Bug 824526 - aeolus-configure will always create an admin user, need to key of a uuid not name
Status: CLOSED ERRATA
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-configure
1.0.0
Unspecified Unspecified
unspecified Severity high
: 1.0.1
: ---
Assigned To: Steve Linabery
Rehana
: ZStream
Depends On: 806001
Blocks: 832544
Reported: 2012-05-23 12:36 EDT by Chris Pelland
Modified: 2012-07-10 03:23 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
aeolus-configure created an admin user for each profile. If the original admin user was renamed prior to running another profile, aeolus-configure created another admin user. This update removes admin user creation from profiles and runs the process as part of the conductor manifest. This ensures admin users are not created upon subsequent runs of aeolus-configure.
Story Points: ---
Clone Of: 806001
Environment:
Last Closed: 2012-07-10 03:23:04 EDT


Description Chris Pelland 2012-05-23 12:36:42 EDT
+++ This bug was initially created as a clone of Bug #806001 +++

Description of problem:

aeolus-configure will always create an admin user even if one has already been created.

Scenario..
1. user runs aeolus-configure, hates the username=admin and changes the username  to "root" and changes the password
2. user runs aeolus-configure again .. whoops.. admin/password is created and is a bit of a security hole


ideally.. the original admin user should have some sort of uuid of 0, and aeolus-configure always uses that id to configure resources.

So.. user can change the username/pass of "admin" to anything and that user is still the only admin on the box after aeolus-configure is executed
Comment 1 Steve Linabery 2012-05-29 13:21:44 EDT
878aeec329b1d9ba54c8d1bdf960aac65f417c7f aeolus-conductor on 1.0.1 branch
be208210ee9737216534ccb7638cfcd6477a63b0 aeolus-configure on 1.0.1 branch
Comment 2 Dan Macpherson 2012-06-06 00:01:29 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with:

# aeolus-configure -p admin_configure
Comment 3 Dan Macpherson 2012-06-07 02:07:27 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,3 +1,3 @@
 aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with:
 
-# aeolus-configure -p admin_configure+# aeolus-configure -p admin
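Review bot: the unchanged first line of the hunk still reads "Users now creates an admin user with:", which should be "Users now create". With the command on the last line changing from `-p admin_configure` to `-p admin`, the note should also state whether rerunning that profile after the original admin has been renamed creates a second admin user, since that is the case this bug reports.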
Comment 4 pushpesh sharma 2012-06-07 04:53:58 EDT
Observations:-
1. admin user is only configured via:
aeolus-configure -p admin

2. username for admin can be changed with any name
3. aeolus-configure -p mock does not create an admin user by default and the renamed user in step-2 remains the administrator.



Based on above observation marking it verified.
Comment 5 Steve Linabery 2012-06-22 15:54:56 EDT
Recent commits[1] on 1.0.1 branch obviate the need for invoking aeolus-configure with '-p admin'. The default behavior is now to create a User with administrative rights with the login/password 'admin/password'.

The creation of a file, "/var/lib/aeolus-conductor/production.admin", ensures that the admin/password creation happens only at first run of aeolus-configure.

Based on this change in use, I am deleting the Technical Notes entry on this BZ.

[1]88c5293e5e5dcff47f2c9bf165934f8b304a0b9e
   3691451fbb0508391c0f36038282f7c9bd881b16
   fa2ca9d2e25cf24c19fd5132b666db5e124ce97e
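
The following is an added illustration, not part of the original comments and not Aeolus code: it contrasts seeding keyed on the login name (the behaviour in the bug description) with a first-run marker file like the one comment 5 describes. The `UserStore` class, the method names and the temporary marker path are assumptions made for the example.

```ruby
require "tmpdir"

# Constructed in-memory stand-in for the conductor user table (hypothetical).
User = Struct.new(:id, :login, :password, :admin)

class UserStore
  attr_reader :users
  def initialize
    @users = []
  end

  def create_admin(login, password)
    @users << User.new(@users.size + 1, login, password, true)
  end

  def admin_logins
    @users.select(&:admin).map(&:login)
  end
end

# Behaviour from the bug description: seeding is keyed on the login name, so a
# renamed admin is not recognised and the default account is created again.
def seed_by_name(store)
  return if store.users.any? { |u| u.login == "admin" }
  store.create_admin("admin", "password")
end

# Guard in the spirit of comment 5: a marker file records that the first run
# already seeded the admin, whatever that account is called now.
def seed_once(store, marker)
  return if File.exist?(marker)
  store.create_admin("admin", "password")
  File.write(marker, "seeded\n")
end

# Runs the seeding step, renames the admin, runs it again; returns admin logins.
def admins_after_rerun(strategy)
  Dir.mktmpdir do |dir|
    store = UserStore.new
    marker = File.join(dir, "production.admin") # temp path, not the real one
    seed = -> { strategy == :by_name ? seed_by_name(store) : seed_once(store, marker) }
    seed.call
    store.users.first.login = "root" # operator renames the seeded admin
    store.users.first.password = "changed-by-operator"
    seed.call
    store.admin_logins
  end
end
p(admins_after_rerun(:by_name), admins_after_rerun(:marker))
```

In this sketch, deleting the marker makes the next run seed the default account again, so a guard of this kind is only as durable as the file it checks.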
Comment 6 Steve Linabery 2012-06-22 15:54:56 EDT
Deleted Technical Notes Contents.

Old Contents:
aeolus-configure creates an admin user for each profile. Aeolus adds another admin user if a user renames the original admin user and runs another profile. This update adds a separate profile for admin creation. Users now creates an admin user with:

# aeolus-configure -p admin
Comment 7 Dan Macpherson 2012-06-25 11:00:28 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
aeolus-configure created an admin user for each profile. If the original admin user was renamed prior to running another profile, aeolus-configure created another admin user. This update removes admin user creation from profiles and runs the process as part of the conductor manifest. This ensures admin users are not created upon subsequent runs of aeolus-configure.
Comment 8 Ronelle Landy 2012-07-03 10:54:18 EDT
Retested this BZ as per last changes ...

The functionality verifies and does work as the tech note stipulates ...

 - admin/password was created (by first run of aeolus-configure) 
 - Then logged into conductor as admin/password and changed the username/password, 
 - Ran aeolus-configure (and even aeolus-configure -p mock)
 - Ran aeolus-restart-services
 - Tried to log in to conductor as admin/password - no access
 - My changed admin can still log in

So, running aeolus-configure a second or third time with any profile did *not* result in a new admin/password user being created.

rpms tested:

>> rpm -qa |grep aeolus
rubygem-aeolus-cli-0.3.3-2.el6_2.noarch
aeolus-configure-2.5.10-1.el6cf.noarch
aeolus-conductor-daemons-0.8.34-1.el6cf.noarch
aeolus-conductor-0.8.34-1.el6cf.noarch
aeolus-all-0.8.34-1.el6cf.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-doc-0.8.34-1.el6cf.noarch
Comment 10 errata-xmlrpc 2012-07-10 03:23:04 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1063.html
