subcloud collect fails if sysadmin password has a special character

Bug #2072394 reported by Eric MacDonald
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Eric MacDonald

Bug Description

Brief Description:
------------------
Collecting from a subcloud using a user account with a password containing special characters
such as $, [, ], /, or " will fail due to an "Invalid Password" error.

This issue arises because an additional escape character ({}) is being added, which results in a corrupted password being sent to the subcloud.

The problem occurs in two stages:

1. When the collect command is initially invoked by the user, the first escape character(s) are added to the special character(s) in the password.

2. The collect command then initiates a secondary call targeted at the subcloud. During this process, the already escaped password is sent to the subcloud via a temporary file using the --file option. When collect runs on the subcloud, it adds another layer of escaping to the password, leading to corruption and the subsequent "Invalid Password" error.

To resolve this issue, the collect tool needs to be modified to preserve the original user password so it can be passed to the subcloud, allowing collect on the subcloud to do its password escape, thereby avoiding the double escape that leads to an invalid password.

Severity:
---------

Minor: Special characters in passwords are relatively rare and there is
       an easy workaround by simply changing the user password to remove
       the problematic special character.

Steps to Reproduce:
-------------------

Change the sysadmin password to include one or more of the following special characters: $, [, ], \, or "

Expected Behavior:
------------------
Collect subcloud succeeds.

Actual Behavior:
---------------
Collect of subcloud is rejected due to invalid password.

Reproducibility:
----------------
100% reproducible with the reproducibility steps.

System Configuration:
---------------------
DC system with subcloud(s).

Load info (eg: 2022-03-10_20-00-07):
-----------------------------------
Any load prior to the closure of this bug report.

Last Pass:
----------
Test Escape: Issue was introduced along with the initial subcloud collect feature years ago but never seen or reported.

Timestamp/Logs:
---------------
Collect logs are not required. Issue is understood.

Error: invalid password ; Supplied password appears invalid (reason:30)

Alarms:
-------
N/A

Test Activity:
--------------
Developer Testing

Workaround:
-----------
Modify the username password to remove the special character(s).
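
The two-stage flow described in this report, reproduced as an added shell example (not code from the reporter or from the StarlingX collect tool). The function names are hypothetical, and both the backslash as the escape character and a final consumer that strips exactly one escape layer are assumptions.

```shell
#!/bin/sh
# Added illustration of the double escape described in the report.
# All function names are hypothetical and backslash as the escape
# character is an assumption; this is not StarlingX code.

# Prefix each special character ($ [ ] \ ") with one backslash.
escape_pw() {
    printf '%s' "$1" | sed 's/[][$"\\]/\\&/g'
}

# Model of the final consumer, which strips exactly one escape layer.
consume_pw() {
    printf '%s' "$1" | sed 's/\\\(.\)/\1/g'
}

# Hand a value to the "subcloud" through a private temp file (the --file
# step), then let the subcloud side escape it once and consume it.
subcloud_collect() {
    (
        umask 077                      # temp file readable by owner only
        f=$(mktemp) || exit 1
        printf '%s' "$1" > "$f"
        received=$(cat "$f")
        rm -f "$f"                     # do not leave the password on disk
        consume_pw "$(escape_pw "$received")"
    )
}

# Before the fix: the already escaped password is forwarded.
via_subcloud_buggy() {
    subcloud_collect "$(escape_pw "$1")"
}

# After the fix: the original password is preserved and forwarded.
via_subcloud_fixed() {
    subcloud_collect "$1"
}

pw='Pa$s[w]"d'   # constructed sample password
printf 'original: %s\n' "$pw"
printf 'buggy   : %s\n' "$(via_subcloud_buggy "$pw")"
printf 'fixed   : %s\n' "$(via_subcloud_fixed "$pw")"
```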

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/923912

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/923912
Committed: https://opendev.org/starlingx/utilities/commit/0b6055487e9bd67eff288f25f44e94f977740830
Submitter: "Zuul (22348)"
Branch: master

commit 0b6055487e9bd67eff288f25f44e94f977740830
Author: Eric MacDonald <email address hidden>
Date: Thu Jul 11 01:13:19 2024 +0000

    Preserve original collect password to be used for subcloud collect

    Collecting from a subcloud using a user account with a password
    containing special characters such as $, [, ], /, or " will fail
    due to an "Invalid Password" error.

    When the collect command is initially invoked by the user, the first
    escape character(s) are added to prefix the special character(s)
    in the password. Subcloud collects initiate a second call to collect
    which leads to a double special character escape which corrupts the
    password.

    This update resolves this issue by preserving the original unescaped
    password so it can be passed to the subcloud collect. Doing so avoids
    the double password escape.

    Test Plan:

    PASS: Verify subcloud collect without special sudo password characters
    PASS: Verify subcloud collect with special sudo password characters
    PASS: Verify host collect without special sudo password characters
    PASS: Verify host collect with special sudo password characters

    Closes-Bug: 2072394
    Change-Id: If7cf684b6412687c89e5af36b5b2e9b6e2a832f9
    Signed-off-by: Eric MacDonald <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.10.0 stx.tools
Changed in starlingx:
assignee: nobody → Eric MacDonald (rocksolidmtce)