Bug 996926 - [RFE] Additional fields for fence_apc_snmp in the RHEV UI
Summary: [RFE] Additional fields for fence_apc_snmp in the RHEV UI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 3.2.0
Hardware: All
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Alexander Wels
QA Contact: Antonin Pagac
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-14 09:49 UTC by Marko Karg
Modified: 2019-10-10 09:10 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, it is now possible to specify whether encryption is set for fence agent fields in the Power Management tab of the New Host and Edit Host windows. This enhancement addresses cases where certain fence agents require the ability to set whether a field is encrypted.
Clone Of:
Environment:
Last Closed: 2016-03-09 20:31:53 UTC
oVirt Team: Infra
sherold: Triaged+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:0376 normal SHIPPED_LIVE Red Hat Enterprise Virtualization Manager 3.6.0 2016-03-10 01:20:52 UTC
oVirt gerrit 38392 master MERGED core,restapi,webadmin: encrypt fence agent options Never
Red Hat Knowledge Base (Solution) 460823 None None None Never

Description Marko Karg 2013-08-14 09:49:24 UTC
Description of problem:

We're missing a field for the parameter snmp_priv_passwd in the RHEV UI window for the host powermanagement. Thus they are forced to enter it in cleartext in the options field, which for them is a security concern and in general is error prone. 

Version-Release number of selected component (if applicable):

RHEV 3.2 

How reproducible:

always

Steps to Reproduce:
1. go to the power management settings
2. set the type to fence_apc_snmp
3. check the fields - there is none for the snmp_priv_passwd

Actual results:

The fields missing and has to be set up via the options

Expected results:

Fields for all possible parameters for the fence_apc_snmp type (for all fence devices we support would of course be best).
Fields that contain passwords should be non-cleartext fields and contents should be displayed as asterisks.

Additional info:

N/A

Comment 1 Eli Mesika 2013-11-07 14:26:20 UTC
(In reply to Marko Karg from comment #0)
> Description of problem:
> 
> We're missing a field for the parameter snmp_priv_passwd in the RHEV UI
> window for the host powermanagement. Thus they are forced to enter it in
> cleartext in the options field, which for them is a security concern and in
> general is error prone. 
> 
> Version-Release number of selected component (if applicable):
> 
> RHEV 3.2 
> 
> How reproducible:
> 
> always
> 
> Steps to Reproduce:
> 1. go to the power management settings
> 2. set the type to fence_apc_snmp
> 3. check the fields - there is none for the snmp_priv_passwd
> 
> Actual results:
> 
> The fields missing and has to be set up via the options
> 
> Expected results:
> 
> Fields for all possible parameters for the fence_apc_snmp type (for all
> fence devices we support would of course be best).
> Fields that contain passwords should be non-cleartext fields and contents
> should be displayed as asterisks.

This is fully supported by putting in the options field "P=<value>"

The agent list handles 3 special parameters that are common to all PM agents 

1) Secure flag
2) Port
3) Slot

All other parameters should be issued in the options field with the following format

<key1>=<val1>, ...... <keyN>=<valN>

I think that this RFE should be closed

Comment 2 Andrew Cathrow 2013-11-07 22:15:10 UTC
I'm not sure it merits closing - seems like a UI nit pick. However I don't understand the more secure part?

Comment 3 Barak 2013-12-26 11:53:51 UTC
Marek,

Can you please explain the what is the difference between the user/pass (that we can configure in apc_snmp) to the snmp_priv_passwd field the customer wants to add.

Comment 4 Marek Grac 2014-01-02 10:49:19 UTC
@Barak,

In SNMPv3 there are 3 levels of security:
* noAuthnoPriv - only community name is used
* AuthNoPriv - authentication (normal password)
* AuthPriv - authentication & encryption of SNMP password (snmp_priv_password)

Comment 5 Barak 2014-01-14 13:13:43 UTC
Eli there is an option to add a simple checkbox whether to encrypt the options,
This will solve the unencryped password in the DB, but the vdsm will still log it.
This will not make it into 3.4 , hence moving to rhevm-future

Eli please add the full description of this option in terms of building blocks.

Comment 6 Eli Mesika 2014-01-14 13:59:15 UTC
(In reply to Barak from comment #5)

> Eli please add the full description of this option in terms of building
> blocks.

DB :
     Add a field (boolean) indicating if to encrypt options or not - default false (so no need to handle upgrade of the options field content)

ENGINE :
     Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options field according to the flag

API :
     Adding support for the additional flag in POST/PUT/GET 

As stated in comment 5 , options will stay plain-text in teh VDSM level

Arthur ?

Comment 8 Yaniv Lavi 2015-02-01 14:44:58 UTC
(In reply to Eli Mesika from comment #6)
> (In reply to Barak from comment #5)
> 
> > Eli please add the full description of this option in terms of building
> > blocks.
> 
> DB :
>      Add a field (boolean) indicating if to encrypt options or not - default
> false (so no need to handle upgrade of the options field content)
> 
> ENGINE :
>      Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options
> field according to the flag
> 
> API :
>      Adding support for the additional flag in POST/PUT/GET 
> 
> As stated in comment 5 , options will stay plain-text in teh VDSM level
> 
> Arthur ?

This option sound good to me.
Moving to consider to 3.6.0.

Comment 9 Einav Cohen 2015-02-15 15:14:37 UTC
Alexander: details on Comment #6, please contact Eli before starting the implementation to verify that what you intend to do is what actually needed. 
thanks.

Comment 10 Einav Cohen 2015-03-05 13:35:46 UTC
Alexander - should be in POST (since there is a patch)?

Comment 11 Alexander Wels 2015-03-06 19:34:42 UTC
Yes, hadn't gotten around to the book keeping yet.

Comment 14 Antonin Pagac 2015-05-05 12:28:40 UTC
Build ID: 3.6.0-1

Verified.

DB:
Table 'fence_agents' contains 'encrypt_options', and if set, the options are encrypted.

ENGINE:
There is a 'Encrypt options' checkbox when 'apc_snmp' power management type is chosen.

API:
In /ovirt-engine/api/hosts/<HOST_ID>/fenceagents/<FENCEAGENT_ID> is '<encrypt_options>' flag.

Comment 16 errata-xmlrpc 2016-03-09 20:31:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html


Note You need to log in before you can comment on or make changes to this bug.