Project

General

Profile

Actions

Bug #18200

closed

Audit entries for encrypted oauth_consumer_secret created on app startup

Added by El Joppa over 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Audit Log
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

My audit log is mostly spammed by the following events:

updated Setting: oauth_consumer_secret
    Value changed from [encrypted] to [encrypted]

Foreman 1.14


Files

foreman foreman 1.96 KB foreman crontab in /etc/cron.d Achim Ziegler, 03/01/2017 02:09 AM

Related issues 1 (0 open1 closed)

Related to Foreman - Feature #13870: Encrypt settings valuesClosedAmir Fefer02/24/2016Actions
Actions #1

Updated by Dominic Cleal over 7 years ago

  • Category set to Audit Log
Actions #2

Updated by Yvan Broccard over 7 years ago

Same for me.
Is there a way to filter out this message in the audit ? The "setting" button is non clickable unfortunatelly.

Actions #3

Updated by Marek Hulán over 7 years ago

I wonder if you use puppet module to maintain you Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.

Actions #4

Updated by Anonymous over 7 years ago

I don't use puppet modules for managing my Foreman instance. However, when using foreman-rake, I'm still getting this output (and also have all the entries in the audit log.

root@sledge:~# foreman-rake config 
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
[...]

Actions #5

Updated by Yvan Broccard over 7 years ago

Same for me, I don't manage foreman with puppet, althought the foreman server is managed by puppet, nothing relevant to Foreman is touched with Puppet.

The audit log entries related to this problem "updated Setting: oauth_consumer_secret" come regularly by block of 3-6 at the same time that could match the execution of Puppet agent on the node.

Actions #6

Updated by Marek Hulán over 7 years ago

Michael, do you see new audits after running foreman-rake? I think these were different and harmless warnings.

Yvan, what are their times? Does each block start every e.g. 30 minutes? Could you check foreman production.log and see if there's some API call logged there for the same time?

Actions #7

Updated by Anonymous over 7 years ago

I do see such entries in the audit log after a "foreman-rake config" or "foreman-rake console"

Actions #8

Updated by Yvan Broccard over 7 years ago

I don't see entries in foreman's production.log or cron.log when running puppet agent manually.

I don't see entries either when running foreman-rake config.

grep -i oauth *log | head
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_secret
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_secret

Actions #9

Updated by Yvan Broccard over 7 years ago

but when running foreman-rake config manually, I get this on stdout :
  1. foreman-rake config
    Successfully encrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully encrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    access_unattended_without_build: false
    administrator:
    always_show_configuration_status: false
Actions #10

Updated by Chris Baldwin over 7 years ago

Marek Hulán wrote:

I wonder if you use puppet module to maintain you Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.

I'm one of these users - db:seed and db:migrate all over the place. Because of this, we've removed the module from our Foreman servers - we don't want to actually seed/migrate stuff every 30 minutes for every foreman server.

Also, this is/was in 1.12 too.

Actions #11

Updated by Marek Hulán over 7 years ago

Chris, would you mind opening a separate issue for this? It seems this one is unrelated.

Actions #12

Updated by Achim Ziegler over 7 years ago

The problem is caused by foreman-rake commands in the crontab, not by puppet

Actions #13

Updated by Trey Dockendorf over 7 years ago

These messages are making our audit emails completely useless. Every day we get ~210 audits when nothing has been changed. All the audits are the encrypt/decrypt of oauth_consumer_key and oauth_consumer_secret.

Actions #14

Updated by Adam Winberg over 7 years ago

We're using ldap auth and as per the recommendations in the documentation we use a cron job running

foreman-rake ldap:refresh_usergroups

to keep our ldap groups refreshed. This cron job results in these audit messages for oauth secret/key. Would be nice to not have them there!

Actions #15

Updated by Dominic Cleal over 7 years ago

Actions #16

Updated by Dominic Cleal over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
  • Translation missing: en.field_release_relationship changed from auto to added
Actions #17

Updated by Dominic Cleal over 7 years ago

  • Subject changed from audit log full of oauth_consumer_secret entries to Audit entries for encrypted oauth_consumer_secret created on app startup

Cause: encrypted settings (smtp_password, oauth_consumer_*) that are in settings.yaml will create audit entries on startup as Setting.create_existing will call #value= to set the value from settings.yaml. The (unchanged) value will be re-encrypted, creating new ciphertext and change what's stored in the DB each time, causing new audit entries.

Actions #18

Updated by The Foreman Bot over 7 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4558 added
Actions #19

Updated by Dominic Cleal over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #20

Updated by Klaas D over 7 years ago

seems to work fine in 1.14.3 for me, just in case anyone else wants to apply this to a production install

Actions #21

Updated by Marek Hulán over 7 years ago

  • Translation missing: en.field_release set to 240
Actions #22

Updated by Ohad Levy about 7 years ago

would we consider this to 1.15.z ? this is fairly annoying :-)

Actions #23

Updated by Daniel Lobato Garcia about 7 years ago

  • Translation missing: en.field_release changed from 240 to 276
Actions

Also available in: Atom PDF