Metrics Store installation and configuration uses passwords for Subscription Manager, RHVM, Metrics Store VM root user, container registry, Kibana, and OpenShift console. Tasks that use passwords should have `no_log: true` set to ensure that running a playbook in verbose mode does not expose passwords. In the latest patch set, `no_log: true` seems to be used only in ovirt-engine-metrics/roles/oVirt.read-local-pki-files/tasks/main.yml.
I found several issues when inspecting the code: all the passwords are in plain text in these files:
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/vars.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/metrics_store_post_installation.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/vars.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/metrics_store_post_installation.yaml
Tested in: ovirt-engine-metrics-1.2.1.3-1.el7ev.noarch
Installation failed on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1697521
Tested in:
ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch
ovirt-engine-4.3.3.1-0.1.el7.noarch
`no_log: true` is still missing in metrics_post_installation.yml for the task [Assign the password immediately without login]. Running the install_okd.yml playbook with -vvv makes the password visible in plaintext in the log output of that task.
Tested in:
ovirt-engine-4.2.8.5-0.1.el7ev.noarch
ovirt-engine-metrics-1.2.2.2-1.el7ev.noarch
Also tested in:
ovirt-engine-4.3.3.1-0.1.el7.noarch
ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch
Cannot verify due to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1715513
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 26-Feb-2020. Refer to this bug's Description for information about how to resolve this bug.
Steps:
1) Install metrics store according to the documentation
2) Run all the installation scripts in verbose mode and save the logs
3) Check that none of the logs or files generated by the installation contain any of the passwords used in the secure-vars.yaml file
Results: No passwords in plaintext generated by installation
Verified in:
ovirt-engine-4.3.5.4-0.1.el7.noarch
ansible-2.8.3-1.el7ae.noarch
ovirt-engine-metrics-1.3.3.3-1.el7.noarch
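One way to automate step 3 of the verification above, as an added example that is not part of the bug report or of ovirt-engine-metrics: it pulls every `*password*` value out of a secure-vars.yaml file and greps the saved verbose logs for each one as a literal string. It assumes the vars file uses plain `key: value` lines; the vars file and the two log files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug report: implements step 3 above by scanning
# installation logs for every value of a *password* key in secure-vars.yaml.
# Assumes the vars file uses plain "key: value" lines (sample constructed below).

WORK="$(mktemp -d)"
cat > "$WORK/secure-vars.yaml" <<'EOF'
# constructed sample values, not real credentials
rhsm_password: Sub5cr1ptionPw
engine_password: "Engine!Pw42"
root_password: R00tPw-xyz
kibana_admin_password: K1banaPw
EOF
mkdir -p "$WORK/leaky" "$WORK/clean"
# Constructed -vvv task output where a task without no_log exposed the root password.
printf 'TASK [Assign the password immediately without login]\nchanged: [metrics-store] => {"cmd": "echo R00tPw-xyz | passwd --stdin root"}\n' \
  > "$WORK/leaky/install_okd.log"
# Constructed output of a task that did set no_log: true.
printf 'TASK [Read local PKI files]\nok: [localhost] => {"censored": "the output has been hidden due to the fact that no_log: true was specified for this result"}\n' \
  > "$WORK/clean/install_okd.log"

# Print the value of every *password* key in a vars file, one per line,
# stripping optional surrounding quotes.
secret_values() {
  grep -E '^[A-Za-z0-9_]*password[A-Za-z0-9_]*:' "$1" \
    | sed -E 's/^[^:]*:[[:space:]]*//' \
    | sed -E "s/^['\"]//; s/['\"]\$//"
}

# Print every file under a log directory that contains any secret value.
# -F matches the password as a literal string, so symbols such as ! or $ are safe.
leaked_files() {
  secret_values "$1" | while IFS= read -r secret; do
    [ -n "$secret" ] && grep -rFl -- "$secret" "$2" || :
  done | sort -u
}

# Return 0 when no secret appears in the logs, 1 when at least one does.
check_logs_for_secrets() {
  [ -z "$(leaked_files "$1" "$2")" ]
}

if check_logs_for_secrets "$WORK/secure-vars.yaml" "$WORK/leaky"; then
  echo "no passwords found in $WORK/leaky"
else
  echo "password values found in:"
  leaked_files "$WORK/secure-vars.yaml" "$WORK/leaky"
fi
```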
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2499