Bug #18200

Audit entries for encrypted oauth_consumer_secret created on app startup

Added by Rolf Larsen over 1 year ago. Updated 9 days ago.

Status: Closed
Priority: Normal
Assignee: Dominic Cleal
Category: Audit Log
Target version: 1.15.3
Difficulty:
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link:
Found in Releases: 1.14.0
Pull request: https://github.com/theforeman/foreman/pull/4558

Description

My audit log is mostly spammed by the following events:

updated Setting: oauth_consumer_secret
    Value changed from [encrypted] to [encrypted]

Foreman 1.14

foreman - foreman crontab in /etc/cron.d (1.96 KB) Achim Ziegler, 03/01/2017 02:09 AM


Related issues

Related to Foreman - Feature #13870: Encrypt settings values Closed 02/24/2016

Associated revisions

Revision 9586cd4a
Added by Dominic Cleal about 1 year ago

fixes #18200 - don't re-encrypt settings when value is unchanged

Revision 1cd1880b
Added by Dominic Cleal 12 months ago

fixes #18200 - don't re-encrypt settings when value is unchanged

History

#1 Updated by Dominic Cleal over 1 year ago

  • Category set to Audit Log

#2 Updated by Yvan Broccard over 1 year ago

Same for me.
Is there a way to filter out this message in the audit? The "setting" button is non-clickable, unfortunately.

#3 Updated by Marek Hulán over 1 year ago

I wonder if you use the puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.

#4 Updated by Michael Moll over 1 year ago

I don't use puppet modules for managing my Foreman instance. However, when using foreman-rake, I'm still getting this output (and also have all the entries in the audit log).

root@sledge:~# foreman-rake config 
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
[...]

#5 Updated by Yvan Broccard over 1 year ago

Same for me, I don't manage foreman with puppet. Although the foreman server is managed by puppet, nothing relevant to Foreman is touched with Puppet.

The audit log entries related to this problem "updated Setting: oauth_consumer_secret" come regularly in blocks of 3-6 at the same time, which could match the execution of the Puppet agent on the node.

#6 Updated by Marek Hulán over 1 year ago

Michael, do you see new audits after running foreman-rake? I think these were different and harmless warnings.

Yvan, what are their times? Does each block start every e.g. 30 minutes? Could you check foreman production.log and see if there's some API call logged there for the same time?

#7 Updated by Michael Moll over 1 year ago

I do see such entries in the audit log after a "foreman-rake config" or "foreman-rake console"

#8 Updated by Yvan Broccard over 1 year ago

I don't see entries in foreman's production.log or cron.log when running puppet agent manually.

I don't see entries either when running foreman-rake config.

grep -i oauth *log | head
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_secret
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_secret

#9 Updated by Yvan Broccard over 1 year ago

But when running foreman-rake config manually, I get this on stdout:
# foreman-rake config
    Successfully encrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully decrypted field for Setting::Auth oauth_consumer_key
    Successfully encrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    Successfully decrypted field for Setting::Auth oauth_consumer_secret
    access_unattended_without_build: false
    administrator:
    always_show_configuration_status: false

#10 Updated by Chris Baldwin over 1 year ago

Marek Hulán wrote:

I wonder if you use the puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.

I'm one of these users - db:seed and db:migrate all over the place. Because of this, we've removed the module from our Foreman servers - we don't want to actually seed/migrate stuff every 30 minutes for every foreman server.

Also, this is/was in 1.12 too.

#11 Updated by Marek Hulán over 1 year ago

Chris, would you mind opening a separate issue for this? It seems this one is unrelated.

#12 Updated by Achim Ziegler over 1 year ago

The problem is caused by foreman-rake commands in the crontab, not by puppet

#13 Updated by Trey Dockendorf over 1 year ago

These messages are making our audit emails completely useless. Every day we get ~210 audits when nothing has been changed. All the audits are the encrypt/decrypt of oauth_consumer_key and oauth_consumer_secret.

#14 Updated by Adam Winberg about 1 year ago

We're using ldap auth and as per the recommendations in the documentation we use a cron job running

foreman-rake ldap:refresh_usergroups

to keep our ldap groups refreshed. This cron job results in these audit messages for oauth secret/key. Would be nice to not have them there!

#15 Updated by Dominic Cleal about 1 year ago

#16 Updated by Dominic Cleal about 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
  • Release relationship changed from auto to added

#17 Updated by Dominic Cleal about 1 year ago

  • Subject changed from audit log full of oauth_consumer_secret entries to Audit entries for encrypted oauth_consumer_secret created on app startup

Cause: encrypted settings (smtp_password, oauth_consumer_*) that are in settings.yaml will create audit entries on startup, as Setting.create_existing will call #value= to set the value from settings.yaml. The (unchanged) value will be re-encrypted, creating new ciphertext and changing what's stored in the DB each time, causing new audit entries.
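
The cause described in note #17 and the behaviour named in the fix's commit message, as an added Ruby example that is not Foreman's code: ToySetting, its skip_unchanged flag and audits_after_restarts are hypothetical, and AES-256-GCM with a random IV is an assumption standing in for Foreman's own encryption.

```ruby
require 'openssl'
require 'base64'

# Hypothetical stand-in for an encrypted setting row; not Foreman's Setting model.
class ToySetting
  KEY = OpenSSL::Random.random_bytes(32) # constructed demo key
  attr_reader :audits

  def initialize(skip_unchanged:)
    @skip_unchanged = skip_unchanged
    @stored = nil # ciphertext as it would sit in the DB column
    @audits = []
  end

  # Called with the settings.yaml value on every simulated startup.
  def value=(plain)
    # The fix: compare plaintexts, because a fresh ciphertext never equals the stored one.
    return if @skip_unchanged && @stored && value == plain
    ciphertext = encrypt(plain)
    @audits << 'Value changed from [encrypted] to [encrypted]' if @stored && ciphertext != @stored
    @stored = ciphertext
  end

  def value
    return nil unless @stored
    raw = Base64.strict_decode64(@stored)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = KEY
    d.iv = raw[0, 12]
    d.auth_tag = raw[12, 16]
    (d.update(raw[28..-1]) + d.final).force_encoding(Encoding::UTF_8)
  end

  private

  def encrypt(plain)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = KEY
    iv = c.random_iv # fresh IV per call, so equal plaintexts give different ciphertext
    ct = c.update(plain) + c.final
    Base64.strict_encode64(iv + c.auth_tag + ct)
  end
end

# Simulate the initial create plus `restarts` startups that re-apply the same value.
def audits_after_restarts(setting, secret, restarts)
  (restarts + 1).times { setting.value = secret }
  setting.audits.size
end
```

With skip_unchanged off, every restart adds one "[encrypted] to [encrypted]" audit; with it on, only a real change of the secret is audited.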

#18 Updated by The Foreman Bot about 1 year ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4558 added

#19 Updated by Dominic Cleal about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#20 Updated by Klaas D about 1 year ago

seems to work fine in 1.14.3 for me, just in case anyone else wants to apply this to a production install

#21 Updated by Marek Hulán about 1 year ago

  • Legacy Backlogs Release (now unused) set to 240

#22 Updated by Ohad Levy 12 months ago

Would we consider this for 1.15.z? This is fairly annoying :-)

#23 Updated by Daniel Lobato Garcia 12 months ago

  • Legacy Backlogs Release (now unused) changed from 240 to 276
