[one-users] auth - stop showing clear password on the logs

Ruben S. Montero rsmontero at opennebula.org
Fri May 11 14:41:39 PDT 2012


Hi

Thanks for the feedback! Some comments inlined...

> You're right: configuring  DEBUG_LEVEL to 0 stopped that behavior (showing
> clear password on the logs)
>
> a few issues more:
>
> ---------
> 1- one_auth_mad.rb didn't deal well with passwords (secret) with special
> characters like "$" or "&". Surrounding the "secret" variable with the (')
> character seems to fix that. The code line now looks like this:
>

There is a patch for this, you can take a look at the commit at:

http://dev.opennebula.org/issues/1252

We are testing this one, so any feedback would be great ;)

> ---------
> 2- In case of a wrong (LDAP) password, Sunstone gives the following error
> message:

Totally agree, a more descriptive message should be given to the user.
I've already filed a bug for this one:

http://dev.opennebula.org/issues/1274


>
> ---------
> 3- I would like to set  the DEBUG_LEVEL to 3 again but really don't want
> passwords going to the logs. Is this possible? Where should I tune the
> system? one_auth_mad.rb? The "run" shell command method, filtering out the
> problematic cases? Where can I find the "run" method?

The following takes care of the execution of the command, and outputs
stdout/stderr from the command:

rc = LocalCommand.run(command, log_method(request_id))

Could you try to use

rc = LocalCommand.run(command, nil)

I've not tested this one, but it may work ;)


Cheers

Ruben


>
> Cheers,
> João
>
>
> On Fri, 11 May 2012 00:05:34 +0200, Ruben S. Montero wrote:
>>
>> Hi
>>
>> You may try to change the "verbosity" of the DEBUG messages in
>> oned.conf.  DEBUG_LEVEL=0 will only output ERROR messages (those
>> labeled with [E]). Once you have deployed and tuned the infrastructure
>> it may be a good idea to decrease the debug messages to ERROR/WARNING
>> level.
>>
>> Cheers
>>
>> Ruben
>>
>> On Thu, May 10, 2012 at 8:50 PM, João Pagaime <jpsp at fccn.pt> wrote:
>>>
>>> Hello all
>>>
>>> could somebody show where to change open-nebula for it to stop showing
>>> clear
>>> text passwords?
>>>
>>> probably somewhere on the code...
>>>
>>> it is showing clear text passwords for some cases of Sunstone LDAP auth
>>> errors (as shown below)
>>>
>>> --------------
>>> Thu May 10 19:20:02 2012 [ReM][D]: UserInfo method invoked
>>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 Command
>>> execution f
>>> ail: /var/lib/one/remotes/auth/default/authenticate 'USER' '-' PASSWORD
>>>
>>> Thu May 10 19:20:02 2012 [AuM][I]: Command execution fail:
>>> /var/lib/one/remotes/auth/default/authenticate 'USER' '-' PASSWORD
>>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 User USER
>>> not
>>> found
>>>
>>> Thu May 10 19:20:02 2012 [AuM][I]: User USER not found
>>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 ExitCode:
>>> 255
>>>
>>> Thu May 10 19:20:02 2012 [AuM][I]: ExitCode: 255
>>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: AUTHENTICATE FAILURE
>>> 2
>>> -
>>>
>>> Thu May 10 19:20:02 2012 [AuM][E]: Auth Error:
>>> Thu May 10 19:20:02 2012 [ReM][E]: [UserInfo] User couldn't be
>>> authenticated, aborting call.
>>> ----------------------
>>>
>>> maybe it would be a good idea to ship the production versions without
>>> this
>>> behavior
>>>
>>> cheers
>>> João
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
> --
> João Pagaime
> FCCN - Área de Infra-estruturas Aplicacionais
> Av. do Brasil, n.º 101 - Lisboa
> Telef. +351 218440100  Fax +351 218472167
> www.fccn.pt
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
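Added example, not code from this thread or from OpenNebula: a small Ruby wrapper showing the two defensive points raised above, quoting each argument with Shellwords.escape so a secret containing "$" or "&" is passed to the driver literally, and redacting configured secrets from the command line and from captured output before anything reaches a log. The names build_command, redact_secrets and run_redacted are hypothetical and are not OpenNebula's LocalCommand API; in the sample run, echo stands in for the authenticate driver and the password is a constructed value.

```ruby
# Added example (not OpenNebula code): log a driver command with secrets
# redacted, and quote arguments so "$" or "&" in a password do not break
# the shell command. build_command, redact_secrets and run_redacted are
# hypothetical names, not OpenNebula's LocalCommand API.
require 'shellwords'
require 'open3'

REDACTED = '****'

# Build a shell-safe command line from an argument list. Shellwords.escape
# quotes every argument, so a secret containing $, &, ' or spaces reaches
# the child process literally instead of being interpreted by the shell.
def build_command(args)
  args.map { |a| Shellwords.escape(a.to_s) }.join(' ')
end

# Replace every occurrence of each secret, both in raw form and in the
# shell-escaped form that appears in the command line, with a marker.
def redact_secrets(text, secrets)
  secrets.compact.reject(&:empty?).reduce(text) do |out, secret|
    [secret, Shellwords.escape(secret)].uniq.reduce(out) do |o, s|
      o.gsub(s, REDACTED)   # String pattern: matched literally, not as a regexp
    end
  end
end

# Run a command; only redacted text is handed to the logger (a callable),
# while the raw stdout/stderr are returned so the caller can still use them.
# Returns [exit_status, stdout, stderr].
def run_redacted(args, secrets, logger = nil)
  command = build_command(args)
  logger.call(redact_secrets(command, secrets)) if logger
  stdout, stderr, status = Open3.capture3(command)
  unless status.success?
    logger.call("Command execution fail: #{redact_secrets(command, secrets)}") if logger
    logger.call(redact_secrets(stderr, secrets)) if logger && !stderr.empty?
  end
  [status.exitstatus, stdout, stderr]
end

if __FILE__ == $0
  # Constructed sample: echo stands in for the authenticate driver and
  # 'p$ss&w0rd' is a made-up password with shell metacharacters.
  lines = []
  log = ->(msg) { lines << msg }
  rc, out, _err = run_redacted(['echo', 'USER', '-', 'p$ss&w0rd'], ['p$ss&w0rd'], log)
  puts lines                       # the logged line shows **** instead of the password
  puts "exit=#{rc} stdout=#{out.inspect}"   # stdout still carries the literal value
end
```

With DEBUG_LEVEL left at 3, this keeps the useful driver output in the log while the secret itself never appears there; passing the raw command line to a logger, as the driver in the log excerpt above does, is what exposes the password.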