Bug 1752033 - Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.10.6
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.12.0
Assignee: Nick LaMuro
QA Contact: Devidas Gaikwad
Docs Contact: Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks: 1758665 1767789
Reported: 2019-09-13 13:44 UTC by Mihir Lele
Modified: 2023-03-24 15:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1758665 1767789
Environment:
Last Closed: 2020-06-10 12:38:29 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Attachments
vault password (69.27 KB, image/png), 2019-09-13 18:13 UTC, Lucy Fu

Description Mihir Lele 2019-09-13 13:44:46 UTC
Description of problem:

Passwords stored in variables (extra_vars) are visible in clear text in the evm.log of the appliance.

Version-Release number of selected component (if applicable): 4.7

Additional info:

The customer is adding extra_vars with the type set to protected, using a variable name as the key and its password as the value, and both the key and the value are visible in clear text in evm.log.

Comment 5 Lucy Fu 2019-09-13 18:13:29 UTC
Created attachment 1614952 [details]
vault password

Comment 6 Lucy Fu 2019-09-13 18:14:43 UTC
Vault password should be set as a vault credential when designing the catalog item.
extra_vars are not the place to put sensitive data.
This seems like a customer usage error.

Comment 14 CFME Bot 2019-09-17 21:50:47 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/31f251cae49b8d8c7467adc41a3aa3f22fcd0089
commit 31f251cae49b8d8c7467adc41a3aa3f22fcd0089
Author:     Lucy Fu <lufu>
AuthorDate: Mon Sep 16 11:40:55 2019 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Mon Sep 16 11:40:55 2019 -0400

    Remove unnecessary log message.

    https://bugzilla.redhat.com/show_bug.cgi?id=1752033

 app/models/miq_event.rb | 1 -
 1 file changed, 1 deletion(-)

Comment 15 Nick LaMuro 2019-09-18 18:52:14 UTC
Currently, we have a few PRs up for the possibility of avoiding logging this data in the `MiqQueue.put` and `MiqQueue#deliver` methods:

- https://github.com/ManageIQ/manageiq/pull/19308
- https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/193

It is a "one or the other" situation currently, so we are determining which is the safest option. The latter PR is preferred, but that is only if we aren't using that data anywhere else or determine we shouldn't ever expose that data.
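The comments above describe two approaches: keep secrets out of extra_vars entirely (vault credentials), and stop the queue/automate code from writing the values to evm.log. The following Ruby is an added illustration of the second approach and is not ManageIQ's own code; it assumes a hypothetical extra_vars layout in which a protected variable is a Hash with "value" and "type" keys, and it pairs a scrubber with a check that a log line no longer contains any protected value.

```ruby
# Added example, not ManageIQ code. Assumed layout: extra_vars is a Hash whose
# values are plain strings or Hashes like {"value" => "...", "type" => "protected"}.
require 'json'

SECRET_KEY_PATTERN = /password|passwd|secret|token|vault/i
MASK = "********"

# Deep copy of extra_vars that is safe to write to evm.log: protected-type
# variables and secret-looking keys are masked, everything else is kept.
def scrub_extra_vars(extra_vars)
  extra_vars.each_with_object({}) do |(key, val), out|
    out[key] =
      if val.is_a?(Hash) && val["type"].to_s.casecmp("protected").zero?
        val.merge("value" => MASK)
      elsif key.to_s.match?(SECRET_KEY_PATTERN)
        val.is_a?(Hash) ? val.merge("value" => MASK) : MASK
      elsif val.is_a?(Hash)
        scrub_extra_vars(val)
      else
        val
      end
  end
end

# All values declared protected, at any nesting depth.
def protected_values(extra_vars)
  extra_vars.values.flat_map do |v|
    next [] unless v.is_a?(Hash)
    v["type"].to_s.casecmp("protected").zero? ? [v["value"].to_s] : protected_values(v)
  end
end

# Detection check: true if the log line still carries any protected value.
def leaks_secret?(log_line, extra_vars)
  protected_values(extra_vars).any? { |s| !s.empty? && log_line.include?(s) }
end

# Constructed sample input (not real customer data).
SAMPLE_EXTRA_VARS = {
  "target_host" => "db01.example.internal",
  "db_password" => { "value" => "Hunter2!", "type" => "protected" },
  "api_token"   => "tok-abc123",
  "nested"      => { "ssh_key" => { "value" => "-----BEGIN", "type" => "protected" } }
}

if __FILE__ == $0
  unsafe = "MiqQueue.put extra_vars: #{SAMPLE_EXTRA_VARS.to_json}"
  safe   = "MiqQueue.put extra_vars: #{scrub_extra_vars(SAMPLE_EXTRA_VARS).to_json}"
  puts "unsafe line leaks? #{leaks_secret?(unsafe, SAMPLE_EXTRA_VARS)}"
  puts "scrubbed line leaks? #{leaks_secret?(safe, SAMPLE_EXTRA_VARS)}"
end
```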

Comment 16 CFME Bot 2019-09-18 20:16:36 UTC
New commit detected on ManageIQ/manageiq-automation_engine/master:

https://github.com/ManageIQ/manageiq-automation_engine/commit/4fa2b61f13eab3019a0b9e6c25e9becc592d77c1
commit 4fa2b61f13eab3019a0b9e6c25e9becc592d77c1
Author:     Lucy Fu <lufu>
AuthorDate: Mon Sep 16 17:23:02 2019 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Mon Sep 16 17:23:02 2019 -0400

    Clean up the password value in logs.

    https://bugzilla.redhat.com/show_bug.cgi?id=1752033

 lib/miq_automation_engine/engine/miq_ae_engine.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 18 Nick LaMuro 2019-09-20 21:00:36 UTC
We ended up going with https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/193 and that has just been merged.

Comment 19 Nick LaMuro 2019-09-30 16:24:33 UTC
An additional fix was required since I flubbed the first one:

https://github.com/ManageIQ/manageiq-providers-ansible_tower/pull/195