Bug 1951342 - [RFE] pmdamssql could share credentials with the Assessment API
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcp
Version: CentOS Stream
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: beta
Target Release: 8.6
Assignee: Nathan Scott
QA Contact: Jan Kurik
Docs Contact: Apurva Bhide
Reported: 2021-04-20 00:30 UTC by Nathan Scott
Modified: 2022-05-10 13:49 UTC
Fixed In Version: pcp-5.3.5-1.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 13:30:36 UTC
Type: Enhancement
pm-rhel: mirror+

Links
Red Hat Product Errata RHBA-2022:1765 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-05-10 13:30:51 UTC)

Description Nathan Scott 2021-04-20 00:30:10 UTC
The SQL Server metrics in PCP require authentication to access the database to extract metrics.  To set ourselves up for success in more situations, we could make use of the username/password available from the filesystem setup for the SQL Server Assessment API as (planned to be) used by Insights.

Some notes from the SQL Server Google chat room follow.


Louis Imershein> @Nathan Scott one improvement to PCP might be to teach it to use the same password file as the assessment API
We're still finalizing the file name but a user name and password will be in /var/opt/mssql/secrets/ - accessing it will require either root or the mssql user account for security purposes.  Permissions on the file will be 0600.

Nathan Scott> @Louis Imershein definitely - what will the file names and file formats be in that secrets directory?

Louis Imershein> assuming it's like the ha file, it will just be a username separated from a password by a newline
as soon as i know the file name i will share it with you

Nathan Scott> too easy - I'll open an RFE BZ to get PCP updated

Louis Imershein> Let's make sure Insights team as well as @Brian Smith and @Karl Abbott are aware of our plan, but I think this makes the most sense.
I want something more secure, like principals that automatically authenticate to AD at startup via protected credentials but we need a solution for that for several areas with SQL Server.  At least this in no way adds to the problems in that dept, in fact it's arguably better than some of the other options.

Comment 2 Nathan Scott 2021-07-13 04:51:28 UTC
Louis, any updates on this one?  We're planning next couple of RHEL releases worth of work, it'd be helpful to know if things have progressed here (esp. re: 'as soon as i know the file name i will share it with you' etc - the nitty gritty details that'll let us share configuration here).

Thanks!

Comment 3 Nathan Scott 2021-10-20 23:16:27 UTC
There doesn't seem to have been any progress on the Assessments API credentials, and the quest for further clarity on the situation hasn't been fruitful.  Closing for now, and happy to re-open this BZ if/when that situation changes.

Comment 4 Nathan Scott 2021-10-25 22:07:35 UTC
Louis has sent me details now - it's described in this draft blog post:
https://docs.google.com/document/d/1u71-zEylq-V13DfTNXedrUj4ndNtyAjrpfgfJVIIh4g
and this is supported from RHEL 8.5.

I'll work on the PCP support for this now, targeting 8.6.

Comment 6 Nathan Scott 2021-10-25 23:59:53 UTC
This is working now and will shortly be merged in upstream PCP:

commit 2f89d86567a7a35582a93a61774a51a676f5ae89
Author: Nathan Scott <nathans>
Date:   Tue Oct 26 10:39:23 2021 +1100

    pmdamssql: share username/password with the Assessments API
    
    For admin simplicity, if a SQL Server Assessments API install
    is detected we now use the username/password combo setup for
    this service so that no PCP mssql configuration is required.
    
    Resolves Red Hat BZ #1951342
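
An added example, not code from pmdamssql or from anyone in this thread: one way a metrics agent could consume the shared secrets file described in the Description (username and password separated by a newline, readable by its owner only) while refusing a file whose owner or mode does not match. The function name, the `path` and `allowed_uids` parameters and the sample credentials are assumptions of the example; the thread names only the `/var/opt/mssql/secrets/` directory, not the file.

```python
import os
import stat
import tempfile


class CredentialFileError(Exception):
    """The shared secrets file is unsafe to trust or is malformed."""


def read_shared_credentials(path, allowed_uids=None):
    """Return (username, password) from a 'username\\npassword' secrets file.

    `path` and `allowed_uids` are assumptions of this example: the thread
    does not name the final file, only the /var/opt/mssql/secrets/ directory.
    """
    if allowed_uids is None:
        allowed_uids = {0, os.geteuid()}  # root, or the account running the agent
    # O_NOFOLLOW refuses a symlink swapped in for the secrets file.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        # fstat the descriptor we hold, so the checks and the read see one file.
        st = os.fstat(handle.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise CredentialFileError("not a regular file")
        if st.st_uid not in allowed_uids:
            raise CredentialFileError("unexpected owner uid %d" % st.st_uid)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # anything beyond owner access, i.e. looser than 0600
            raise CredentialFileError("mode %04o exposes the file" % mode)
        lines = handle.read().split("\n")
    # Line 1 is the username, line 2 the password; keep inner spaces intact.
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise CredentialFileError("expected username and password on two lines")
    return lines[0], lines[1]


if __name__ == "__main__":
    # Constructed sample file standing in for the real secrets file.
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write("pcp_reader\nexample-Passw0rd\n")
    os.chmod(tmp.name, 0o600)
    print(read_shared_credentials(tmp.name)[0])
    os.unlink(tmp.name)
```

On a real host `allowed_uids` would hold the uids of root and the mssql account, the two identities the thread says may access the file.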

Comment 13 errata-xmlrpc 2022-05-10 13:30:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcp bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1765

