Alon Bar-Lev has uploaded a new change for review. Change subject: db: drop the obfuscation of database password ......................................................................
db: drop the obfuscation of database password full up the /etc/ovirt-engine/engine.conf.d/10-setup-database.conf with all database parameters as distinct parameters, to ease future read. Change-Id: I1da760e32ddef238324fe9889c1675de518d0c64 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=958532 Signed-off-by: Alon Bar-Lev <[email protected]> --- M Makefile M backend/manager/tools/src/main/java/org/ovirt/engine/core/tools/common/db/StandaloneDataSource.java M ovirt-engine.spec.in D packaging/bin/engine-encrypt-passwd.sh M packaging/fedora/setup/common_utils.py M packaging/fedora/setup/engine-setup.py M packaging/fedora/setup/engine-upgrade.py M packaging/services/ovirt-engine.py M packaging/services/ovirt-engine.xml.in 9 files changed, 71 insertions(+), 107 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/68/14568/1 diff --git a/Makefile b/Makefile index 0539b13..d604d72 100644 --- a/Makefile +++ b/Makefile @@ -378,9 +378,6 @@ install -m 750 packaging/bin/engine-manage-domains.sh $(DESTDIR)$(DATA_DIR)/bin ln -sf $(DATA_DIR)/bin/engine-manage-domains.sh $(DESTDIR)$(BIN_DIR)/engine-manage-domains - # Script to encrypt passwords: - install -m 750 packaging/bin/engine-encrypt-passwd.sh $(DESTDIR)$(DATA_DIR)/bin - # Install man pages install -m 644 packaging/man/engine-manage-domains.8 $(DESTDIR)$(MAN_DIR)/man8/ diff --git a/backend/manager/tools/src/main/java/org/ovirt/engine/core/tools/common/db/StandaloneDataSource.java b/backend/manager/tools/src/main/java/org/ovirt/engine/core/tools/common/db/StandaloneDataSource.java index 83f8146..2ae6549 100644 --- a/backend/manager/tools/src/main/java/org/ovirt/engine/core/tools/common/db/StandaloneDataSource.java +++ b/backend/manager/tools/src/main/java/org/ovirt/engine/core/tools/common/db/StandaloneDataSource.java 
@@ -48,12 +48,6 @@ user = config.getProperty(ENGINE_DB_USER); password = config.getProperty(ENGINE_DB_PASSWORD); - // The password is encrypted inside the file, so we need to decrypt it here: - password = EncryptionUtils.decode(password, "", ""); - if (password == null) { - throw new SQLException("Failed to decrypt password from parameter \"" + ENGINE_DB_PASSWORD + "\"."); - } - // Load the driver: try { Class.forName(driver); diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in index 490dbe4..11bfb7d 100644 --- a/ovirt-engine.spec.in +++ b/ovirt-engine.spec.in @@ -718,7 +718,6 @@ # Scripts: %{engine_data}/bin/engine-config.sh -%{engine_data}/bin/engine-encrypt-passwd.sh %{engine_data}/bin/engine-manage-domains.sh %{engine_data}/bin/engine-prolog.sh diff --git a/packaging/bin/engine-encrypt-passwd.sh b/packaging/bin/engine-encrypt-passwd.sh deleted file mode 100755 index 6397126..0000000 --- a/packaging/bin/engine-encrypt-passwd.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh - -JBOSS_HOME="${JBOSS_HOME:-/usr/share/jboss-as}" -export CLASSPATH="" -export JAVA_MODULEPATH="${JBOSS_HOME}/modules" - -# Load the prolog, not during installation -[ -z "${ENGINE_CONFIG_IGNORE}" ] && \ - . "$(dirname "$(readlink -f "$0")")"/engine-prolog.sh - -die () { - printf >&2 "$@" - exit 1 -} - -usage () { - printf "engine-encrypt-passwd.sh - Generate a an encrypted password from the plain-text password given.\n" - printf "Usage: \n" - printf "engine-encrypt-passwd.sh [Plain-Text-Password]\n" - printf "Where:\n" - printf "Plain-Text-Password = The password to encrypt in plain text.\n" - return 0 -} - -if [ ! "$#" -eq 1 ]; then - usage - die "Error: wrong argument number: $#.\n" -fi - -exec "${JAVA_HOME}/bin/java" \ - -Djboss.modules.write-indexes=false \ - -jar "${JBOSS_HOME}/jboss-modules.jar" \ - -dependencies org.picketbox \ - -class org.picketbox.datasource.security.SecureIdentityLoginModule \ - "$@" 
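Review bot: Removing the decode block also removes the only null check on the database password in this path: `password = config.getProperty(ENGINE_DB_PASSWORD)` now passes a missing property through as null to the driver instead of failing with a clear SQLException. Keep a guard, `if (password == null) { throw new SQLException("Missing parameter \"" + ENGINE_DB_PASSWORD + "\"."); }`, so a mis-generated config is reported at startup rather than surfacing later as an authentication failure. With decryption gone, the mode of the config file written by the setup and upgrade scripts is the only thing protecting the now clear-text value, which is worth a one-line comment where it is read. The enclosing method starts and ends outside the hunk, and if EncryptionUtils is not referenced elsewhere in the class its import is now unused (not visible here).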
diff --git a/packaging/fedora/setup/common_utils.py b/packaging/fedora/setup/common_utils.py
index 51ca5a0..b51807c 100755
--- a/packaging/fedora/setup/common_utils.py
+++ b/packaging/fedora/setup/common_utils.py
@@ -1265,39 +1265,18 @@ chownToEngine(basedefs.FILE_ENGINE_CONF_PKI) os.chmod(basedefs.FILE_ENGINE_CONF_PKI, 0o640) -def encryptEngineDBPass(password, maskList): - """ - Encryptes the jboss postgres db password - and store it in conf - """ - #run encrypt tool on user give password - if (os.path.exists(basedefs.EXEC_ENCRYPT_PASS)): - cmd = [ - basedefs.EXEC_ENCRYPT_PASS, password, - ] - - # The encrypt tool needs the jboss home env set - # Since we cant use the bash way, we need to set it as environ - os.environ["JBOSS_HOME"] = basedefs.DIR_ENGINE - output, rc = execCmd(cmdList=cmd, failOnError=True, msg=output_messages.ERR_EXP_ENCRYPT_PASS, maskList=maskList) - - #parse the encrypted password from the tool - return parseStrRegex(output, "Encoded password:\s*(.+)", output_messages.ERR_EXP_PARSING_ENCRYPT_PASS) - else: - raise Exception(output_messages.ERR_ENCRYPT_TOOL_NOT_FOUND) - -def editEngineSysconfigDatabase(dbUrl, password): - """ - Push the encrypted password into the local configuration file. - """ - logging.debug("Encrypting database password.") +def editEngineSysconfigDatabase(dbUrl, host, ssl, database, port, user, password): handler = TextConfigFileHandler(basedefs.FILE_ENGINE_CONF_DATABASE, readExisting=False) handler.open() - handler.editParam("ENGINE_DB_USER", getDbUser()) + handler.editParam("ENGINE_DB_HOST", host) + handler.editParam("ENGINE_DB_PORT", port) + handler.editParam("ENGINE_DB_DATABASE", database) + handler.editParam("ENGINE_DB_USER", user) handler.editParam("ENGINE_DB_PASSWORD", password) handler.editParam("ENGINE_DB_DRIVER", "org.postgresql.Driver") + handler.editParam("ENGINE_DB_SECURED", ssl) + handler.editParam("ENGINE_DB_SECURED_VALIDATION", False) handler.editParam("ENGINE_DB_URL", dbUrl) - handler.close() chownToEngine(basedefs.FILE_ENGINE_CONF_DATABASE) diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py index 332d502..6071116 100755 --- a/packaging/fedora/setup/engine-setup.py 
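Review bot: `editEngineSysconfigDatabase` loses its docstring in this hunk and gains host, ssl, database, port and user parameters with no description, at the very point where it starts writing the password in clear; suggested replacement: `"""Write the database connection settings, including the clear-text password, to FILE_ENGINE_CONF_DATABASE; ssl is a bool and certificate validation is always written as False."""`. `ssl` and the literal `False` are Python bools handed to `editParam`, so whether the file ends up with `True`/`False` in the spelling the Cheetah template and StandaloneDataSource expect depends on TextConfigFileHandler and is not visible here — worth confirming. Writing `ENGINE_DB_SECURED_VALIDATION` as a hard-coded False (consistent with the NonValidatingFactory in the URL) means an SSL connection never verifies the server certificate; a comment saying so on that line keeps the next maintainer from reading it as a tunable. The function's final chmod, if any, is outside the hunk.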
+++ b/packaging/fedora/setup/engine-setup.py @@ -131,7 +131,7 @@ 'condition' : [_isDbAlreadyInstalled], 'condition_match' : [True], 'steps' : [ { 'title' : output_messages.INFO_SET_DB_SECURITY, - 'functions' : [_encryptDBPass, _editSysconfigDatabase] }, + 'functions' : [_editSysconfigDatabase] }, { 'title' : output_messages.INFO_UPGRADE_DB, 'functions' : [stopRhevmDbRelatedServices, _upgradeDB, _setApplicationMode, startRhevmDbRelatedServices]} ] }, @@ -139,7 +139,7 @@ 'condition' : [_isDbAlreadyInstalled], 'condition_match' : [False], 'steps' : [ { 'title' : output_messages.INFO_SET_DB_SECURITY, - 'functions' : [_encryptDBPass, _editSysconfigDatabase]}, + 'functions' : [_editSysconfigDatabase]}, { 'title' : output_messages.INFO_CREATE_DB, 'functions' : [_createDB, _updateVDCOptions, _setApplicationMode]}, { 'title' : output_messages.INFO_UPD_DC_TYPE, @@ -1465,15 +1465,6 @@ return pgData -def _encryptDBPass(): - """ - Encryptes the postgres db password - and store it in conf - """ - #run encrypt tool on user given password - controller.CONF["ENCRYPTED_DB_PASS"] = utils.encryptEngineDBPass(password=controller.CONF["DB_PASS"], - maskList=masked_value_set) - def _verifyUserPermissions(): username = pwd.getpwuid(os.getuid())[0] if os.geteuid() != 0: 
@@ -2136,11 +2127,13 @@ Push the encrypted password into the local configuration file. """ try: - dbUrl = "jdbc:postgresql://" + getDbHostName() + ":" + getDbPort() + "/" + basedefs.DB_NAME - if "DB_SECURE_CONNECTION" in controller.CONF.keys() and controller.CONF["DB_SECURE_CONNECTION"] == "yes": - dbUrl = dbUrl + "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory" + dbUrl = "jdbc:postgresql://${ENGINE_DB_HOST}:${ENGINE_DB_PORT}/${ENGINE_DB_DATABASE}" + if controller.CONF.get("DB_SECURE_CONNECTION", None) == "yes": + dbUrl += "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory" - utils.editEngineSysconfigDatabase(dbUrl=dbUrl, password=controller.CONF["ENCRYPTED_DB_PASS"]) + utils.editEngineSysconfigDatabase(dbUrl=dbUrl, host=getDbHostName(), port=getDbPort(), + database=basedefs.DB_NAME, ssl=controller.CONF.get("DB_SECURE_CONNECTION", None) == "yes", + user=utils.getDbUser(), password=controller.CONF["DB_PASS"]) except: logging.error("ERROR Editing engine local configuration file.") logging.error(traceback.format_exc()) diff --git a/packaging/fedora/setup/engine-upgrade.py b/packaging/fedora/setup/engine-upgrade.py index 1144683..cbdd7a1 100755 --- a/packaging/fedora/setup/engine-upgrade.py +++ b/packaging/fedora/setup/engine-upgrade.py @@ -4,6 +4,7 @@ import sys import os import signal +import glob import shutil import logging import traceback 
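Review bot: The docstring context line `Push the encrypted password into the local configuration file.` is now wrong, since `_editSysconfigDatabase` passes `controller.CONF["DB_PASS"]` straight through; change it to `Push the database connection parameters and the clear-text password into the local configuration file.`. The new `dbUrl` keeps `${ENGINE_DB_HOST}`-style placeholders, so it is only usable by readers that expand them: the Cheetah template presumably does, but StandaloneDataSource.java in this same change reads its values with `config.getProperty`, and whether that performs the substitution is not visible here. The secure-connection test is evaluated twice; bind it once, `secure = controller.CONF.get("DB_SECURE_CONNECTION") == "yes"`, and reuse it for both the URL suffix and the `ssl=` argument. The function's `def` and the bare `except:` that wraps this block are outside the hunk.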
@@ -1167,6 +1168,54 @@ ) +def updateDatabaseConf(): + """ + assume the password in .pgpass was correct + just replace all ENGINE_DB_PASSWORD to that password + """ + for config in ( + [basedefs.FILE_ENGINE_CONF] + + glob.glob(os.path.join(basedefs.DIR_ENGINE_CONF, "*.conf")) + ): + if os.path.exists(config): + handler = utils.TextConfigFileHandler(config) + handler.open() + if handler.getParam("ENGINE_DB_PASSWORD") is not None: + handler.editParam( + "ENGINE_DB_PASSWORD", + '"%s"' % utils.getDbPassword(SERVER_ADMIN) + ) + if handler.getParam("ENGINE_DB_SECURED") is None: + handler.editParam( + "ENGINE_DB_SECURED", + "%s" % 'ssl=true' in handler.getParam("ENGINE_DB_URL") + ) + if handler.getParam("ENGINE_DB_SECURED_VALIDATION") is None: + handler.editParam( + "ENGINE_DB_SECURED_VALIDATION", + False, + ) + if handler.getParam("ENGINE_DB_HOST") is None: + handler.editParam( + "ENGINE_DB_HOST", + SERVER_NAME, + ) + if handler.getParam("ENGINE_DB_PORT") is None: + handler.editParam( + "ENGINE_DB_PORT", + SERVER_PORT, + ) + if handler.getParam("ENGINE_DB_DATABASE") is None: + handler.editParam( + "ENGINE_DB_DATABASE", + basedefs.DB_NAME, + ) + + handler.close() + utils.chownToEngine(config) + os.chmod(config, 0o640) + + def main(options): # BEGIN: PROCESS-INITIALIZATION miniyumsink = utils.MiniYumSink() @@ -1209,7 +1258,7 @@ stopEngineService = [stopEngine] startEngineService = [startEngine] preupgradeFunc = [preupgradeUUIDCheck] - upgradeFunc = [rhyum.update, generateEngineConf, setupVarPrivileges, + upgradeFunc = [rhyum.update, updateDatabaseConf, generateEngineConf, setupVarPrivileges, updateHttpdConf, utils.editEngineSysconfigPKI, ] postFunc = [modifyUUIDs, ca.commit, runPost, deleteEngineSysconfig] diff --git a/packaging/services/ovirt-engine.py b/packaging/services/ovirt-engine.py index 4fc72d2..d8a4441 100755 --- a/packaging/services/ovirt-engine.py +++ b/packaging/services/ovirt-engine.py 
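Review bot: In `updateDatabaseConf` the expression `"%s" % 'ssl=true' in handler.getParam("ENGINE_DB_URL")` parses as `("%s" % 'ssl=true') in ...` because `%` binds tighter than `in`, so the format is a no-op and, for a config file that has no ENGINE_DB_URL (a None return is exactly what the neighbouring checks assume getParam can give), the membership test raises TypeError; `'ssl=true' in (handler.getParam("ENGINE_DB_URL") or "")` is what appears to be intended. The password is written as `'"%s"' % utils.getDbPassword(SERVER_ADMIN)`, wrapped in double quotes with no escaping, while `editEngineSysconfigDatabase` in common_utils.py writes the same key bare; whichever form TextConfigFileHandler and the Java/Cheetah readers expect, the two writers should agree, and a password containing `"` or `\` needs escaping. The loop visits every `*.conf` in DIR_ENGINE_CONF and the indentation lost in this listing leaves it unclear whether the host/port/database writes are nested under the password check or run for every file; if the latter, connection parameters are sprayed into unrelated config files. Finally the file is rewritten by `handler.close()` before `os.chmod(config, 0o640)`, so unless the handler preserves the existing mode the clear-text password briefly sits in a file at the umask default.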
@@ -34,12 +34,14 @@ def __init__(self): super(Daemon, self).__init__() - def _processTemplate(self, template, dir): + def _processTemplate(self, template, dir, mode=None): out = os.path.join( dir, re.sub('\.in$', '', os.path.basename(template)), ) with open(out, 'w') as f: + if mode is not None: + os.chmod(out, mode) f.write(str(Template(file=template, searchList=[self._config]))) return out @@ -285,6 +287,7 @@ 'ovirt-engine.xml.in', ), dir=self._config.getString('ENGINE_TMP'), + mode=0o600, ) jbossModulesTmpDir = self._linkModules( diff --git a/packaging/services/ovirt-engine.xml.in b/packaging/services/ovirt-engine.xml.in index 6d02750..eb39d2d 100644 --- a/packaging/services/ovirt-engine.xml.in +++ b/packaging/services/ovirt-engine.xml.in @@ -113,11 +113,8 @@ <prefill>true</prefill> </pool> <security> - #if $getString('ENGINE_DB_PASSWORD') - <security-domain>EncryptDBPassword</security-domain> - #else - <user-name><![CDATA[$getString('ENGINE_DB_USER')]]></user-name> - #end if + <user-name><![CDATA[$getString('ENGINE_DB_USER')]]></user-name> + <password><![CDATA[$getString('ENGINE_DB_PASSWORD')]]></password> </security> <statement> <prepared-statement-cache-size>100</prepared-statement-cache-size> 
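Review bot: The new `mode` handling in `_processTemplate` chmods only after `open(out, 'w')` has already created the file, so the rendered ovirt-engine.xml — which the other hunk in this file now asks to be 0o600 because it carries the clear-text DB password — exists at the umask default until the chmod runs, and a stale file from an earlier run keeps its old mode for that window too. Creating the file through `os.open` with the requested mode and applying `os.fchmod` on the descriptor closes both gaps; the rewrite below replaces the `with open(...)` block. The mode of the ENGINE_TMP directory itself also matters for this file and is not visible here.
```python
    def _processTemplate(self, template, dir, mode=None):
        # … unchanged: out = os.path.join(...) …
        # Create with the final mode instead of chmod-ing after open():
        # open(out, 'w') would first create the file at the umask default,
        # and a pre-existing file would keep its old mode until the chmod.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        fd = os.open(out, flags, 0o666 if mode is None else mode)
        with os.fdopen(fd, 'w') as f:
            if mode is not None:
                os.fchmod(fd, mode)
            f.write(str(Template(file=template, searchList=[self._config])))
        return out
```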
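Review bot: `<password><![CDATA[$getString('ENGINE_DB_PASSWORD')]]></password>` cannot carry a password containing the sequence `]]>`: CDATA has no escape for it, so such a value terminates the section early and leaves the datasource element unparsable, and the same applies to the `<user-name>` line above it. Since the password is now substituted verbatim into ovirt-engine.xml, either reject `]]>` when setup/upgrade collect the password or render the value with XML entity escaping instead of CDATA. Dropping the `#if $getString('ENGINE_DB_PASSWORD')` branch also removes the password-less case: with an empty ENGINE_DB_PASSWORD the template now emits an empty `<password>` element rather than only `<user-name>`, which may change how the datasource authenticates for deployments that relied on that (inferred; the consumer's behaviour is not in the hunk).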
@@ -245,18 +242,6 @@ <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"/> </authentication> </security-domain> - - #if $getString('ENGINE_DB_PASSWORD') - <security-domain name="EncryptDBPassword"> - <authentication> - <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required"> - <module-option name="username" value="$getString('ENGINE_DB_USER')"/> - <module-option name="password" value="$getString('ENGINE_DB_PASSWORD')"/> - <module-option name="managedConnectionFactoryName" value="jboss.jca:name=ENGINEDataSource,service=LocalTxCM"/> - </login-module> - </authentication> - </security-domain> - #end if </security-domains> </subsystem> -- To view, visit http://gerrit.ovirt.org/14568 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1da760e32ddef238324fe9889c1675de518d0c64 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
