Embedded Ansible: Password is exposed in logs when adding credentials

[evertmulder]

When I add a password using Embedded Ansible the password is visible in the logs. This causes security issues.

This is a snippet of the evm log when adding a machine credential with password "supersecret":

[----] I, [2017-05-18T15:52:22.334817 #2798:17d5608]  INFO -- : MIQ(MiqQueue.put) Message id: [2316],  id: [], Zone: [default], Role: [ems_operations], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.create_in_provider], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: [1, {:id=>nil, :name=>"test", :type=>"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential", :password=>"supersecret", :userid=>"username"}]
[----] I, [2017-05-18T15:52:22.334939 #2798:17d5608]  INFO -- : MIQ(MiqTask.generic_action_with_callback) Task: [18] Queued the action: [Creating Ansible Tower Credential (name=test)] being run for user: [system]
[----] I, [2017-05-18T15:52:23.026351 #2418:ce1134]  INFO -- : MIQ(MiqServer#populate_queue_messages) Fetched 2 miq_queue rows for queue_name=generic, wcount=4, priority=200
[----] I, [2017-05-18T15:52:23.533874 #2707:ce1134]  INFO -- : MIQ(MiqPriorityWorker::Runner#get_message_via_drb) Message id: [2315], MiqWorker id: [134], Zone: [default], Role: [smartstate], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [job_dispatcher], Command: [JobProxyDispatcher.dispatch], Timeout: [600], Priority: [20], State: [dequeue], Deliver On: [], Data: [], Args: [], Dequeued in: [3.598951532] seconds
[----] I, [2017-05-18T15:52:23.534010 #2707:ce1134]  INFO -- : Q-task_id([job_dispatcher]) MIQ(MiqQueue#deliver) Message id: [2315], Delivering...
[----] I, [2017-05-18T15:52:23.538904 #2707:ce1134]  INFO -- : Q-task_id([job_dispatcher]) MIQ(JobProxyDispatcher#dispatch) Complete - Timings: {:pending_container_jobs=>0.0024569034576416016, :container_jobs_to_dispatch_count=>0, :container_dispatching=>0.002472400665283203, :pending_vm_jobs=>0.0006234645843505859, :vm_jobs_to_dispatch_count=>0, :total_time=>0.004611492156982422}
[----] I, [2017-05-18T15:52:23.539211 #2707:ce1134]  INFO -- : Q-task_id([job_dispatcher]) MIQ(MiqQueue#delivered) Message id: [2315], State: [ok], Delivered in [0.005207691] seconds
[----] I, [2017-05-18T15:52:23.553808 #2707:ce1134]  INFO -- : MIQ(MiqPriorityWorker::Runner#get_message_via_drb) Message id: [2316], MiqWorker id: [134], Zone: [default], Role: [ems_operations], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.create_in_provider], Timeout: [600], Priority: [20], State: [dequeue], Deliver On: [], Data: [], Args: [1, {:id=>nil, :name=>"test", :type=>"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential", :password=>"supersecret", :userid=>"username"}], Dequeued in: [1.226143523] seconds
[----] I, [2017-05-18T15:52:23.554050 #2707:ce1134]  INFO -- : MIQ(MiqQueue#deliver) Message id: [2316], Delivering...
[----] I, [2017-05-18T15:52:23.658063 #2707:ce1134]  INFO -- : MIQ(ManageIQ::Providers::EmbeddedAnsible::Provider#with_provider_connection) Connecting through ManageIQ::Providers::EmbeddedAnsible::Provider: [Embedded Ansible]
[----] I, [2017-05-18T15:52:23.674300 #2707:ce1134]  INFO -- : MIQ(ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.notify) ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential in_provider creation with parameters: {:id=>nil, :name=>"test", :type=>"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential", :password=>"******", :username=>"username", :kind=>"ssh", :organization=>nil} succeeded

[AparnaKarve]

@jameswnl This seems identical to what we discussed a while back.

@evertmulder #15084 should resolve this issue, I believe.

[jameswnl]

@AparnaKarve , yes it should.
@evertmulder let me know if it's not.

thanks
James

[evertmulder]

Applied #15084 on the fine-1 release. This indeed fixes the issue. 👍

I will close this issue.

[----] I, [2017-05-23T17:03:59.250054 #5740:1131554]  INFO -- : MIQ(MiqQueue.put) Message id: [5085],  id: [], Zone: [default], Role: [ems_operations], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.create_in_provider], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: [1, {:id=>nil, :name=>"testtest", :type=>"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential", :password=>"********", :userid=>"test"}]
[----] I, [2017-05-23T17:04:03.773073 #5642:9b5140]  INFO -- : MIQ(MiqPriorityWorker::Runner#get_message_via_drb) Message id: [5085], MiqWorker id: [196], Zone: [default], Role: [ems_operations], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.create_in_provider], Timeout: [600], Priority: [20], State: [dequeue], Deliver On: [], Data: [], Args: [1, {:id=>nil, :name=>"testtest", :type=>"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential", :password=>"********", :userid=>"test"}], Dequeued in: [4.529730067] seconds