Bug #18200

Audit entries for encrypted oauth_consumer_secret created on app startup

Added by Rolf Larsen 9 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assigned To: Dominic Cleal
Category: Audit Log
Target version: -
Difficulty:
Bugzilla link:
Found in release: 1.14.0
Pull request: https://github.com/theforeman/foreman/pull/4558
Story points: -
Velocity based estimate: -
Release: 1.15.3
Release relationship: Added

Description

My audit log is mostly spammed by the following events:

updated Setting: oauth_consumer_secret
    Value changed from [encrypted] to [encrypted]

Foreman 1.14

foreman - foreman crontab in /etc/cron.d (1.96 KB) Achim Ziegler, 03/01/2017 02:09 AM


Related issues

Related to Foreman - Feature #13870: Encrypt settings values Closed 02/24/2016

Associated revisions

Revision 9586cd4a
Added by Dominic Cleal 5 months ago

fixes #18200 - don't re-encrypt settings when value is unchanged

Revision 1cd1880b
Added by Dominic Cleal 3 months ago

fixes #18200 - don't re-encrypt settings when value is unchanged

History

#1 Updated by Dominic Cleal 9 months ago

  • Category set to Audit Log
  • Found in release set to 1.14.0

#2 Updated by Yvan Broccard 8 months ago

Same for me.
Is there a way to filter out this message in the audit? The "setting" button is non-clickable, unfortunately.

#3 Updated by Marek Hulán 8 months ago

I wonder if you use a puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run, which might explain this.

#4 Updated by Michael Moll 8 months ago

I don't use puppet modules for managing my Foreman instance. However, when using foreman-rake, I'm still getting this output (and also have all the entries in the audit log).

root@sledge:~# foreman-rake config 
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
[...]

#5 Updated by Yvan Broccard 8 months ago

Same for me. I don't manage Foreman with Puppet; although the Foreman server is managed by Puppet, nothing relevant to Foreman is touched with Puppet.

The audit log entries related to this problem, "updated Setting: oauth_consumer_secret", come regularly in blocks of 3-6, at times that could match the execution of the Puppet agent on the node.

#6 Updated by Marek Hulán 8 months ago

Michael, do you see new audits after running foreman-rake? I think these were different and harmless warnings.

Yvan, what are their times? Does each block start every e.g. 30 minutes? Could you check foreman production.log and see if there's some API call logged there for the same time?

#7 Updated by Michael Moll 8 months ago

I do see such entries in the audit log after a "foreman-rake config" or "foreman-rake console".

#8 Updated by Yvan Broccard 8 months ago

I don't see entries in foreman's production.log or cron.log when running puppet agent manually.

I don't see entries either when running foreman-rake config.

grep -i oauth *log | head
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_secret
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_secret

#9 Updated by Yvan Broccard 8 months ago

But when running foreman-rake config manually, I get this on stdout:

# foreman-rake config
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
access_unattended_without_build: false
administrator:
always_show_configuration_status: false

#10 Updated by Chris Baldwin 8 months ago

Marek Hulán wrote:

I wonder if you use a puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run, which might explain this.

I'm one of these users - db:seed and db:migrate all over the place. Because of this, we've removed the module from our Foreman servers - we don't want to actually seed/migrate stuff every 30 minutes for every foreman server.

Also, this is/was in 1.12 too.

#11 Updated by Marek Hulán 8 months ago

Chris, would you mind opening a separate issue for this? It seems this one is unrelated.

#12 Updated by Achim Ziegler 8 months ago

The problem is caused by foreman-rake commands in the crontab, not by puppet.

#13 Updated by Trey Dockendorf 6 months ago

These messages are making our audit emails completely useless. Every day we get ~210 audits when nothing has been changed. All the audits are the encrypt/decrypt of oauth_consumer_key and oauth_consumer_secret.

#14 Updated by Adam Winberg 5 months ago

We're using ldap auth and as per the recommendations in the documentation we use a cron job running

foreman-rake ldap:refresh_usergroups

to keep our ldap groups refreshed. This cron job results in these audit messages for oauth secret/key. Would be nice to not have them there!

#15 Updated by Dominic Cleal 5 months ago

#16 Updated by Dominic Cleal 5 months ago

  • Status changed from New to Assigned
  • Assigned To set to Dominic Cleal
  • Release relationship changed from auto to added

#17 Updated by Dominic Cleal 5 months ago

  • Subject changed from audit log full of oauth_consumer_secret entries to Audit entries for encrypted oauth_consumer_secret created on app startup

Cause: encrypted settings (smtp_password, oauth_consumer_*) that are in settings.yaml will create audit entries on startup, as Setting.create_existing will call #value= to set the value from settings.yaml. The (unchanged) value will be re-encrypted, creating new ciphertext and changing what's stored in the DB each time, causing new audit entries.
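
The cause described in #17, as an added Ruby illustration that is not part of the thread or of Foreman's code: `DemoSetting`, its methods and the key are hypothetical, and AES-256-GCM from Ruby's OpenSSL library stands in for whatever encryption Foreman uses. It shows a fresh random IV making every re-encryption of an unchanged value look like a change, and a plaintext comparison before writing avoiding the spurious audit entry.

```ruby
require 'openssl'
require 'base64'

# Hypothetical stand-in for an encrypted setting; not Foreman's Setting model.
class DemoSetting
  KEY = OpenSSL::Random.random_bytes(32) # constructed demo key
  attr_reader :stored, :audits

  def initialize(plaintext)
    @audits = []
    @stored = encrypt(plaintext)
  end

  # Before: always re-encrypt, so the stored ciphertext differs on every call.
  def assign_always(plaintext)
    write(encrypt(plaintext))
  end

  # After: compare plaintexts first; leave the stored ciphertext alone if equal.
  def assign_if_changed(plaintext)
    write(encrypt(plaintext)) unless decrypt(@stored) == plaintext
  end

  def decrypt(blob)
    raw = Base64.strict_decode64(blob)
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = KEY
    c.iv = raw[0, 12]        # 12-byte IV, then 16-byte tag, then ciphertext
    c.auth_tag = raw[12, 16]
    (c.update(raw[28..-1]) + c.final).force_encoding(Encoding::UTF_8)
  end

  private

  def encrypt(plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = KEY
    iv = c.random_iv # fresh IV per call: same input, different ciphertext
    ct = c.update(plaintext) + c.final
    Base64.strict_encode64(iv + c.auth_tag + ct)
  end

  def write(blob)
    @audits << 'Value changed from [encrypted] to [encrypted]' if blob != @stored
    @stored = blob
  end
end
```

Calling `assign_always` with the same value on every startup adds one audit line each time, while `assign_if_changed` adds one only when the plaintext really differs.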

#18 Updated by The Foreman Bot 5 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4558 added

#19 Updated by Dominic Cleal 5 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#20 Updated by Klaas D 5 months ago

Seems to work fine in 1.14.3 for me, just in case anyone else wants to apply this to a production install.

#21 Updated by Marek Hulán 4 months ago

  • Release set to 1.16.0

#22 Updated by Ohad Levy 3 months ago

Would we consider this for 1.15.z? This is fairly annoying :-)

#23 Updated by Daniel Lobato Garcia 3 months ago

  • Release changed from 1.16.0 to 1.15.3
