packaging: setup: Filter from logs secrets from otopi answer files #585
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Sorry, not ready yet. |
didib
force-pushed
the
filter-otopi-answer-file-secrets
branch
2 times, most recently
from
cb139ac
to
a0ff8b4
Compare
didib
requested review from
ahadas,
bennyz,
emesika,
michalskrivanek,
oliel,
sgratch,
smelamud and
ljelinkova
as code owners
didib
force-pushed
the
filter-otopi-answer-file-secrets
branch
2 times, most recently
from
8dd3446
to
8ebd1dd
Compare
didib
added a commit
to didib/ovirt-engine-keycloak
that referenced
this pull request
Aug 11, 2022
didib
added a commit
to didib/ovirt-dwh
that referenced
this pull request
Aug 11, 2022
For details, see oVirt/ovirt-engine#585 . Change-Id: Ided28013bc854474dc18ec4dfd4e20884945f86c Signed-off-by: Yedidyah Bar David <didi@redhat.com>
didib
force-pushed
the
filter-otopi-answer-file-secrets
branch
from
8ebd1dd
to
5bb6c78
Compare
didib
added a commit
to didib/ovirt-engine-keycloak
that referenced
this pull request
Aug 24, 2022
When running engine-setup with an answer file generated by a previous interactive engine-setup, without this patch, we log some secrets unfiltered. Fix this: - Require a new otopi that provides LOG_FILTER_QUESTIONS. - Conflict with older dwh/keycloak that are incompatible with the changes in getCredentials (see below). - Add an attribute 'asked_on' for constants. If a constant is_secret, require setting asked_on, to a list of question names that might change/set it. - Add a field CREDS_Q_NAME_FUNC to the various *DB_ENV_KEYS. This field should point at a function that should return the question name for a particular field. - Change getCredentials to not get a parameter queryprefix for constructing the question names, instead relying on CREDS_Q_NAME_FUNC. - Add functions *question_name for both passing as CREDS_Q_NAME_FUNC and for asked_on. - And finally: Patch filter_secrets.py to also loop over all the constants that set is_secret, and add their asked_on to env[LOG_FILTER_QUESTIONS]. This makes otopi filter out all the answers provided for these questions in answer files. Change-Id: Ibaca2a03f2020750f96ae30a3448ea2ad17fe43c Signed-off-by: Yedidyah Bar David <didi@redhat.com>
didib
force-pushed
the
filter-otopi-answer-file-secrets
branch
from
5bb6c78
to
cb4f5c7
Compare
|
Conflict with older dwh/keycloak that are incompatible with current patch's getCredentials. |
didib
added a commit
to didib/ovirt-engine-keycloak
that referenced
this pull request
Aug 24, 2022
mwperina
pushed a commit
to oVirt/ovirt-dwh
that referenced
this pull request
Aug 24, 2022
For details, see oVirt/ovirt-engine#585 . Change-Id: Ided28013bc854474dc18ec4dfd4e20884945f86c Signed-off-by: Yedidyah Bar David <didi@redhat.com>
mwperina
pushed a commit
to oVirt/ovirt-engine-keycloak
that referenced
this pull request
Aug 24, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When running engine-setup with an answer file generated by a previous
interactive engine-setup, without this patch, we log some secrets
unfiltered. Fix this:
Require a new otopi that provides LOG_FILTER_QUESTIONS.
Add an attribute 'asked_on' for constants. If a constant is_secret,
require setting asked_on, to a list of question names that might
change/set it.
Add a field CREDS_Q_NAME_FUNC to the various *DB_ENV_KEYS. This field
should point at a function that should return the question name for a
particular field.
Change getCredentials to not get a parameter queryprefix for
constructing the question names, instead relying on CREDS_Q_NAME_FUNC.
Add functions *question_name for both passing as CREDS_Q_NAME_FUNC and
for asked_on.
And finally: Patch filter_secrets.py to also loop over all the
constants that set is_secret, and add their asked_on to
env[LOG_FILTER_QUESTIONS]. This makes otopi filter out all the answers
provided for these questions in answer files.
Change-Id: Ibaca2a03f2020750f96ae30a3448ea2ad17fe43c
Signed-off-by: Yedidyah Bar David didi@redhat.com