[ https://issues.apache.org/jira/browse/CLOUDSTACK-6252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13958739#comment-13958739 ]

Wilder Rodrigues commented on CLOUDSTACK-6252:
----------------------------------------------

Hi John,

I looked further into this issue and also went through the db.properties file 
and the installation guide. So far I have realised the following:

0. In the installation guide 
(http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/latest/installation.html?highlight=encryption#about-password-key-encryption) 
it's suggested that we don't have to do anything to get data encryption. There 
is a note, "These values are always automatically encrypted". However, we 
have to manually execute the script.
1. DB passwords will only be encrypted if the cloudstack-setup-databases script 
is executed.
2. The key db.cloud.encryption.type will only be present in db.properties 
if the cloudstack-setup-databases script is executed.
3. When the key db.cloud.encryption.type is not present or empty, the check() 
method in the EncryptionSecretKeyChecker simply returns (no exception thrown)
4. On the HostDetailsDaoImpl, the persist() method will not encrypt the 
password because the call to "value = DBEncryptionUtil.encrypt(value)" returns 
the plain password.

In my case, whilst testing the ACS 4.3 RC, I just followed the procedures for 
tests and did not execute the cloudstack-setup-databases script. That said, I 
understand that it's not entirely a bug. However, the step explained in the 
installation guide concerning encryption is really simple (e.g. just execute 
the script with a few parameters). Perhaps we could do it automatically and 
have data encryption enabled by default. So, if the administrator, for any 
reason, does not want encryption, (s)he should disable it.

What do you think?

Looking to hear from you.

Cheers,
Wilder
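
An audit for the condition described in points 2 to 4 of the comment above, as an added example that is not part of the original message and not CloudStack's own code: it checks whether `db.cloud.encryption.type` is set and, if it is not, flags secret-bearing `host_details` rows as stored in the clear. The helper names, the sample `db.properties` text and the `file` value are constructed for illustration; the rows mirror the query output quoted in the issue.

```python
# Added example (not CloudStack code). Helper names and sample inputs are
# constructed; only the property key and table columns come from the issue.
ENCRYPTION_KEY = "db.cloud.encryption.type"
SENSITIVE_NAMES = {"password"}  # host_details names treated as secrets

def parse_properties(text):
    """Parse Java-style 'key=value' / 'key: value' lines, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def encryption_configured(props):
    """True only when the key is present and non-empty (points 2 and 3)."""
    return bool(props.get(ENCRYPTION_KEY, "").strip())

def audit(properties_text, host_details_rows):
    """Return findings; an empty list means the encryption key is set."""
    if encryption_configured(parse_properties(properties_text)):
        return []
    findings = [f"{ENCRYPTION_KEY} missing or empty: values are persisted unencrypted"]
    for row in host_details_rows:
        if row["name"] in SENSITIVE_NAMES and row["value"]:
            # Report the row, never the secret itself.
            findings.append(f"host_details id={row['id']} host_id={row['host_id']}: "
                            f"'{row['name']}' stored in the clear")
    return findings

# Constructed db.properties where cloudstack-setup-databases was never run.
UNCONFIGURED = "# constructed sample\ndb.cloud.username=cloud\n"
# Constructed counterpart with the key set ("file" is a sample value).
CONFIGURED = UNCONFIGURED + "db.cloud.encryption.type=file\n"
# Rows 8-10 of the host_details output quoted in the issue.
ROWS = [
    {"id": 8, "host_id": 1, "name": "password", "value": "changeme"},
    {"id": 9, "host_id": 1, "name": "url", "value": "10.1.1.203"},
    {"id": 10, "host_id": 1, "name": "username", "value": "root"},
]

if __name__ == "__main__":
    for finding in audit(UNCONFIGURED, ROWS):
        print(finding)
```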

> Host password is stored in the database in the clear
> ----------------------------------------------------
>
>                 Key: CLOUDSTACK-6252
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6252
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Management Server
>    Affects Versions: Future
>         Environment: Management Server running on Debian 7
> DevCloud running on XenServer 6.2
>            Reporter: Wilder Rodrigues
>            Assignee: Wilder Rodrigues
>
> Via the Management Server UI, when creating an advanced Zone and adding a 
> host to it, the host password is stored in the database in the clear.
> All passwords should be encrypted before being stored.
> Check details below:
> mysql> select * from host_details;
> +----+---------+----------------------------------------------------+----------------------------------------+
> | id | host_id | name                                               | value                                  |
> +----+---------+----------------------------------------------------+----------------------------------------+
> |  1 |       1 | product_version                                    | 6.2.0                                  |
> |  2 |       1 | com.cloud.network.Networks.RouterPrivateIpStrategy | DcGlobal                               |
> |  3 |       1 | private.network.device                             | Pool-wide network associated with eth0 |
> |  4 |       1 | Hypervisor.Version                                 | 4.1.5                                  |
> |  5 |       1 | Host.OS                                            | XenServer                              |
> |  6 |       1 | Host.OS.Kernel.Version                             | 2.6.32.43-0.4.1.xs1.8.0.835.170778xen  |
> |  7 |       1 | wait                                               | 600                                    |
> |  8 |       1 | password                                           | changeme                               |
> |  9 |       1 | url                                                | 10.1.1.203                             |
> | 10 |       1 | username                                           | root                                   |
> | 11 |       1 | xs620_snapshot_hotfix                              | false                                  |
> | 12 |       1 | product_brand                                      | XenServer                              |
> | 13 |       1 | product_version_text_short                         | 6.2                                    |
> | 14 |       1 | Host.OS.Version                                    | 6.2.0                                  |
> | 15 |       1 | instance.name                                      | VM                                     |
> +----+---------+----------------------------------------------------+----------------------------------------+



--
This message was sent by Atlassian JIRA
(v6.2#6252)