[cluster] enable crm_report password scrubbing

Default to specifying a password pattern of 'passw.*' when calling
the crm_report script. This causes matching strings to be elided
from the report data.

Since this scrubbing can affect the use of pacemaker state machine
snapshots for debugging the behaviour is controlled by a new option
that defaults to enabled: cluster.crm_scrub

This can be used to obtain an sosreport containing virgin crm_report
data with no password scrubbing:

  # sosreport -k cluster.crm_scrub=False

Signed-off-by: Shane Bradley <sbradley@redhat.com>
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>

sos/plugins/cluster.py

@@ -25,10 +25,12 @@ class Cluster(Plugin, RedHatPlugin):
 
     plugin_name = 'cluster'
     profiles = ('cluster',)
+
     option_list = [
         ("gfs2lockdump", 'gather output of gfs2 lockdumps', 'slow', False),
         ("crm_from", 'specify the start time for crm_report', 'fast', False),
-        ('lockdump', 'gather dlm lockdumps', 'slow', False)
+        ('lockdump', 'gather dlm lockdumps', 'slow', False),
+        ('crm_scrub', 'enable password scrubbing for crm_report', '', True),
     ]
 
     packages = [
@@ -112,8 +114,14 @@ def setup(self):
                     "default" % self.get_option('crm_from'))
 
         crm_dest = self.get_cmd_output_path(name='crm_report', make=False)
-        self.add_cmd_output('crm_report -S -d --dest %s --from "%s"'
-                            % (crm_dest, crm_from))
+        crm_scrub = '-p "passw.*"'
+        if not self.get_option("crm_scrub"):
+            crm_scrub = ''
+            self._log_warn("scrubbing of crm passwords has been disabled:")
+            self._log_warn("data collected by crm_report may contain"
+                           " sensitive values.")
+        self.add_cmd_output('crm_report %s -S -d --dest %s --from "%s"'
+                            % (crm_scrub, crm_dest, crm_from))
 
     def do_lockdump(self):
         if self._mount_debug():