Merge "Deprecates username and password from boot time registration"

2015-01-09 15:17:57 +00:00 · 2015-01-09 15:17:57 +00:00 · 89e9c01cd4
commit 89e9c01cd4
parent e304882e9d 2fb72d6ed9
3 changed files with 21 additions and 6 deletions
--- a/elements/rhel-common/README.md
+++ b/elements/rhel-common/README.md
@ -9,6 +9,18 @@ Portal or Satellite to enable software installation from official
 repositories. After the end of the image creation process, the image will
 unregister itself so an entitlement will not be decremented from the account.

+
+SECURITY WARNING:
+-----------------
+While the image building workflow will allow you to register with a username
+and password combination, that feature is deprecated in the boot process via
+Heat as it will expose your username and password in clear text for anyone
+that has rights to run heat stack-show.  A compromised username and password
+can be used to login to the Red Hat Customer Portal or an instance of
+Satellite.  An activation key can only be used for registration purposes using
+the subscription-manager command line tool and is considered a lower security
+risk.
+
 IMPORTANT NOTE:
 ----------------
 The 00-rhsm script is specific to RHEL6.  If you use the REG_ variables to
@ -158,6 +170,7 @@ Heat metadata can be used to configure the rhel-common element.
        org:
            # Gives the organization to which to join the system.
        password:
+            # DEPRECATED
            # Gives the password for the user account.
        release:
            # Sets the operating system minor release to use for subscriptions
@ -180,6 +193,7 @@ Heat metadata can be used to configure the rhel-common element.
            # Sets the service level to use for subscriptions on that machine.
            # This is only used with the auto_attach option.
        user:
+            # DEPRECATED
            # Gives the content server user account name.
        type:
            # Sets what type of consumer is being registered. The default is
@ -202,8 +216,7 @@ metadata:
            "satellite_url": "http://my-sat06.server.org",
            "org": "tripleo",
            "environment": "Library",
-            "user":"tripleo",
-            "password":"tripleo",
+            "activation_key": "my-key-SQQkh4",
            "method":"satellite"
            "repos": "rhel-ha-for-rhel-7-server-rpms"
        }
@ -216,8 +229,8 @@ use the following metadata:
        "rh_registration":{
            "repos":"rhel-7-server-optional-rpms,rhel-7-server-extras-rpms",
            "auto_attach":true,
-            "user":"tripleo",
-            "password":"tripleo",
+            "activation_key": "my-key-SQQkh4",
+            "org": "5643002",
            "method":"portal"
        }
    }
--- a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
+++ b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
@ -71,6 +71,8 @@ if [ -n "${REG_ACTIVATION_KEY:-}" ]; then
        echo "WARNING: REG_ACTIVATION_KEY set without REG_ORG."
    fi
 else
+    echo "WARNING: Support for registering with a username and password is deprecated."
+    echo "Please use activation keys instead.  See the README for more information."
    if [ -n "${REG_PASSWORD:-}" ]; then
        opts="$opts --password $REG_PASSWORD"
    fi
@ -85,7 +87,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
 fi

 if [ -n "${REG_ORG:-}" ]; then
-    opts="$opts --org $REG_ORG"
+    opts="$opts --org=$REG_ORG"
 fi

 if [ -n "${REG_REPOS:-}" ]; then
--- a/elements/rhel-common/pre-install.d/00-rhel-registration
+++ b/elements/rhel-common/pre-install.d/00-rhel-registration
@ -68,7 +68,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
 fi

 if [ -n "${REG_ORG:-}" ]; then
-    opts="$opts --org $REG_ORG"
+    opts="$opts --org=$REG_ORG"
 fi

 if [ -n "${REG_REPOS:-}" ]; then