
Bug 1052202

Summary: [rhevm-dwh-setup] rhevm-dwh-setup drops '"' from read db password
Product: Red Hat Enterprise Virtualization Manager Reporter: Jiri Belka <jbelka>
Component: ovirt-engine-dwh Assignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA QA Contact: Barak Dagan <bdagan>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.0 CC: aberezin, acathrow, adahms, alonbl, bazulay, didi, gklein, iheim, jbelka, pstehlik, Rhev-m-bugs, sbonazzo, scohen, yeylon, ylavi
Target Milestone: --- Keywords: ZStream
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, including a double quotation mark in the password for the history database would cause the ovirt-engine-dwh-setup command to fail due to an authentication error. This was caused by the double quotation marks not being considered a part of the password. Now, the ovirt-engine-dwh-setup command disallows the characters '"', '\', '#', and '$'.
Story Points: ---
Clone Of:
: 1065781 (view as bug list) Environment:
Last Closed: 2014-06-09 15:16:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1065781, 1078909, 1142926    

Description Jiri Belka 2014-01-13 13:46:03 UTC
Description of problem:

The problem is how rhevm-dwh-setup (and its friends) get DB password.
I modified the code to print env and content of PGPASSFILE.

As you can see closing '"' is dropped from password! Discovered as part of BZ922854.

[root@bz ~]# diff -uNp /usr/share/ovirt-engine-dwh/ /usr/share/ovirt-engine-dwh/
--- /usr/share/ovirt-engine-dwh/    2014-01-13 11:35:23.384086498 +0100
+++ /usr/share/ovirt-engine-dwh/ 2014-01-13 11:31:31.633114947 +0100
@@ -936,6 +936,10 @@ def execCmd(
         env["PGPASSFILE"] = FILE_PG_PASS
+    ##kuku
+    print env
     # We use close_fds to close any file descriptors we have so it won't be copied to forked childs
     proc = subprocess.Popen(
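
Review bot: the added `print env` directly after `env["PGPASSFILE"] = FILE_PG_PASS` writes the entire process environment to the console, which is far more than this investigation needs and puts the path of the temporary password file into any captured terminal output. Print only `env["PGPASSFILE"]` (and `ENGINE_PGPASS` where set), send it to the debug log instead of stdout, and replace the `##kuku` marker with a comment saying the lines are temporary instrumentation. The hunk header also declares four added lines (`-936,6 +936,10`) while only two `+` lines are shown, so the part that prints the PGPASSFILE content is not visible here and cannot be checked.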

[root@bz ~]# rhevm-dwh-setup
Welcome to ovirt-engine-dwh setup utility

{'HISTTIMEFORMAT': '%F %T ', 'LESSOPEN': '|/usr/bin/ %s', 'SSH_CLIENT': ' 37502 22', 'CVS_RSH': 'ssh', 'LOGNAME': 'root', 'USER': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin', 'LANG': 'en_US.utf8', 'TERM': 'screen', 'SHELL': '/bin/bash', 'SHLVL': '1', 'G_BROKEN_FILENAMES': '1', 'HISTSIZE': '1000', 'ENGINE_PGPASS': '/tmp/pgpassHIEOqx.tmp', 'XMODIFIERS': '@im=none', 'SSH_AUTH_SOCK': '/tmp/ssh-uryjL27870/agent.27870', 'PGPASSFILE': '/tmp/pgpassHIEOqx.tmp', 'SELINUX_ROLE_REQUESTED': '', '_': '/usr/bin/rhevm-dwh-setup', 'LS_COLORS': 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:', 'SSH_TTY': '/dev/pts/0', 'HOSTNAME': '', 'SELINUX_LEVEL_REQUESTED': '', 'HISTCONTROL': 'ignoredups', 'PWD': '/root', 
'SELINUX_USE_CURRENT_RANGE': '', 'MAIL': '/var/spool/mail/root', 'SSH_CONNECTION': ' 37502 22'}
# DB USER credentials.*:engine_history:0080MSJr*:remoteengine:Z6AA&quot;4txi\;4txi\
Error encountered while installing rhevm-dwh, please consult the log file: /var/log/ovirt-engine/rhevm-dwh-setup-2014_01_13_11_31_33.log
[root@bz ~]# grep -i pass /etc/ovirt-engine/engine.conf.d/10-setup-database.conf 

[root@bz ~]# cat /var/log/ovirt-engine/rhevm-dwh-setup-2014_01_13_11_31_33.log
2014-01-13 11:31:33::DEBUG::rhevm-dwh-setup::408::root:: starting main()
2014-01-13 11:31:33::DEBUG::common_utils::446::root:: running sql query on host:, port: 5432, db: remoteengine, user: remoteengine, query: 'copy (
        select option_value from vdc_options
        where option_name like 'MinimalETLVersion'
    ) to stdout with csv header;'.
2014-01-13 11:31:33::DEBUG::common_utils::907::root:: Executing command --> '/usr/bin/psql --pset=tuples_only=on --set ON_ERROR_STOP=1 --dbname remoteengine --host --port 5432 --username remoteengine -w -c copy (
        select option_value from vdc_options
        where option_name like 'MinimalETLVersion'
    ) to stdout with csv header;' in working directory '/root'
2014-01-13 11:31:33::DEBUG::common_utils::966::root:: output = 
2014-01-13 11:31:33::DEBUG::common_utils::967::root:: stderr = psql: FATAL:  password authentication failed for user "remoteengine"

2014-01-13 11:31:33::DEBUG::common_utils::968::root:: retcode = 2
2014-01-13 11:31:33::ERROR::rhevm-dwh-setup::685::root:: Exception caught!
2014-01-13 11:31:33::ERROR::rhevm-dwh-setup::686::root:: Traceback (most recent call last):
  File "/usr/bin/rhevm-dwh-setup", line 431, in main
  File "/usr/share/ovirt-engine-dwh/", line 151, in getVDCOption
    envDict={'ENGINE_PGPASS': temp_pgpass}
  File "/usr/share/ovirt-engine-dwh/", line 432, in parseRemoteSqlCommand
  File "/usr/share/ovirt-engine-dwh/", line 470, in execSqlCmd
    output, rc = execCmd(cmdList=cmd, failOnError=fail_on_error, msg=err_msg, envDict=envDict)
  File "/usr/share/ovirt-engine-dwh/", line 971, in execCmd
    raise Exception(msg)
Exception: Failed running sql query

Version-Release number of selected component (if applicable):
is31 rhevm-dwh-3.3.0-27.el6ev.noarch

How reproducible:

Steps to Reproduce:
1. have a remote db install environment working (base rhevm) with password engine with '"' (see above for password)
2. yum install rhevm-dwh
3. rhevm-dwh-setup

Actual results:
failure because of authentication (password not read correctly)

Expected results:
read password with all funny chars in it correctly

Additional info:

Comment 1 Jiri Belka 2014-01-14 08:56:20 UTC
*** Bug 1052848 has been marked as a duplicate of this bug. ***

Comment 2 Yedidyah Bar David 2014-01-14 11:30:10 UTC
This happens due to us removing all '"' from all credentials. In
                    db_dict[k] = s.strip('"')

To fix this properly, we should not do that, and instead of parsing ourselves, use the module configfile from ovirt-engine-lib (rhevm-lib). This module does not support writing, just reading, so a partial solution will be to copy the parsing from it to the current parser (

For the meantime, we might want to add a note to the release notes that a remote db user's password should not contain '"'.

Comment 3 Jiri Belka 2014-01-14 11:40:49 UTC
Well I think the password should be saved in its real form. Right now the code escapes and saves escaped specific chars in password. See:

[root@bz ~]# grep -i pass /etc/ovirt-engine/engine.conf.d/10-setup-database.conf 

Real password's form is: Z6AA&quot;4txi"

I have never seen any application saving plain-text password in files escaped.

Comment 4 Yedidyah Bar David 2014-01-14 12:43:11 UTC
(In reply to Jiri Belka from comment #3)
> Well I think the password should be saved in its real form. Right now the
> code escapes and saves escaped specific chars in password. See:
> [root@bz ~]# grep -i pass
> /etc/ovirt-engine/engine.conf.d/10-setup-database.conf 
> ENGINE_DB_PASSWORD="Z6AA&quot;4txi\""
> Real password's form is: Z6AA&quot;4txi"
> I have never seen any application saving plain-text password in files
> escaped.

Any application whose configuration is intended to be parsed by a shell does that. E.g. most of the files in /etc/sysconfig.

It's not specific to the password, btw.

These files are read by at least 3 different parsers:
1. They are sourced by sh - in
2. They are read by Java code, in
3. They are read by the above-mentioned configfile python code

dwh and reports have their own simple parser (two unsynced copies of it) and as I said we better get rid of it in favor of configfile.

Anyway, accepting your suggestion of keeping unescaped strings in these files means rewriting quite a lot of code. So it won't happen.
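
The difference between stripping quotes (comment 2) and undoing shell quoting (comment 4), as an added example that is not the project's code and does not use the configfile module from ovirt-engine-lib. The function names are hypothetical, `shlex` stands in for the shell's double-quote rules, and the sample line and password are the ones quoted in comments 3 and 4.

```python
import shlex

# Constructed sample: the config line quoted in comment 4.
CONF_LINE = r'ENGINE_DB_PASSWORD="Z6AA&quot;4txi\""'

# Characters the Doc Text says the fixed setup command disallows.
FORBIDDEN = set('"\\#$')


def parse_naive(line):
    """Mimic the reported parser: strip every '"' from both ends of the value."""
    key, _, raw = line.partition("=")
    return key.strip(), raw.strip().strip('"')


def parse_shell_style(line):
    """Undo the quoting the way a shell sourcing the file would (via shlex)."""
    key, _, raw = line.partition("=")
    tokens = shlex.split(raw, posix=True)
    if len(tokens) != 1:
        raise ValueError("expected exactly one value for %s" % key.strip())
    return key.strip(), tokens[0]


def shell_quote_value(value):
    """Write a value back in double quotes, escaping what sh treats specially there."""
    escaped = "".join("\\" + ch if ch in '"\\$`' else ch for ch in value)
    return '"' + escaped + '"'


def forbidden_chars(password):
    """Return the characters in the password that the fixed setup would reject."""
    return sorted(set(password) & FORBIDDEN)


if __name__ == "__main__":
    print("naive      :", parse_naive(CONF_LINE)[1])        # trailing '"' lost, '\' left behind
    print("shell-style:", parse_shell_style(CONF_LINE)[1])  # the real password
    print("rejected   :", forbidden_chars(parse_shell_style(CONF_LINE)[1]))
```

The naive result is the value that ends up in the temporary pgpass file, which is why psql reports an authentication failure.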

Comment 5 Yaniv Lavi 2014-01-16 17:02:38 UTC
Barak, do we want this fixed for z stream?


Comment 6 Alon Bar-Lev 2014-01-16 21:59:38 UTC
simplest solution for now is just to forbid '"', if you can please check the new setup and see if problem exists there.

Comment 7 Yedidyah Bar David 2014-01-27 23:30:47 UTC
Do we want this fixed in 3.3.z?

See comment #4 for the (somewhat) complex fix this will require. In 3.4 the setup is rewritten and so porting a fix from there to 3.3 is not practical.

As Alon said, we can simply forbid '"' in passwords for 3.3.

Comment 9 Barak 2014-01-29 13:51:36 UTC

We intend to ban the use of '"' in the setup entirely (this is consistent with the engine's behaviour (see comment #7)).

Please ack

Comment 13 Yedidyah Bar David 2014-02-17 09:20:01 UTC
Moving to QA as 24464 is irrelevant for 3.4 - the code there was rewritten and should behave well.

Comment 14 Barak Dagan 2014-03-10 14:43:50 UTC
Verified on av2.1




# grep -i pass /etc/ovirt-engine/engine.conf.d/10-setup-database.conf 

Reports installation passed.

Is that enough Jiri ?

Comment 15 Jiri Belka 2014-03-11 09:01:23 UTC

Comment 16 errata-xmlrpc 2014-06-09 15:16:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.