Red Hat Bugzilla – Bug 996779
Obfuscated database password is converted to plain-text and saved in rhq-server.properites file during auto-install
Last modified: 2014-01-02 15:40:10 EST
Description of problem: When performing a silent or autoisntall the obfuscated property value for rhq.server.database.password is converted to a plain-text value and persisted to rhq-server.properites while the installer is running. Version-Release number of selected component (if applicable): 4.4.0.JON312GA How reproducible: Always Steps to Reproduce: 1. Extract JON server. 2. Prepare it for silent install using an obfuscated database password: # Change these values accordingly # databasePassword should be obfuscated databaseUrl="jdbc:postgresql://127.0.0.1:5432/rhq" databaseUser="rhqadmin" databasePassword="-627bd760a4751ca4" # These should stay the same for all PostgreSQL instances databaseDriver="org.postgresql.Driver" databaseXAClass="org.postgresql.xa.PGXADataSource" databaseTypeMapping="PostgreSQL" databaseServerName="127.0.0.1" databasePort="5432" databaseName="rhq" hibernateDialect="org.hibernate.dialect.PostgreSQLDialect" quartzDriverDelegate="org.quartz.impl.jdbcjobstore.PostgreSQLDelegate" sed -i 's/^rhq\.server\.database\.connection-url=.*/rhq.server.database.connection-url='"${databaseUrl}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.driver-class=.*/rhq.server.database.driver-class='"${databaseDriver}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.xa-datasource-class=.*/rhq.server.database.xa-datasource-class='"${databaseXAClass}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.user-name=.*/rhq.server.database.user-name='"${databaseUser}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.password=.*/rhq.server.database.password='"${databasePassword}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.type-mapping=.*/rhq.server.database.type-mapping='"${databaseTypeMapping}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.server-name=.*/rhq.server.database.server-name='"${databaseServerName}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.port=.*/rhq.server.database.port='"${databasePort}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.database\.db-name=.*/rhq.server.database.db-name='"${databaseName}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^hibernate\.dialect=.*/hibernate.dialect='"${hibernateDialect}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.server\.quartz\.driverDelegateClass=.*/rhq.server.quartz.driverDelegateClass='"${quartzDriverDelegate}"'/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.autoinstall\.enabled=.*/rhq.autoinstall.enabled=true/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" sed -i 's/^rhq\.autoinstall\.database=.*/rhq.autoinstall.database=overwrite/' "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" 3. Start monitoring the rhq-server.properties file for changes: _tmpDir=$(mktemp -d) && echo "Using ${_tmpDir}" && md5hash="" && { while (true); do newmd5="$(md5sum "${TESTENV_DIR}/jon-server/bin/rhq-server.properties")" if [ "${md5hash}" != "${newmd5}" ]; then cp -a "${TESTENV_DIR}/jon-server/bin/rhq-server.properties" "${_tmpDir}/rhq-server.properties-$(date +%s)" md5hash="${newmd5}" fi sleep 0.2s done } 4. Start JBoss ON server. 5. After install is finished, stop JBoss ON server. Actual results: At the beginning of the autoinstall process, rhq-server.properties is updated with a plain-text password. Expected results: The obfuscated password should remain intact during autoinstall and the plain-text password should never be exposed or persisted.
We need to investigate if that is still true in 3.2 and fix accordingly.
With the new install mechanism every install in an autoinstall. This is no longer an issue for 3.2.
obfuscated password is not being changed to plain text - attached the full log of updates in rhq-server.properties (tailed to get all updates)
Created attachment 807105 [details] rhq-server-properties.log