plugin._init 2018-04-23 13:46:35,594+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_DB/**FILTERED**VacuumFull=bool:'False' 2018-04-23 13:46:32,653+0000 DEBUG otopi.plugins.otopi.services.systemd plugin.executeRaw:813 execute: ('/usr/bin/systemctl', 'enable', u'ovirt-**FILTERED**-dwhd.service'), executable='None', cwd='None', env=None 2018-04-23 13:46:29,406+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:813 execute: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), executable='None', cwd='None', env=None 2018-04-23 13:46:29,522+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.executeRaw:863 execute-result: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc'), rc=0 2018-04-23 13:46:29,524+0000 DEBUG otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**_common.distro-rpm.packages plugin.execute:921 execute-output: ('/usr/bin/rpm', '-q', 'ovirt-**FILTERED**-webadmin-portal', 'rhvm-branding-rhv', 'ovirt-**FILTERED**-dwh', 'ovirt-**FILTERED**-tools-backup', 'ovirt-**FILTERED**-restapi', 'ovirt-**FILTERED**-dbscripts', 'ovirt-**FILTERED**-dashboard', 'rhvm', 'ovirt-**FILTERED**', 'ovirt-**FILTERED**-backend', 'ovirt-**FILTERED**-tools', 'ovirt-**FILTERED**-extension-aaa-jdbc') stdout: ovirt-**FILTERED**-webadmin-portal-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-dwh-4.2.2.2-1.el7ev.noarch ovirt-**FILTERED**-tools-backup-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-restapi-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-dbscripts-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-dashboard-1.2.3-1.el7ev.noarch ovirt-**FILTERED**-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-backend-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-tools-4.2.3.2-0.1.el7.noarch ovirt-**FILTERED**-extension-aaa-jdbc-1.1.7-1.el7ev.noarch 2018-04-23 13:46:35,574+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**DbBackupDir=str:'/var/lib/ovirt-**FILTERED**/backups' 2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMax=str:'4g' 2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**HeapMin=str:'4g' 2018-04-23 13:46:35,575+0000 DEBUG otopi.context context.dumpEnvironment:869 ENV OVESETUP_CONFIG/**FILTERED**ServiceStopNeeded=bool:'True' 'engine' is also a username in the database, for that reason we probably added it to the filtered words list. My suggestion is to apply a specific filter only on username related lines in the log, or change the default engine DB username to be uncommon word (if possible), or even remove the word from the filter list. Version-Release number of selected component (if applicable): RHV 4.2.3.2-0.1.el7 How reproducible: 100% Steps to Reproduce: 1. Run engine-setup. Actual results: Engine-setup filters the word 'engine' from engine-setup log. Expected results: Described above. Additional info:
Are you sure you didn't set engine as password? I can't reproduce this. See http://jenkins.ovirt.org/view/oVirt%20system%20tests/job/ovirt-system-tests_he-basic-ansible-suite-4.2/131/artifact/exported-artifacts/test_logs/he-basic-ansible-suite-4.2/post-004_basic_sanity.py/lago-he-basic-ansible-suite-4-2-engine/_var_log/ovirt-engine/setup/ovirt-engine-setup-20180424033212-yigjyh.log/*view*/ as example log. If you used engine as password, this is expected behavior. You shouldn't use such weak passwords.
No, we didn't used 'engine' as password for admin.
ENV OVESETUP_PKI/storePassword=str:'**FILTERED**' Looks like you set password to engine here. Closing as not a bug.
For what user did we set the password as 'engine'? I'm logging in into UI using admin with password different than 'engine'.
(In reply to Mor from comment #4) > For what user did we set the password as 'engine'? I'm logging in into UI > using admin with password different than 'engine'. It's the password for the Certificate Authority / PKCS12 / PKI.