Bug #18200

closed

Audit entries for encrypted oauth_consumer_secret created on app startup

Added by El Joppa almost 8 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: Audit Log

Description

My audit log is mostly spammed by the following events:

updated Setting: oauth_consumer_secret
    Value changed from [encrypted] to [encrypted]

Foreman 1.14


Files

foreman (1.96 KB): foreman crontab in /etc/cron.d. Achim Ziegler, 03/01/2017 02:09 AM

Related issues 1 (0 open, 1 closed)

Related to Foreman - Feature #13870: Encrypt settings values (Closed, Amir Fefer, 02/24/2016)
Actions #1

Updated by Dominic Cleal almost 8 years ago

  • Category set to Audit Log
Actions #2

Updated by Yvan Broccard over 7 years ago

Same for me.
Is there a way to filter out this message in the audit? The "setting" button is not clickable, unfortunately.

Actions #3

Updated by Marek Hulán over 7 years ago

I wonder if you use the puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run, which might explain this.

Actions #4

Updated by Anonymous over 7 years ago

I don't use puppet modules for managing my Foreman instance. However, when using foreman-rake, I'm still getting this output (and also have all the entries in the audit log).

root@sledge:~# foreman-rake config 
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
[...]

Actions #5

Updated by Yvan Broccard over 7 years ago

Same for me, I don't manage foreman with puppet. Although the foreman server is managed by puppet, nothing relevant to Foreman is touched with Puppet.

The audit log entries related to this problem "updated Setting: oauth_consumer_secret" come regularly by block of 3-6 at the same time that could match the execution of Puppet agent on the node.

Actions #6

Updated by Marek Hulán over 7 years ago

Michael, do you see new audits after running foreman-rake? I think these were different and harmless warnings.

Yvan, what are their times? Does each block start every e.g. 30 minutes? Could you check foreman production.log and see if there's some API call logged there for the same time?

Actions #7

Updated by Anonymous over 7 years ago

I do see such entries in the audit log after a "foreman-rake config" or "foreman-rake console"

Actions #8

Updated by Yvan Broccard over 7 years ago

I don't see entries in foreman's production.log or cron.log when running puppet agent manually.

I don't see entries either when running foreman-rake config.

grep -i oauth *log | head
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_secret
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_secret

Actions #9

Updated by Yvan Broccard over 7 years ago

but when running foreman-rake config manually, I get this on stdout:

# foreman-rake config
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
access_unattended_without_build: false
administrator:
always_show_configuration_status: false

Actions #10

Updated by Chris Baldwin over 7 years ago

Marek Hulán wrote:

I wonder if you use the puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run, which might explain this.

I'm one of these users - db:seed and db:migrate all over the place. Because of this, we've removed the module from our Foreman servers - we don't want to actually seed/migrate stuff every 30 minutes for every foreman server.

Also, this is/was in 1.12 too.

Actions #11

Updated by Marek Hulán over 7 years ago

Chris, would you mind opening a separate issue for this? It seems this one is unrelated.

Actions #12

Updated by Achim Ziegler over 7 years ago

The problem is caused by foreman-rake commands in the crontab, not by puppet

Actions #13

Updated by Trey Dockendorf over 7 years ago

These messages are making our audit emails completely useless. Every day we get ~210 audits when nothing has been changed. All the audits are the encrypt/decrypt of oauth_consumer_key and oauth_consumer_secret.

Actions #14

Updated by Adam Winberg over 7 years ago

We're using ldap auth and as per the recommendations in the documentation we use a cron job running

foreman-rake ldap:refresh_usergroups

to keep our ldap groups refreshed. This cron job results in these audit messages for oauth secret/key. Would be nice to not have them there!

Actions #15

Updated by Dominic Cleal over 7 years ago

Actions #16

Updated by Dominic Cleal over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
  • Translation missing: en.field_release_relationship changed from auto to added
Actions #17

Updated by Dominic Cleal over 7 years ago

  • Subject changed from audit log full of oauth_consumer_secret entries to Audit entries for encrypted oauth_consumer_secret created on app startup

Cause: encrypted settings (smtp_password, oauth_consumer_*) that are in settings.yaml will create audit entries on startup, as Setting.create_existing will call #value= to set the value from settings.yaml. The (unchanged) value will be re-encrypted, creating new ciphertext and changing what's stored in the DB each time, causing new audit entries.
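
The mechanism described in the comment above, as an added Ruby example that is not part of the ticket or Foreman's code. `ToySetting`, `startup_audits` and the AES-256-GCM stand-in cipher are assumptions made for illustration; the plaintext comparison shown is one way to avoid the spurious audit, not necessarily what the linked pull request does.

```ruby
require 'openssl'
KEY = OpenSSL::Random.random_bytes(32) # constructed key for the demo

# Stand-in cipher (assumption, not Foreman's code): AES-256-GCM, fresh nonce per call.
def encrypt(plain)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = KEY
  iv = c.random_iv
  ct = c.update(plain) + c.final
  iv + c.auth_tag + ct                   # nonce | 16-byte tag | ciphertext
end

def decrypt(blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = KEY
  d.iv = blob[0, 12]
  d.auth_tag = blob[12, 16]
  d.update(blob[28..-1]) + d.final
end

# Hypothetical setting row: audits whenever the stored (encrypted) column changes.
class ToySetting
  attr_reader :audits
  def initialize(plain)
    @stored = encrypt(plain)
    @audits = []
  end

  # Behaviour described in the ticket: re-encrypt on every assignment.
  def assign_naive(plain)
    write(encrypt(plain))
  end
  # Compare plaintext first; an unchanged value never reaches the column.
  def assign_checked(plain)
    write(encrypt(plain)) unless decrypt(@stored) == plain.b
  end
  def write(new_ct)
    return if new_ct == @stored          # dirty check sees ciphertext only
    @audits << 'Value changed from [encrypted] to [encrypted]'
    @stored = new_ct
  end
end

# Simulate `runs` startups re-applying the same constructed value.
def startup_audits(mode, runs)
  s = ToySetting.new('constructed-secret')
  runs.times { s.public_send(mode, 'constructed-secret') }
  s.audits.size
end
```

`startup_audits(:assign_naive, 5)` records five audit entries for a value that never changed, while `startup_audits(:assign_checked, 5)` records none.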

Actions #18

Updated by The Foreman Bot over 7 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4558 added
Actions #19

Updated by Dominic Cleal over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #20

Updated by Klaas D over 7 years ago

seems to work fine in 1.14.3 for me, just in case anyone else wants to apply this to a production install

Actions #21

Updated by Marek Hulán over 7 years ago

  • Translation missing: en.field_release set to 240
Actions #22

Updated by Ohad Levy over 7 years ago

would we consider this to 1.15.z ? this is fairly annoying :-)

Actions #23

Updated by Daniel Lobato Garcia over 7 years ago

  • Translation missing: en.field_release changed from 240 to 276