Bug 996926 - [RFE] Additional fields for fence_apc_snmp in the RHEV UI
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 3.2.0
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assigned To: Alexander Wels
QA Contact: Antonin Pagac
Keywords: FutureFeature, Improvement
Reported: 2013-08-14 05:49 EDT by Marko Karg
Modified: 2016-03-09 15:31 EST

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, it is now possible to specify whether encryption is set for fence agent fields in the Power Management tab of the New Host and Edit Host windows. This enhancement addresses cases where certain fence agents require the ability to set whether a field is encrypted.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-09 15:31:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sherold: Triaged+


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 460823 | None | None | None | Never
oVirt gerrit | 38392 | master | MERGED | core,restapi,webadmin: encrypt fence agent options | Never

Description Marko Karg 2013-08-14 05:49:24 EDT
Description of problem:

We're missing a field for the parameter snmp_priv_passwd in the RHEV UI window for the host power management. Thus they are forced to enter it in cleartext in the options field, which for them is a security concern and in general is error prone.

Version-Release number of selected component (if applicable):

RHEV 3.2 

How reproducible:

always

Steps to Reproduce:
1. go to the power management settings
2. set the type to fence_apc_snmp
3. check the fields - there is none for the snmp_priv_passwd

Actual results:

The field is missing and has to be set up via the options

Expected results:

Fields for all possible parameters for the fence_apc_snmp type (for all fence devices we support would of course be best).
Fields that contain passwords should be non-cleartext fields and contents should be displayed as asterisks.

Additional info:

N/A
Comment 1 Eli Mesika 2013-11-07 09:26:20 EST
(In reply to Marko Karg from comment #0)
> Description of problem:
> 
> We're missing a field for the parameter snmp_priv_passwd in the RHEV UI
> window for the host power management. Thus they are forced to enter it in
> cleartext in the options field, which for them is a security concern and in
> general is error prone. 
> 
> Version-Release number of selected component (if applicable):
> 
> RHEV 3.2 
> 
> How reproducible:
> 
> always
> 
> Steps to Reproduce:
> 1. go to the power management settings
> 2. set the type to fence_apc_snmp
> 3. check the fields - there is none for the snmp_priv_passwd
> 
> Actual results:
> 
> The field is missing and has to be set up via the options
> 
> Expected results:
> 
> Fields for all possible parameters for the fence_apc_snmp type (for all
> fence devices we support would of course be best).
> Fields that contain passwords should be non-cleartext fields and contents
> should be displayed as asterisks.

This is fully supported by putting in the options field "P=<value>"

The agent list handles 3 special parameters that are common to all PM agents 

1) Secure flag
2) Port
3) Slot

All other parameters should be issued in the options field with the following format

<key1>=<val1>, ...... <keyN>=<valN>

I think that this RFE should be closed
Comment 2 Andrew Cathrow 2013-11-07 17:15:10 EST
I'm not sure it merits closing - seems like a UI nit pick. However I don't understand the more secure part?
Comment 3 Barak 2013-12-26 06:53:51 EST
Marek,

Can you please explain what the difference is between the user/pass (that we can configure in apc_snmp) and the snmp_priv_passwd field the customer wants to add?
Comment 4 Marek Grac 2014-01-02 05:49:19 EST
@Barak,

In SNMPv3 there are 3 levels of security:
* noAuthnoPriv - only community name is used
* AuthNoPriv - authentication (normal password)
* AuthPriv - authentication & encryption of SNMP password (snmp_priv_password)
Comment 5 Barak 2014-01-14 08:13:43 EST
Eli, there is an option to add a simple checkbox whether to encrypt the options.
This will solve the unencrypted password in the DB, but the vdsm will still log it.
This will not make it into 3.4, hence moving to rhevm-future

Eli please add the full description of this option in terms of building blocks.
Comment 6 Eli Mesika 2014-01-14 08:59:15 EST
(In reply to Barak from comment #5)

> Eli please add the full description of this option in terms of building
> blocks.

DB :
     Add a field (boolean) indicating if to encrypt options or not - default false (so no need to handle upgrade of the options field content)

ENGINE :
     Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options field according to the flag

API :
     Adding support for the additional flag in POST/PUT/GET 

As stated in comment 5, options will stay plain-text in the VDSM level

Arthur ?
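
An added example, not part of the bug thread and not oVirt or VDSM code: comment 5 notes that the options string is still logged in plain text at the VDSM level, so this Python function masks secret values in a `<key>=<val>, ...` options string before it reaches a log. The function name, the mask, and the set of sensitive keys (only `snmp_priv_passwd` and its short form `P` come from the thread) are assumptions.

```python
# Assumption: keys whose values are secrets. Only snmp_priv_passwd and "P"
# appear in the thread; matching is case-insensitive. Extend per fence agent.
SENSITIVE_KEYS = frozenset({"snmp_priv_passwd", "p"})
MASK = "********"


def redact_fence_options(options, sensitive=SENSITIVE_KEYS):
    """Return a copy of a fence agent options string that is safe to log.

    Input format, as given in comment 1: <key1>=<val1>, ... <keyN>=<valN>
    """
    out = []
    prev_secret = False
    for raw in options.split(","):
        token = raw.strip()
        if not token:
            continue
        # Split on the first '=' only, so a value may itself contain '='.
        key, sep, value = token.partition("=")
        if sep:
            key = key.strip()
            prev_secret = key.lower() in sensitive
            out.append(f"{key}={MASK}" if prev_secret else f"{key}={value.strip()}")
        elif prev_secret:
            # A token without '=' right after a secret may be the tail of a
            # password that contained a comma: mask it rather than leak it.
            out.append(MASK)
        else:
            out.append(token)  # bare flag with no value
    return ",".join(out)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    sample = "snmp_sec_level=authPriv, snmp_priv_passwd=Secr3t,tail, verbose"
    print(redact_fence_options(sample))
```

The function over-masks on purpose: any value-less token that follows a secret is hidden. A secret whose tail after a comma itself contains `=` cannot be told apart from a real option, which is one more reason to keep such values out of the free-text field.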
Comment 8 Yaniv Lavi (Dary) 2015-02-01 09:44:58 EST
(In reply to Eli Mesika from comment #6)
> (In reply to Barak from comment #5)
> 
> > Eli please add the full description of this option in terms of building
> > blocks.
> 
> DB :
>      Add a field (boolean) indicating if to encrypt options or not - default
> false (so no need to handle upgrade of the options field content)
> 
> ENGINE :
>      Adding handling in VDSDbFacadeImpl for encrypt/decrypt the options
> field according to the flag
> 
> API :
>      Adding support for the additional flag in POST/PUT/GET 
> 
> As stated in comment 5, options will stay plain-text in the VDSM level
> 
> Arthur ?

This option sounds good to me.
Moving to consider to 3.6.0.
Comment 9 Einav Cohen 2015-02-15 10:14:37 EST
Alexander: details on Comment #6, please contact Eli before starting the implementation to verify that what you intend to do is what is actually needed.
thanks.
Comment 10 Einav Cohen 2015-03-05 08:35:46 EST
Alexander - should be in POST (since there is a patch)?
Comment 11 Alexander Wels 2015-03-06 14:34:42 EST
Yes, hadn't gotten around to the bookkeeping yet.
Comment 14 Antonin Pagac 2015-05-05 08:28:40 EDT
Build ID: 3.6.0-1

Verified.

DB:
Table 'fence_agents' contains 'encrypt_options', and if set, the options are encrypted.

ENGINE:
There is an 'Encrypt options' checkbox when 'apc_snmp' power management type is chosen.

API:
In /ovirt-engine/api/hosts/<HOST_ID>/fenceagents/<FENCEAGENT_ID> is '<encrypt_options>' flag.
Comment 16 errata-xmlrpc 2016-03-09 15:31:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html
