Bug 1513620 - Evm.log contains passwords
Summary: Evm.log contains passwords
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-sdk-ruby
Classification: oVirt
Component: Core
Version: 4.1.12
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: ovirt-4.1.8
Target Release: 4.1.13
Assignee: Juan Hernández
QA Contact: Radim Hrazdil
URL:
Whiteboard:
Depends On:
Blocks: 1512977
Reported: 2017-11-15 17:05 UTC by Juan Hernández
Modified: 2017-12-11 16:31 UTC (History)

Fixed In Version: 4.1.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1512977
Environment:
Last Closed: 2017-12-11 16:31:25 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1+


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 84210 master MERGED Don't include sensible data in `inspect` 2017-11-16 07:58:17 UTC
oVirt gerrit 84226 sdk_4.1 MERGED Don't include sensible data in `inspect` 2017-11-16 08:10:40 UTC

Description Juan Hernández 2017-11-15 17:05:36 UTC
+++ This bug was initially created as a clone of Bug #1512977 +++

Description of problem:
Added RHEVM Infrastructure provider, there is some error in fetching data from it.
Checking evm.log file, I can see my RHEVM provider's password logged as open text.


Version-Release number of selected component (if applicable):
5.9.0.8.20171109215303_ed87902

How reproducible:
When there is some ERROR in fetching data from RHEVM provider.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-11-14 09:32:45 EST ---

Since this issue was entered in bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Hayk Hovsepyan on 2017-11-14 12:09:01 EST ---

Error is logged when RHEVM connection has timeouts:

[----] E, [2017-11-14T04:29:44.020407 #6232:119313c] ERROR -- : MIQ(ManageIQ::Providers::Redhat::InfraManager::FuturesCollector#wait_on_all_futures_ignoring_results) failed waiting on #<ManageIQ::Providers::Redhat::InfraManager::FuturesCollector::KeyedValue:0x0000000bf5dbf0 @key="vm_985c787c-1cc5-4e7b-9cb4-390243021336_disk_attachments", @value=#<OvirtSDK4::Future:0x0000000bf5dd58 @service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 @parent=#<OvirtSDK4::VmService:0x0000000bf5f7c0 @parent=#<OvirtSDK4::VmsService:0x00000003b1e4e8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 @parent=#<OvirtSDK4::Connection:0x0000000baaa220 @url="MY_URL", @username="MY_USERNAME", @password="MY_PASSWORD", @token="jdkdS4QnGIQ6IDOLqQHJNHuPJqbNXQ57YMc7DZMMXvCpolYN6yptI-sU59apiwsSC_8iMkmj9VmIo-Reu32Tdg", @insecure=true, @ca_file=nil, @ca_certs=nil, @debug=false, @log=#<Vmdb::Loggers::MulticastLogger:0x000000029579a8 @loggers=#<Set: {#<VMDBLogger:0x00000002957c50 @progname=nil, @level=1, @default_formatter=#<Logger::Formatter:0x00000002957bd8 @datetime_format=nil>, @formatter=#<VMDBLogger::Formatter:0x00000002957a98 @datetime_format=nil>, @logdev=#<Logger::LogDevice:0x00000002957b60 @shift_size=1048576, @shift_age=0, @filename=#<Pathname:/var/www/miq/vmdb/log/rhevm.log>, @dev=#<File:/var/www/miq/vmdb/log/rhevm.log>, @mon_owner=nil, @mon_count=0, @mon_mutex=#<Thread::Mutex:0x00000002957b38>>, @write_lock=#<Thread::Mutex:0x00000002957a70>, @local_levels={}, @thread_hash_level_key=:"ThreadSafeLogger#21675560@level">}>, @level=1, @thread_hash_level_key=:"ThreadSafeLogger#21675220@level">, @kerberos=false, @timeout=3600, @compress=true, @proxy_url=nil, @proxy_username=nil, @proxy_password=nil, @headers=nil, @connections=0, @pipeline=0, @ca_store=nil, @mutex=#<Thread::Mutex:0x0000000baaa158>, @client=#<OvirtSDK4::HttpClient:0x0000000baa9f28>, @system_service=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>>, @path="", @clusters_service=#<OvirtSDK4::ClustersService:0x00000003b10f50 
@parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="clusters">, @storage_domains_service=#<OvirtSDK4::StorageDomainsService:0x00000003b15118 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="storagedomains">, @hosts_service=#<OvirtSDK4::HostsService:0x00000003b19b00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="hosts">, @vms_service=#<OvirtSDK4::VmsService:0x00000003b1e4e8 ...>, @templates_service=#<OvirtSDK4::TemplatesService:0x00000003b20d60 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="templates">, @networks_service=#<OvirtSDK4::NetworksService:0x00000003b2bd00 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="networks">, @data_centers_service=#<OvirtSDK4::DataCentersService:0x00000003b28ee8 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="datacenters">, @disks_service=#<OvirtSDK4::DisksService:0x00000003b31908 @parent=#<OvirtSDK4::SystemService:0x0000000baa9280 ...>, @path="disks">>, @path="vms">, @path="985c787c-1cc5-4e7b-9cb4-390243021336", @disk_attachments_service=#<OvirtSDK4::DiskAttachmentsService:0x0000000bf5f658 ...>>, @path="diskattachments">, @request=#<OvirtSDK4::HttpRequest:0x0000000bf5f4c8>, @block=#<Proc:0x0000000bf5dc90@/opt/rh/rh-ruby23/root/usr/share/gems/gems/ovirt-engine-sdk-4.1.9/lib/ovirtsdk4/service.rb:149>>>, due to: Can't send request: SSL connect error

--- Additional comment from Juan Hernández on 2017-11-15 12:00:51 EST ---

This problem could be solved by avoiding the use of the `inspect` method when writing log messages. But as that seems to be a common practice, we will instead modify the SDK so that the `inspect` and `to_s` methods do not include sensitive information like the user name and password in the string that they return.

Comment 1 Juan Hernández 2017-11-28 17:16:35 UTC
To verify, create a script that creates a connection and prints it:

---8<---
require 'logger'
require 'ovirtsdk4'

# Create the connection to the server:
connection = OvirtSDK4::Connection.new(
  url: 'https://engine42.local/ovirt-engine/api',
  username: 'admin@internal',
  password: 'redhat123',
  insecure: true,
  debug: true,
  log: Logger.new('test.log')
)

# Print the connection:
puts("connection.to_s: #{connection.to_s}")
puts("connection.inspect: #{connection.inspect}")

# Print a service:
service = connection.system_service.vms_service
puts("service.to_s: #{service.to_s}")
puts("service.inspect: #{service.inspect}")

# Close the connection to the server:
connection.close
--->8---

The result should *not* contain the password; it should be the following:

  connection.to_s: #<OvirtSDK4::Connection:https://engine42.local/ovirt-engine/api>
  connection.inspect: #<OvirtSDK4::Connection:https://engine42.local/ovirt-engine/api>
  service.to_s: #<OvirtSDK4::VmsService:vms>
  service.inspect: #<OvirtSDK4::VmsService:vms>
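The leak and the fix discussed in this bug, as an added example (not the SDK's code and not part of the original comments). The classes `LeakyConnection`, `SafeConnection`, `DemoService` and `SafeService` are hypothetical stand-ins, and the URL and credentials are constructed; it shows how a default `inspect` walks a nested `@parent` reference into the log and how overriding `inspect`/`to_s` stops it.

```ruby
require 'logger'
require 'stringio'

# Hypothetical stand-ins for an SDK connection and a service that keeps a
# reference to its parent; these are not the OvirtSDK4 classes.
class LeakyConnection
  def initialize(url:, username:, password:)
    @url = url
    @username = username
    @password = password
  end
end

class SafeConnection < LeakyConnection
  # Show only the class name and URL, never the credentials.
  def inspect
    "#<#{self.class.name}:#{@url}>"
  end
  alias to_s inspect
end

class DemoService
  def initialize(parent, path)
    @parent = parent
    @path = path
  end
end

class SafeService < DemoService
  # Show only the class name and path, without descending into @parent.
  def inspect
    "#<#{self.class.name}:#{@path}>"
  end
  alias to_s inspect
end

# Log an error the way the failing code did: by interpolating `inspect`.
def logged_error(object)
  io = StringIO.new
  Logger.new(io).error("failed waiting on #{object.inspect}, due to: SSL connect error")
  io.string
end

# Constructed sample values.
CREDS = { url: 'https://engine.example/api', username: 'admin@internal', password: 'constructed-secret' }

LEAKY_LOG = logged_error(DemoService.new(LeakyConnection.new(**CREDS), 'vms'))
MIXED_LOG = logged_error(DemoService.new(SafeConnection.new(**CREDS), 'vms'))
SAFE_LOG  = logged_error(SafeService.new(SafeConnection.new(**CREDS), 'vms'))
```

`MIXED_LOG` is the case worth noting: redacting at the connection protects any other object that merely holds a reference to it, even when that object still uses the default `inspect`.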

Comment 2 Radim Hrazdil 2017-11-28 21:23:12 UTC
Verified that the script suggested by Juan doesn't print out RHEVM credentials. Used sdk version 4.2.0.beta2, RHVM 4.1.8.1-0.1.el7.

