Bug 824526 - aeolus-configure will always create an admin user, need to key of a uuid not name
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-configure
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: 1.0.1
Assignee: Steve Linabery
QA Contact: Rehana
URL:
Whiteboard:
Depends On: 806001
Blocks: 832544
Reported: 2012-05-23 16:36 UTC by Chris Pelland
Modified: 2012-07-10 07:23 UTC (History)
CC List: 12 users

Fixed In Version:
Clone Of: 806001
Environment:
Last Closed: 2012-07-10 07:23:04 UTC
Embargoed:




Links
Red Hat Product Errata RHBA-2012:1063 (priority normal, status SHIPPED_LIVE): CloudForms Cloud Engine 1.0.1 bug fix update, last updated 2012-07-10 11:18:41 UTC

Description Chris Pelland 2012-05-23 16:36:42 UTC
+++ This bug was initially created as a clone of Bug #806001 +++

Description of problem:

aeolus-configure will always create an admin user even if one has already been created.

Scenario..
1. user runs aeolus-configure, hates the username=admin and changes the username to "root" and changes the password
2. user runs aeolus-configure again .. whoops.. admin/password is created and is a bit of a security hole


ideally.. the original admin user should have some sort of uuid of 0, and aeolus-configure always uses that id to configure resources.

So.. user can change the username/pass of "admin" to anything and that user is still the only admin on the box after aeolus-configure is executed

Comment 1 Steve Linabery 2012-05-29 17:21:44 UTC
878aeec329b1d9ba54c8d1bdf960aac65f417c7f aeolus-conductor on 1.0.1 branch
be208210ee9737216534ccb7638cfcd6477a63b0 aeolus-configure on 1.0.1 branch

Comment 2 Dan Macpherson 2012-06-06 04:01:29 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now create an admin user with:

# aeolus-configure -p admin_configure

Comment 3 Dan Macpherson 2012-06-07 06:07:27 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1,3 @@
 aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with:
 
-# aeolus-configure -p admin_configure+# aeolus-configure -p admin

Comment 4 pushpesh sharma 2012-06-07 08:53:58 UTC
Observations:-
1. admin user is only configured via:
aeolus-configure -p admin

2. username for admin can be changed to any name
3. aeolus-configure -p mock does not create an admin user by default and the renamed user in step 2 remains the administrator.



Based on above observation marking it verified.

Comment 5 Steve Linabery 2012-06-22 19:54:56 UTC
Recent commits[1] on 1.0.1 branch obviate the need for invoking aeolus-configure with '-p admin'. The default behavior is now to create a User with administrative rights with the login/password 'admin/password'

The creation of a file, "/var/lib/aeolus-conductor/production.admin", ensures that the admin/password creation happens only at first run of aeolus-configure.

Based on this change in use, I am deleting the Technical Notes entry on this BZ.

[1]88c5293e5e5dcff47f2c9bf165934f8b304a0b9e
   3691451fbb0508391c0f36038282f7c9bd881b16
   fa2ca9d2e25cf24c19fd5132b666db5e124ce97e

Comment 6 Steve Linabery 2012-06-22 19:54:56 UTC
Deleted Technical Notes Contents.

Old Contents:
aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now create an admin user with:

# aeolus-configure -p admin

Comment 7 Dan Macpherson 2012-06-25 15:00:28 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
aeolus-configure created an admin user for each profile. If the original admin user was renamed prior to running another profile, aeolus-configure created another admin user. This update removes admin user creation from profiles and runs the process as part of the conductor manifest. This ensures admin users are not created upon subsequent runs of aeolus-configure.

Comment 8 Ronelle Landy 2012-07-03 14:54:18 UTC
Retested this BZ as per last changes ...

The functionality verifies and does work as the tech note stipulates ...

 - admin/password was created (by first run of aeolus-configure) 
 - Then logged into conductor as admin/password and changed the username/password, 
 - Ran aeolus-configure (and even aeolus-configure -p mock)
 - Ran aeolus-restart-services
 - Tried to log in to conductor as admin/password - no access
 - My changed admin can still log in

So, running aeolus-configure a second or third time with any profile did *not* result in a new admin/password user being.

rpms tested:

>> rpm -qa |grep aeolus
rubygem-aeolus-cli-0.3.3-2.el6_2.noarch
aeolus-configure-2.5.10-1.el6cf.noarch
aeolus-conductor-daemons-0.8.34-1.el6cf.noarch
aeolus-conductor-0.8.34-1.el6cf.noarch
aeolus-all-0.8.34-1.el6cf.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-doc-0.8.34-1.el6cf.noarch
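
The first-run marker Comment 5 describes and the re-run check Comment 8 walks through, as an added shell example that is not aeolus-configure's or aeolus-conductor's own code: `bootstrap_admin` seeds admin/password only when the marker file is absent and writes the marker afterwards, so a later run with any profile leaves a renamed admin as the only administrator, while `bootstrap_admin_always` reproduces the pre-fix behaviour for contrast. The state directory, the one-line-per-user store file and the helper names are constructed for the demo; only the marker filename `production.admin` comes from the page.

```shell
#!/bin/sh
# Added example, not aeolus-configure's code. Demonstrates idempotent admin
# bootstrap keyed on a first-run marker file (Comment 5). The "user store"
# is a constructed stand-in for the conductor database: one "login:password"
# per line.

# bootstrap_admin STATE_DIR USER_STORE
# Fixed behaviour: seed admin/password once, then never again.
bootstrap_admin() {
    state_dir="$1"
    user_store="$2"
    marker="$state_dir/production.admin"   # same marker name as the real fix

    mkdir -p "$state_dir"
    touch "$user_store"

    if [ -e "$marker" ]; then
        # Already bootstrapped: do not recreate admin/password, even if the
        # operator has since renamed the account. This check is the fix.
        echo "skipped"
        return 0
    fi

    # First run only: seed the default admin and write the marker so that
    # later runs (with any profile) never re-seed it.
    printf '%s\n' "admin:password" >> "$user_store"
    touch "$marker"
    echo "created"
}

# bootstrap_admin_always USER_STORE
# Pre-fix behaviour for contrast: every run re-seeds admin/password, so a
# renamed admin is joined by a fresh admin/password account (the hole from
# the bug description).
bootstrap_admin_always() {
    user_store="$1"
    touch "$user_store"
    printf '%s\n' "admin:password" >> "$user_store"
    echo "created"
}

# rename_user USER_STORE OLD_LOGIN NEW_LOGIN
# Simulates the operator renaming the default admin in the conductor UI.
rename_user() {
    user_store="$1"; old="$2"; new="$3"
    tmp="$user_store.tmp"
    sed "s/^$old:/$new:/" "$user_store" > "$tmp" && mv "$tmp" "$user_store"
}

# user_exists USER_STORE LOGIN  -> exit 0 if the login is present
user_exists() {
    grep -q "^$2:" "$1"
}

# user_count USER_STORE -> number of accounts in the store
user_count() {
    wc -l < "$1" | tr -d ' '
}
```

Run through the same sequence as Comment 8 (bootstrap, rename admin, bootstrap again) and the store should still hold exactly one account, the renamed one; running `bootstrap_admin_always` after the rename instead reintroduces admin/password alongside it.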

Comment 10 errata-xmlrpc 2012-07-10 07:23:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1063.html

