----- Original Message -----
> From: "Alon Bar-Lev" <[email protected]>
> To: "Eli Mesika" <[email protected]>
> Cc: "Keith Robertson" <[email protected]>, "Juan Hernandez" <[email protected]>, "engine-devel" <[email protected]>, "pmatouse" <[email protected]>
> Sent: Sunday, May 5, 2013 10:17:28 AM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
> ----- Original Message -----
> > From: "Eli Mesika" <[email protected]>
> > To: "Keith Robertson" <[email protected]>, "Alon Bar-Lev" <[email protected]>, "Juan Hernandez" <[email protected]>
> > Cc: "engine-devel" <[email protected]>, "pmatouse" <[email protected]>
> > Sent: Sunday, May 5, 2013 10:13:59 AM
> > Subject: Re: [Engine-devel] Dropping encryption of database password
> >
> > ----- Original Message -----
> > > From: "Alon Bar-Lev" <[email protected]>
> > > To: "Keith Robertson" <[email protected]>
> > > Cc: "Juan Hernandez" <[email protected]>, "engine-devel" <[email protected]>, "pmatouse" <[email protected]>
> > > Sent: Wednesday, May 1, 2013 9:40:13 PM
> > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > >
> > > ----- Original Message -----
> > > > From: "Keith Robertson" <[email protected]>
> > > > To: "Alon Bar-Lev" <[email protected]>
> > > > Cc: "Josh Bressers" <[email protected]>, "Juan Hernandez" <[email protected]>, "engine-devel" <[email protected]>, "pmatouse" <[email protected]>, "Sandro Bonazzola" <[email protected]>
> > > > Sent: Wednesday, May 1, 2013 9:31:15 PM
> > > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > > >
> > > > On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:
> > > > > Thank you.
> > > > > This is what I wrote in my initial post.
> > > > > The only users who should access this password is ovirt user and root user.
> > > > >
> > > > > Regards,
> > > > > Alon Bar-Lev.
> > > >
> > > > Alon,
> > > > I agree with the desire to store the PW in plaintext and in a
> > > > non-obfuscated manner. In this case, obfuscation really doesn't gain
> > > > anything.
> > > >
> > > > I would suggest, however, that the migration to plaintext be coordinated
> > > > with a simultaneous patch to the Log Collector. It does have a
> > > > dependency on the current architecture.
> > > >
> > > > Keith
> > > >
> > >
> > > Hi,
> > >
> > > As far as I know it reads the plain text from .pgpass, we need to modify it
> > > to search within the alternate format as well.
> >
> > We are using the original .pgpass file that is in 0600 mode (have access
> > only to root)
> > If the file does not have this mode, it is ignored by Postgres
> > I see no security issue in that ...
> >
> > Please see details in
> > http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
>
> I am going to drop the .pgpass file in favor of other configuration file and
> produce .pgpass at will.
> This is because:
> 1. The proprietary format of .pgpass is not friendly to parsing.
> 2. It does not hold the SSL setting.
> 3. It does not hold the SSL host validation setting.
> 4. It will be more difficult to modify user password.
>
> This file is also 0600 owned by engine but in key=value format, so no change
> as far as security is concerned.

That's OK from my point ....

>
> Thanks!
> Alon.
>
> > >
> > > Thanks,
> > > Alon
> > > _______________________________________________
> > > Engine-devel mailing list
> > > [email protected]
> > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > >
_______________________________________________
Engine-devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-devel
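
The approach discussed in this thread (a 0600 key=value file from which .pgpass is produced on demand) can be sketched as follows. This is an added example, not part of the original messages and not oVirt code; the key names (`DB_HOST`, `DB_PORT`, `DB_NAME`, `DB_USER`, `DB_PASSWORD`) and the function names are hypothetical.

```python
import os
import stat

# Hypothetical key names; the thread only says the new file is key=value.
FIELDS = ("DB_HOST", "DB_PORT", "DB_NAME", "DB_USER", "DB_PASSWORD")


def parse_kv(text):
    """Parse KEY=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def pgpass_escape(field):
    """Escape backslash and ':' as libpq requires inside a .pgpass field."""
    return field.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(conf):
    """Build hostname:port:database:username:password from the parsed keys."""
    return ":".join(pgpass_escape(conf[k]) for k in FIELDS)


def private_enough(path):
    """True if group/other have no access; libpq ignores .pgpass otherwise."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def write_pgpass(conf_path, pgpass_path):
    """Refuse a loosely permissioned source, then create the output as 0600."""
    if not private_enough(conf_path):
        raise PermissionError(f"{conf_path} is accessible by group/other")
    with open(conf_path) as f:
        line = pgpass_line(parse_kv(f.read()))
    # O_EXCL plus mode 0600 at creation: the password never sits on disk
    # with wider bits, and an existing file or symlink is not followed.
    fd = os.open(pgpass_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(line + "\n")
    return line
```
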
