996926 – [RFE] Additional fields for fence_apc_snmp in the RHEV UI

Bug 996926 - [RFE] Additional fields for fence_apc_snmp in the RHEV UI

Summary: [RFE] Additional fields for fence_apc_snmp in the RHEV UI

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	RFEs
Sub Component:
Version:	3.2.0
Hardware:	All
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-3.6.0-rc
Target Release:	3.6.0
Assignee:	Alexander Wels
QA Contact:	Antonin Pagac
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-14 09:49 UTC by Marko Karg
Modified:	2019-11-30 22:07 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	With this update, it is now possible to specify whether encryption is set for fence agent fields in the Power Management tab of the New Host and Edit Host windows. This enhancement addresses cases where certain fence agents require the ability to set whether a field is encrypted.
Clone Of:
Environment:
Last Closed:	2016-03-09 20:31:53 UTC
oVirt Team:	Infra
Target Upstream Version:
Flags:	sherold: Triaged+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	460823	None	None	None	Never
Red Hat Product Errata	RHEA-2016:0376	normal	SHIPPED_LIVE	Red Hat Enterprise Virtualization Manager 3.6.0	2016-03-10 01:20:52 UTC
oVirt gerrit	38392	master	MERGED	core,restapi,webadmin: encrypt fence agent options	Never

Description Marko Karg 2013-08-14 09:49:24 UTC

Description of problem:

We're missing a field for the parameter snmp_priv_passwd in the RHEV UI window for the host powermanagement. Thus they are forced to enter it in cleartext in the options field, which for them is a security concern and in general is error prone. 

Version-Release number of selected component (if applicable):

RHEV 3.2 

How reproducible:

always

Steps to Reproduce:
1. go to the power management settings
2. set the type to fence_apc_snmp
3. check the fields - there is none for the snmp_priv_passwd

Actual results:

The fields missing and has to be set up via the options

Expected results:

Fields for all possible parameters for the fence_apc_snmp type (for all fence devices we support would of course be best).
Fields that contain passwords should be non-cleartext fields and contents should be displayed as asterisks.

Additional info:

N/A

Comment 1 Eli Mesika 2013-11-07 14:26:20 UTC

(In reply to Marko Karg from comment #0)
> Description of problem:
> 
> We're missing a field for the parameter snmp_priv_passwd in the RHEV UI
> window for the host powermanagement. Thus they are forced to enter it in
> cleartext in the options field, which for them is a security concern and in
> general is error prone. 
> 
> Version-Release number of selected component (if applicable):
> 
> RHEV 3.2 
> 
> How reproducible:
> 
> always
> 
> Steps to Reproduce:
> 1. go to the power management settings
> 2. set the type to fence_apc_snmp
> 3. check the fields - there is none for the snmp_priv_passwd
> 
> Actual results:
> 
> The fields missing and has to be set up via the options
> 
> Expected results:
> 
> Fields for all possible parameters for the fence_apc_snmp type (for all
> fence devices we support would of course be best).
> Fields that contain passwords should be non-cleartext fields and contents
> should be displayed as asterisks.

This is fully supported by putting in the options field "P=<value>"

The agent list handles 3 special parameters that are common to all PM agents 

1) Secure flag
2) Port
3) Slot

All other parameters should be issued in the options field with the following format

<key1>=<val1>, ...... <keyN>=<valN>

I think that this RFE should be closed

Comment 2 Andrew Cathrow 2013-11-07 22:15:10 UTC

I'm not sure it merits closing - seems like a UI nit pick. However I don't understand the more secure part?

Comment 3 Barak 2013-12-26 11:53:51 UTC

Marek,

Can you please explain the what is the difference between the user/pass (that we can configure in apc_snmp) to the snmp_priv_passwd field the customer wants to add.

Comment 4 Marek Grac 2014-01-02 10:49:19 UTC

@Barak,

In SNMPv3 there are 3 levels of security:
* noAuthnoPriv - only community name is used
* AuthNoPriv - authentication (normal password)
* AuthPriv - authentication & encryption of SNMP password (snmp_priv_password)

Comment 5 Barak 2014-01-14 13:13:43 UTC

Eli there is an option to add a simple checkbox whether to encrypt the options,
This will solve the unencryped password in the DB, but the vdsm will still log it.
This will not make it into 3.4 , hence moving to rhevm-future

Eli please add the full description of this option in terms of building blocks.

Comment 6 Eli Mesika 2014-01-14 13:59:15 UTC

(In reply to Barak from comment #5)

> Eli please add the full description of this option in terms of building
> blocks.

DB :
     Add a field (boolean) indicating if to encrypt options or not - default false (so no need to handle upgrade of the options field content)

ENGINE :
     Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options field according to the flag

API :
     Adding support for the additional flag in POST/PUT/GET 

As stated in comment 5 , options will stay plain-text in teh VDSM level

Arthur ?

Comment 8 Yaniv Lavi 2015-02-01 14:44:58 UTC

(In reply to Eli Mesika from comment #6)
> (In reply to Barak from comment #5)
> 
> > Eli please add the full description of this option in terms of building
> > blocks.
> 
> DB :
>      Add a field (boolean) indicating if to encrypt options or not - default
> false (so no need to handle upgrade of the options field content)
> 
> ENGINE :
>      Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options
> field according to the flag
> 
> API :
>      Adding support for the additional flag in POST/PUT/GET 
> 
> As stated in comment 5 , options will stay plain-text in teh VDSM level
> 
> Arthur ?

This option sound good to me.
Moving to consider to 3.6.0.

Comment 9 Einav Cohen 2015-02-15 15:14:37 UTC

Alexander: details on Comment #6, please contact Eli before starting the implementation to verify that what you intend to do is what actually needed. 
thanks.

Comment 10 Einav Cohen 2015-03-05 13:35:46 UTC

Alexander - should be in POST (since there is a patch)?

Comment 11 Alexander Wels 2015-03-06 19:34:42 UTC

Yes, hadn't gotten around to the book keeping yet.

Comment 14 Antonin Pagac 2015-05-05 12:28:40 UTC

Build ID: 3.6.0-1

Verified.

DB:
Table 'fence_agents' contains 'encrypt_options', and if set, the options are encrypted.

ENGINE:
There is a 'Encrypt options' checkbox when 'apc_snmp' power management type is chosen.

API:
In /ovirt-engine/api/hosts/<HOST_ID>/fenceagents/<FENCEAGENT_ID> is '<encrypt_options>' flag.

Comment 16 errata-xmlrpc 2016-03-09 20:31:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html

Note You need to log in before you can comment on or make changes to this bug.