Sandro Bonazzola has uploaded a new change for review. Change subject: sos: engine: don't collect db passwords ......................................................................
sos: engine: don't collect db passwords obfuscate sensitive keys in collected configs. avoid to collect legacy empty files. Change-Id: I169d47db602584093210bc4795ff64abc22824fc Bug-Url: https://bugzilla.redhat.com/1035826 Signed-off-by: Sandro Bonazzola <[email protected]> (cherry picked from commit 2122d59b43af58bf72f2e7bc2b614735f9362f24) (cherry picked from commit 0a858e64ed2b4145982e257d8c7802048b7fd2af) --- M src/__main__.py M src/config.py.in.in M src/sos/plugins/engine.py 3 files changed, 72 insertions(+), 4 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-log-collector refs/changes/84/23984/1
diff --git a/src/__main__.py b/src/__main__.py
index 6fef027..2ea3eb9 100755
--- a/src/__main__.py
+++ b/src/__main__.py
@@ -768,6 +768,16 @@ class ENGINEData(CollectorBase): + def prep(self): + CollectorBase.prep(self) + engine_service_config = configfile.ConfigFile([ + config.ENGINE_SERVICE_DEFAULTS, + ]) + if engine_service_config.get('SENSITIVE_KEYS'): + self.configuration['sensitive_keys'] = engine_service_config.get( + 'SENSITIVE_KEYS' + ).replace(',', ':') + def build_options(self): """ returns the parameters for sosreport execution on the local host
@@ -776,9 +786,16 @@ opts = [ "-k rpm.rpmva=off", "-k general.all_logs=True", - "-k apache.log=True" + "-k apache.log=True", ] + if self.configuration.get('sensitive_keys'): + opts.append( + '-k engine.sensitive_keys=%s' % self.configuration.get( + 'sensitive_keys' + ) + ) + if self.configuration.get("ticket_number"): opts.append( "--ticket-number=%s" % self.configuration.get("ticket_number")
diff --git a/src/config.py.in.in b/src/config.py.in.in
index 0548fdd..e75d5bf 100644
--- a/src/config.py.in.in
+++ b/src/config.py.in.in 
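Review bot: In the new ENGINEData.prep, configfile.ConfigFile([config.ENGINE_SERVICE_DEFAULTS]) is called unconditionally, and nothing in the hunk shows how ConfigFile behaves when that file is absent (a host without the engine package, or an engine build that predates SENSITIVE_KEYS); if it raises, collection aborts before build_options ever runs, so confirm it tolerates a missing file or guard the call with an existence check. The SENSITIVE_KEYS value is also fetched twice; reading it once, `keys = engine_service_config.get('SENSITIVE_KEYS')` followed by `if keys: self.configuration['sensitive_keys'] = keys.replace(',', ':')`, is clearer, and the same double lookup of self.configuration.get('sensitive_keys') recurs in the build_options hunk that follows. Only the defaults file is consulted here, so a SENSITIVE_KEYS value overridden in a drop-in config would presumably not be seen; a comment stating that the defaults file is intentionally the source would make that explicit. The ENGINEData class starts and ends outside the hunk.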
@@ -11,6 +11,14 @@ ENGINE_DEFAULTS = "@datadir_POST@/conf/engine.conf.defaults" ENGINE_CONF = "@engineconfigdir_POST@/engine.conf" +ENGINE_SERVICE_DEFAULTS = os.path.join( + '@datadir_POST@', + 'ovirt-engine', + 'services', + 'ovirt-engine', + 'ovirt-engine.conf' +) + DEFAULT_CA_PEM = "@sysconfdir_POST@/pki/ovirt-engine/ca.pem" DEFAULT_SSH_KEY = "@sysconfdir_POST@/pki/ovirt-engine/keys/engine_id_rsa" DEFAULT_CONFIGURATION_FILE = "@engineconfigdir_POST@/logcollector.conf"
diff --git a/src/sos/plugins/engine.py b/src/sos/plugins/engine.py
index 8e206c7..a06c67e 100644
--- a/src/sos/plugins/engine.py
+++ b/src/sos/plugins/engine.py
@@ -1,4 +1,5 @@ import os +import re import signal import subprocess
@@ -10,12 +11,35 @@ class engine(sos.plugintools.PluginBase): """oVirt related information""" + DB_PASS_FILES = re.compile( + flags=re.VERBOSE, + pattern=r""" + ^ + /etc/ + (rhevm|ovirt-engine)/ + engine.conf + (\.d/.+.conf)? + $ + """ + ) + + DEFAULT_SENSITIVE_KEYS = ( + 'ENGINE_DB_PASSWORD:ENGINE_PKI_TRUST_STORE_PASSWORD:' + 'ENGINE_PKI_ENGINE_STORE_PASSWORD' + ) + optionList = [ ( 'jbosstrace', 'Enable oVirt Engine JBoss stack trace generation', '', True + ), + ( + 'sensitive_keys', + 'Sensitive keys to be masked', + '', + DEFAULT_SENSITIVE_KEYS ), ]
@@ -63,6 +87,8 @@ except OSError as e: self.soslog.error('Unable to send signal to %d' % pid, e) + self.addForbiddenPath('/etc/ovirt-engine/.pgpass') + self.addForbiddenPath('/etc/rhevm/.pgpass') # Copy engine config files. self.addCopySpec("/etc/ovirt-engine") self.addCopySpec("/etc/rhevm") 
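Review bot: ENGINE_SERVICE_DEFAULTS is built with os.path.join while the neighbouring constants (ENGINE_DEFAULTS, ENGINE_CONF, DEFAULT_CA_PEM) are plain "@..._POST@/..." strings, and the hunk does not show an `import os` in config.py.in.in; confirm the import exists or write the value in the same form as its neighbours, `ENGINE_SERVICE_DEFAULTS = "@datadir_POST@/ovirt-engine/services/ovirt-engine/ovirt-engine.conf"`, which also keeps the file's style uniform. A one-line comment saying this is the engine service defaults file read for its SENSITIVE_KEYS entry would help, since the name alone does not say why the log collector needs it.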
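Review bot: In DB_PASS_FILES the dots in `engine.conf` and `.conf` are unescaped, so the pattern also accepts names such as engine-conf or engine.conf.d/fooXconf; escape them, `engine\.conf` and `(\.d/.+\.conf)?`, so only the intended files are post-processed. The `.+` inside the group also spans nested directories under engine.conf.d; if only direct drop-ins are meant, `[^/]+` is tighter. The constant's name says DB password files, yet the default key list covers the PKI store passwords too, so a comment such as `# engine.conf and its .conf.d drop-ins: the files whose sensitive_keys values get masked` (or a rename) would match what it does. The engine class continues past the hunk.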
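Review bot: The two addForbiddenPath calls exclude only .pgpass, while the addCopySpec lines immediately below still copy the whole of /etc/ovirt-engine and /etc/rhevm, and the masking added in postproc is limited to paths matching DB_PASS_FILES; any other file in those trees that stores a credential would be collected unmasked. Which other files live there is not visible from the hunk, so either extend the forbidden list after checking the tree, or add a comment stating that engine.conf and its drop-ins are the only credential-bearing files expected there. The enclosing method starts before the hunk.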
@@ -77,17 +103,34 @@ def postproc(self): """ - Obfuscate passwords. + Obfuscate sensitive keys. """ - self.doRegexSub( "/etc/ovirt-engine/engine-config/engine-config.properties", r"Password.type=(.*)", r'Password.type=********' ) - self.doRegexSub( "/etc/rhevm/rhevm-config/rhevm-config.properties", r"Password.type=(.*)", r'Password.type=********' ) + + if self.getOption('sensitive_keys'): + sensitive_keys = self.getOption('sensitive_keys') + if self.getOption('sensitive_keys') is True: + #Handle --alloptions case which set this to True. + sensitive_keys = self.DEFAULT_SENSITIVE_KEYS + key_list = [x for x in sensitive_keys.split(':') if x] + for filename in self.copiedFiles: + if self.DB_PASS_FILES.match(filename['srcpath']): + for key in key_list: + self.doRegexSub( + filename['srcpath'], + r'{key}=(.*)'.format( + key=key, + ), + r'{key}=********'.format( + key=key, + ) + ) -- To view, visit http://gerrit.ovirt.org/23984 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I169d47db602584093210bc4795ff64abc22824fc Gerrit-PatchSet: 1 Gerrit-Project: ovirt-log-collector Gerrit-Branch: ovirt-log-collector-3.3 Gerrit-Owner: Sandro Bonazzola <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
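Review bot: In postproc the key name is interpolated into a regular expression unescaped, `r'{key}=(.*)'.format(key=key)`; the keys come from the sensitive_keys option, which the collector fills from the engine's SENSITIVE_KEYS config, so any regex metacharacter in a key name (a dot, for instance) would silently change what gets matched. Use `r'{key}=(.*)'.format(key=re.escape(key))` for the pattern and keep the plain key in the replacement string. The pattern is also unanchored, so a key that is a suffix of a longer key name masks both lines; that is harmless here but deserves a comment. Minor: PEP 8 spells the inline comment `# Handle --alloptions case which set this to True.` with a space after the hash.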
