Red Hat Bugzilla – Bug 824526
aeolus-configure will always create an admin user, need to key of a uuid not name
Last modified: 2012-07-10 03:23:04 EDT
+++ This bug was initially created as a clone of Bug #806001 +++ Description of problem: aeolus-configure will always create an admin user even one has already been created. Scenario.. 1. user runs aeolus-configure, hates the username=admin and changes the username to "root" and changes the password 2. user runs aeolus-configure again .. whoops.. admin/password is created and is a bit of a security hole ideally.. the original admin user should have some sort of uuid of 0, and aeolus-configure always uses that id to configure resources. So.. user can change the username/pass of "admin" to anything and that user is still the only admin on the box after aeolus-configure is executed
878aeec329b1d9ba54c8d1bdf960aac65f417c7f aeolus-conductor on 1.0.1 branch be208210ee9737216534ccb7638cfcd6477a63b0 aeolus-configure on 1.0.1 branch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with: # aeolus-configure -p admin_configure
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,3 +1,3 @@ aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with: -# aeolus-configure -p admin_configure+# aeolus-configure -p admin
Observations:- 1.admin user user is only configured via: aeolus-configure -p admin 2.username for admin can be changed with anyname 3.aeolus-configure -p mock does not create a admin user by defualt and the renamed user in step-2 remains the administartor. Based on above observation marking it verified.
Recent commits[1] on 1.0.1 branch obviate the need for invoking aeolus-configure with '-p admin'. The default behavior is now to create a User with administrative rights with the login/password 'admin/password' The creation of a file, "/var/lib/aeolus-conductor/production.admin", ensures that the admin/password creation happens only at first run of aeolus-configure. Based on this change in use, I am deleting the Technical Notes entry on this BZ. [1]88c5293e5e5dcff47f2c9bf165934f8b304a0b9e 3691451fbb0508391c0f36038282f7c9bd881b16 fa2ca9d2e25cf24c19fd5132b666db5e124ce97e
Deleted Technical Notes Contents. Old Contents: aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with: # aeolus-configure -p admin
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: aeolus-configure created an admin user for each profile. If the original admin user was renamed prior to running another profile, aeolus-configure created another admin user. This update removes admin user creation from profiles and runs the process as part of the conductor manifest. This ensures admin users are not created upon subsequent runs of aeolus-configure.
Restested this BZ as per last changes ... The functionality verifies and does work as the tech note stipulates ... - admin/password was created (by first run of aeolus-configure) - Then logged into conductor as admin/password and changed the username/password, - Ran aeolus-configure (and even aeolus-configure -p mock) - Ran aeolus-restart-services - Tried to log in to conductor as admin/password - no accees - My changed admin can still log in So, running aeolus-configure a second or third time with any profile did *not* result in a new admin/password user being. rpms tested: >> rpm -qa |grep aeolus rubygem-aeolus-cli-0.3.3-2.el6_2.noarch aeolus-configure-2.5.10-1.el6cf.noarch aeolus-conductor-daemons-0.8.34-1.el6cf.noarch aeolus-conductor-0.8.34-1.el6cf.noarch aeolus-all-0.8.34-1.el6cf.noarch rubygem-aeolus-image-0.3.0-12.el6.noarch aeolus-conductor-doc-0.8.34-1.el6cf.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1063.html