Red Hat Bugzilla – Bug 536105
group definitions can be used to show password fields from plugin/resource config
Last modified: 2015-02-01 18:25:36 EST
I created a group definition:
resource.type.plugin = JBossAS
resource.type.category = Server
and it created a group called:
DynaGroup - groupname ( admin )
where admin is the JMX password used to connect to the JBAS instances. I don't think this credential information is retrievable in plain text from anywhere else in the UI.
Well, I think you can get it as the admin user from any of the various pages available in the /admin/* web context if you're logged in as an admin.
There are two options here:
1) make the group definition creation / dynagroup manip only available to inventory managers, which would, granted, still allow them to do stupid things...though I question what the value of creating this type of group definition would be ; )
2) make this illegal by preventing expressions that contain properties whose type is password
I'm guessing people are going to vote for option 2, but if so then are we going to somehow lock down the /admin/* pages in the same manner?
I think /admin is sufficiently locked down, only "JON admin" users have access which should exclude the vast majority of users. We should investigate encrypting password properties in the DB.
rev2260 - suppress private property results in dynagroup calculations;
Verified that no groups are created when using the described definition. rev2561, windows/oracle
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-491
*** Bug 476080 has been marked as a duplicate of this bug. ***
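
Added example, not RHQ code and not part of the original report: a small Python model of the two mitigations discussed above, rejecting expressions that name a password-typed property (option 2) and suppressing results for such pivots during group calculation (the rev2260 approach). The `groupby resource.pluginConfiguration[...]` expression shape, the property names and the inventory are assumptions constructed for illustration.

```python
import re

# Constructed sample: property name -> declared type (names are hypothetical).
PROPERTY_TYPES = {"principal": "string", "credentials": "password"}
# Assumed expression shape for this sketch: resource.pluginConfiguration[<name>]
PROP_REF = re.compile(r"resource\.(?:plugin|resource)Configuration\[([^\]]+)\]")

class PrivatePropertyError(ValueError):
    """Raised when a definition references a password-typed property."""

def is_private(name, types=PROPERTY_TYPES):
    # Fail closed: a property with no known type is treated as private.
    return types.get(name, "password") == "password"

def referenced(definition, groupby_only=False):
    """Property names referenced by the definition's expressions."""
    names = []
    for line in definition.splitlines():
        line = line.strip()
        if groupby_only and not line.startswith("groupby "):
            continue
        names.extend(PROP_REF.findall(line))
    return names

def validate(definition, types=PROPERTY_TYPES):
    """Reject at save time any expression that names a private property."""
    bad = [n for n in referenced(definition) if is_private(n, types)]
    if bad:
        raise PrivatePropertyError("private properties in expression: " + ", ".join(bad))

def compute_groups(definition, resources, types=PROPERTY_TYPES):
    """Suppress at calculation time: a private pivot yields no groups at all."""
    pivots = referenced(definition, groupby_only=True)
    if any(is_private(n, types) for n in pivots):
        return {}
    groups = {}
    for res in resources:  # type/category filters are not evaluated in this sketch
        values = ", ".join(str(res["config"].get(n)) for n in pivots)
        groups.setdefault("DynaGroup - groupname ( %s )" % values, []).append(res["name"])
    return groups

# Constructed inventory; "admin" mirrors the credential value from the report.
RESOURCES = [{"name": "jbas-1", "config": {"principal": "ops", "credentials": "admin"}},
             {"name": "jbas-2", "config": {"principal": "ops", "credentials": "admin"}}]
BASE = "resource.type.plugin = JBossAS\nresource.type.category = Server\n"
LEAKY = BASE + "groupby resource.pluginConfiguration[credentials]"
SAFE = BASE + "groupby resource.pluginConfiguration[principal]"
```

Checking both at save time and at calculation time covers definitions that were stored before the validation existed.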