Sandro Bonazzola has uploaded a new change for review. Change subject: sos: engine: don't collect db passwords ......................................................................
sos: engine: don't collect db passwords obfuscate db password in collected configs. avoid to collect legacy empty files. Change-Id: I169d47db602584093210bc4795ff64abc22824fc Bug-Url: https://bugzilla.redhat.com/1035826 Signed-off-by: Sandro Bonazzola <sbona...@redhat.com> --- M src/sos/plugins/engine.py 1 file changed, 23 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-log-collector refs/changes/08/22308/1 diff --git a/src/sos/plugins/engine.py b/src/sos/plugins/engine.py index 8e206c7..8b74ac9 100644 --- a/src/sos/plugins/engine.py +++ b/src/sos/plugins/engine.py @@ -1,4 +1,5 @@ import os +import re import signal import subprocess @@ -9,6 +10,18 @@ # Class name must be the same as file name and method names must not change class engine(sos.plugintools.PluginBase): """oVirt related information""" + + DB_PASS_FILES = re.compile( + flags=re.VERBOSE, + pattern=r""" + ^ + /etc/ + (rhevm|ovirt-engine)/ + engine.conf + (\.d/.+.conf)? + $ + """ + ) optionList = [ ( @@ -63,6 +76,8 @@ except OSError as e: self.soslog.error('Unable to send signal to %d' % pid, e) + self.addForbiddenPath('/etc/ovirt-engine/.pgpass') + self.addForbiddenPath('/etc/rhevm/.pgpass') # Copy engine config files. self.addCopySpec("/etc/ovirt-engine") self.addCopySpec("/etc/rhevm") 
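Review bot: `DB_PASS_FILES` is anchored with `$` and only selects `engine.conf` itself or paths under `engine.conf.d/` that end in `conf`, so a backup or package-manager copy in the same place (an `engine.conf.rpmsave`, or a dated copy inside `engine.conf.d/`) would not be redacted, while a later hunk still copies `/etc/ovirt-engine` and `/etc/rhevm` whole. Whether such files exist on a given host is not visible here, but the pattern fails open for them; loosening the tail to `engine\.conf.*` would cover them. The dots in `engine.conf` and `.+.conf` are also unescaped and match any character, so `engine\.conf` and `.+\.conf` would state the intent. The class body continues outside the hunk.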
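Review bot: The two `addForbiddenPath` calls placed before `# Copy engine config files.` exclude `.pgpass` by name, while the `addCopySpec` lines below still take both directories whole, so any other credential-bearing file that lands there is collected by default. A short comment would record the intent and the apparent ordering dependency, for example `# Never collect .pgpass; register before the directory copy specs below.` That the forbidden path must be registered first is inferred from the placement, not shown on this page. The enclosing method starts and ends outside the hunk.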
@@ -91,3 +106,11 @@
 r"Password.type=(.*)",
 r'Password.type=********'
 )
+
+ for filename in self.copiedFiles:
+ if self.DB_PASS_FILES.match(filename):
+ self.doRegexSub(
+ filename,
+ r'ENGINE_DB_PASSWORD=(.*)',
+ r'ENGINE_DB_PASSWORD=********'
+ )
--
To view, visit http://gerrit.ovirt.org/22308 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I169d47db602584093210bc4795ff64abc22824fc Gerrit-PatchSet: 1 Gerrit-Project: ovirt-log-collector Gerrit-Branch: master Gerrit-Owner: Sandro Bonazzola <sbona...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
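Review bot: The redaction loop passes each element of `self.copiedFiles` straight to `DB_PASS_FILES.match`, which only works if those elements are absolute source-path strings beginning with `/etc/`; that is not visible in this hunk. If they are records or destination paths inside the report tree, nothing is substituted (or `match` raises) and `ENGINE_DB_PASSWORD` stays in clear in the archive, so it is worth confirming against `PluginBase` and logging when no file matched. The substitution also covers only this one key; other `*_PASSWORD=` settings in the same files, if present, are left untouched, and a broader key pattern such as `r'(\w*PASSWORD)=(.*)'` with `r'\1=********'` would cover them, assuming `doRegexSub` hands the replacement to `re.sub`. The enclosing method begins outside the hunk.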