Deprecates username and password from boot time registration

The username and password combination is considered insecure to store in
the metadata passed to the stack as they can easily be obtained and
possibly used in an unauthorized manner by logging into one of the
registration systems. The use of an activation key is more desirable
as it can only be used in conjunction with subscription-manager to
register a RHEL system.

This patch deprecates the username and password support from the script
that registers RHEL with either Satellite or RH Customer Portal during
boot-time.  This patch also adds a warning if the username and password
combination is used in the stack metadata. The documentation and examples
have also been updated to warn operators of the deprecation of username
and password.

This patch does not affect the username and password support for
registration activities while building images with diskimage-builder.

Change-Id: I05b7a18e910d31ad2273042409f8657ad9dee36a
Ryan Brady 2014-12-09 10:46:00 -05:00
parent 386a7a01d3
commit 2fb72d6ed9
3 changed files with 21 additions and 6 deletions


@ -9,6 +9,18 @@ Portal or Satellite to enable software installation from official
repositories. After the end of the image creation process, the image will
unregister itself so an entitlement will not be decremented from the account.
SECURITY WARNING:
-----------------
While the image building workflow will allow you to register with a username
and password combination, that feature is deprecated in the boot process via
Heat as it will expose your username and password in clear text for anyone
that has rights to run heat stack-show. A compromised username and password
can be used to login to the Red Hat Customer Portal or an instance of
Satellite. An activation key can only be used for registration purposes using
the subscription-manager command line tool and is considered a lower security
risk.
IMPORTANT NOTE:
----------------
The 00-rhsm script is specific to RHEL6. If you use the REG_ variables to
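Review bot: The SECURITY WARNING paragraph (ending at "lower security risk") should say plainly that an activation key placed in the Heat metadata is just as visible to anyone who can run `heat stack-show` as the deprecated username and password were; what changes is the blast radius (the key can only register systems through subscription-manager, it cannot log in to the Customer Portal or Satellite), so operators should still treat the key as a secret and rotate it if the stack metadata is exposed. Minor wording: "anyone that has rights" reads better as "anyone who has rights".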
@ -158,6 +170,7 @@ Heat metadata can be used to configure the rhel-common element.
org:
# Gives the organization to which to join the system.
password:
# DEPRECATED
# Gives the password for the user account.
release:
# Sets the operating system minor release to use for subscriptions
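Review bot: A bare `# DEPRECATED` under `password:` does not tell the reader what replaces it; suggest `# DEPRECATED: use activation_key instead (see SECURITY WARNING).` so the metadata reference matches the wording of the runtime warning added to the registration script.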
@ -180,6 +193,7 @@ Heat metadata can be used to configure the rhel-common element.
# Sets the service level to use for subscriptions on that machine.
# This is only used with the auto_attach option.
user:
# DEPRECATED
# Gives the content server user account name.
type:
# Sets what type of consumer is being registered. The default is
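Review bot: `# DEPRECATED` under `user:` gives no replacement either; suggest `# DEPRECATED: use activation_key instead (see SECURITY WARNING).` so that `user:` and `password:`, which are only meaningful together, carry the same pointer.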
@ -202,8 +216,7 @@ metadata:
"satellite_url": "http://my-sat06.server.org",
"org": "tripleo",
"environment": "Library",
"user":"tripleo",
"password":"tripleo",
"activation_key": "my-key-SQQkh4",
"method":"satellite"
"repos": "rhel-ha-for-rhel-7-server-rpms"
}
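Review bot: The satellite example is not valid JSON: `"method":"satellite"` is missing the trailing comma before `"repos": "rhel-ha-for-rhel-7-server-rpms"`. The defect predates this change, but since the hunk is already editing this block it is worth fixing here so operators who copy the example do not hit a metadata parse error.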
@ -216,8 +229,8 @@ use the following metadata:
"rh_registration":{
"repos":"rhel-7-server-optional-rpms,rhel-7-server-extras-rpms",
"auto_attach":true,
"user":"tripleo",
"password":"tripleo",
"activation_key": "my-key-SQQkh4",
"org": "5643002",
"method":"portal"
}
}
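Review bot: `"org": "5643002"` in the portal example looks like a real Customer Portal organization ID rather than a placeholder; suggest an obviously fake value (e.g. `"org": "<your-org-id>"`) alongside the placeholder key `my-key-SQQkh4`, so copied examples cannot accidentally point at someone's real account.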


@ -71,6 +71,8 @@ if [ -n "${REG_ACTIVATION_KEY:-}" ]; then
echo "WARNING: REG_ACTIVATION_KEY set without REG_ORG."
fi
else
echo "WARNING: Support for registering with a username and password is deprecated."
echo "Please use activation keys instead. See the README for more information."
if [ -n "${REG_PASSWORD:-}" ]; then
opts="$opts --password $REG_PASSWORD"
fi
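Review bot: The deprecation warning is printed at the top of the `else` branch, i.e. whenever `REG_ACTIVATION_KEY` is empty, before the `REG_PASSWORD` check; an operator who set no credentials at all is therefore told that username/password is deprecated rather than that nothing is configured. Suggest moving the two `echo` lines inside `if [ -n "${REG_PASSWORD:-}" ]; then` (or guarding them on the username variable). Separately, `$REG_PASSWORD` is unquoted in `opts="$opts --password $REG_PASSWORD"`, so a password containing whitespace will not survive the later expansion of `$opts`; building the options as an array would handle that.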
@ -85,7 +87,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
fi
if [ -n "${REG_ORG:-}" ]; then
opts="$opts --org $REG_ORG"
opts="$opts --org=$REG_ORG"
fi
if [ -n "${REG_REPOS:-}" ]; then
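Review bot: The switch from `--org $REG_ORG` to `--org=$REG_ORG` is not mentioned in the commit message, which describes only the username/password deprecation; if the `=` form is needed for subscription-manager to parse the value (for example an org name beginning with a dash), say so in the message, otherwise split it into its own change so a behavioural fix is not hidden in a documentation/deprecation commit.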


@ -68,7 +68,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
fi
if [ -n "${REG_ORG:-}" ]; then
opts="$opts --org $REG_ORG"
opts="$opts --org=$REG_ORG"
fi
if [ -n "${REG_REPOS:-}" ]; then
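Review bot: Same `--org` to `--org=$REG_ORG` change as in the other registration script, again without a mention in the commit message; keeping the two scripts in sync is right, but the reason should be recorded once so a later reader does not revert one of them as accidental drift.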