----- Original Message -----
> From: "Alon Bar-Lev" <alo...@redhat.com>
> To: "Eli Mesika" <emes...@redhat.com>
> Cc: "Keith Robertson" <krobe...@redhat.com>, "Juan Hernandez" <jhern...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmato...@redhat.com>
> Sent: Sunday, May 5, 2013 10:17:28 AM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
> ----- Original Message -----
> > From: "Eli Mesika" <emes...@redhat.com>
> > To: "Keith Robertson" <krobe...@redhat.com>, "Alon Bar-Lev" <alo...@redhat.com>, "Juan Hernandez" <jhern...@redhat.com>
> > Cc: "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmato...@redhat.com>
> > Sent: Sunday, May 5, 2013 10:13:59 AM
> > Subject: Re: [Engine-devel] Dropping encryption of database password
> >
> > ----- Original Message -----
> > > From: "Alon Bar-Lev" <alo...@redhat.com>
> > > To: "Keith Robertson" <krobe...@redhat.com>
> > > Cc: "Juan Hernandez" <jhern...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmato...@redhat.com>
> > > Sent: Wednesday, May 1, 2013 9:40:13 PM
> > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > >
> > > ----- Original Message -----
> > > > From: "Keith Robertson" <krobe...@redhat.com>
> > > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > > Cc: "Josh Bressers" <bress...@redhat.com>, "Juan Hernandez" <jhern...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmato...@redhat.com>, "Sandro Bonazzola" <sbona...@redhat.com>
> > > > Sent: Wednesday, May 1, 2013 9:31:15 PM
> > > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > > >
> > > > On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:
> > > > > Thank you.
> > > > > This is what I wrote in my initial post.
> > > > > The only users who should access this password are ovirt user and root user.
> > > > >
> > > > > Regards,
> > > > > Alon Bar-Lev.
> > > > >
> > > > Alon,
> > > > I agree with the desire to store the PW in plaintext and in a non-obfuscated manner. In this case, obfuscation really doesn't gain anything.
> > > >
> > > > I would suggest, however, that the migration to plaintext be coordinated with a simultaneous patch to the Log Collector. It does have a dependency on the current architecture.
> > > >
> > > > Keith
> > > >
> > >
> > > Hi,
> > >
> > > As far as I know it reads the plain text from .pgpass, we need to modify it to search within the alternate format as well.
> >
> > We are using the original .pgpass file that is in 0600 mode (have access only to root)
> > If the file does not have this mode, it is ignored by Postgres
> > I see no security issue in that ...
> >
> > Please see details in
> > http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
>
> I am going to drop the .pgpass file in favor of other configuration file and produce .pgpass at will.
> This is because:
> 1. The proprietary format of .pgpass is not friendly to parsing.
> 2. It does not hold the SSL setting.
> 3. It does not hold the SSL host validation setting.
> 4. It will be more difficult to modify user password.
>
> This file is also 0600 owned by engine but in key=value format, so no change as far as security is concerned.

That's OK from my point ....

>
> Thanks!
> Alon.
>
> >
> > >
> > > Thanks,
> > > Alon
> > > _______________________________________________
> > > Engine-devel mailing list
> > > Engine-devel@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > >

_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
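
The approach discussed in this thread (a 0600 key=value file as the source of truth, with .pgpass produced from it on demand) can be sketched as follows. This is an added example, not code from the thread or from oVirt; the key names (`DB_HOST` and so on) and function names are assumptions. The permission test and the escaping of `:` and `\` follow the libpq .pgpass documentation linked above.

```python
import os
import stat

# Hypothetical key names; the thread does not say what the real file uses.
FIELDS = ("DB_HOST", "DB_PORT", "DB_NAME", "DB_USER", "DB_PASSWORD")


def is_private(path):
    """True when group and others have no access bits set (what libpq requires)."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_settings(path):
    """Parse key=value lines, refusing a file that group or others can access."""
    if not is_private(path):
        raise PermissionError(f"{path}: group/other access bits are set")
    settings = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Split on the first '=' only, so a password may contain '='.
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not key=value: {line!r}")
            settings[key.strip()] = value.strip()
    return settings


def pgpass_line(settings):
    """Build host:port:database:user:password with backslash and colon escaped."""
    def esc(field):
        return field.replace("\\", "\\\\").replace(":", "\\:")
    return ":".join(esc(settings[key]) for key in FIELDS)


def write_pgpass(settings, path):
    """Write the generated file so it is 0600 before any secret is in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fh.fileno(), 0o600)  # tighten a pre-existing, truncated file too
        fh.write(pgpass_line(settings) + "\n")
```
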