[Engine-devel] Dropping encryption of database password
Eli Mesika
emesika at redhat.com
Sun May 5 14:15:24 UTC 2013
----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Eli Mesika" <emesika at redhat.com>
> Cc: "Keith Robertson" <kroberts at redhat.com>, "Juan Hernandez" <jhernand at redhat.com>, "engine-devel"
> <engine-devel at ovirt.org>, "pmatouse" <pmatouse at redhat.com>
> Sent: Sunday, May 5, 2013 10:17:28 AM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
>
>
> ----- Original Message -----
> > From: "Eli Mesika" <emesika at redhat.com>
> > To: "Keith Robertson" <kroberts at redhat.com>, "Alon Bar-Lev"
> > <alonbl at redhat.com>, "Juan Hernandez"
> > <jhernand at redhat.com>
> > Cc: "engine-devel" <engine-devel at ovirt.org>, "pmatouse"
> > <pmatouse at redhat.com>
> > Sent: Sunday, May 5, 2013 10:13:59 AM
> > Subject: Re: [Engine-devel] Dropping encryption of database password
> >
> >
> >
> > ----- Original Message -----
> > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > To: "Keith Robertson" <kroberts at redhat.com>
> > > Cc: "Juan Hernandez" <jhernand at redhat.com>, "engine-devel"
> > > <engine-devel at ovirt.org>, "pmatouse" <pmatouse at redhat.com>
> > > Sent: Wednesday, May 1, 2013 9:40:13 PM
> > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Keith Robertson" <kroberts at redhat.com>
> > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > Cc: "Josh Bressers" <bressers at redhat.com>, "Juan Hernandez"
> > > > <jhernand at redhat.com>, "engine-devel"
> > > > <engine-devel at ovirt.org>, "pmatouse" <pmatouse at redhat.com>, "Sandro
> > > > Bonazzola" <sbonazzo at redhat.com>
> > > > Sent: Wednesday, May 1, 2013 9:31:15 PM
> > > > Subject: Re: [Engine-devel] Dropping encryption of database password
> > > >
> > > > On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:
> > > > > Thank you.
> > > > > This is what I wrote in my initial post.
> > > > > The only users who should access this password is ovirt user and root
> > > > > user.
> > > > >
> > > > > Regards,
> > > > > Alon Bar-Lev.
> > > > >
> > > > >> >
> > > > Alon,
> > > > I agree with the desire to store the PW in plaintext and in a
> > > > non-obfuscated manner. In this case, obfuscation really doesn't gain
> > > > anything.
> > > >
> > > > I would suggest; however, that the migration to plaintext be
> > > > coordinated
> > > > with a simultaneous patch to the the Log Collector. It does have a
> > > > dependency on the current architecture.
> > > >
> > > > Keith
> > > >
> > >
> > > Hi,
> > >
> > > As far as I know it reads the plain text from .pgpass, we need to modify
> > > it
> > > to search within the alternate format as well.
> >
> > We are using the original .pgpass file that is in 0600 mode ( have access
> > only to root)
> > If the file does not have this mode , it is ignored by Postgres
> > I see no security issue in that ...
> >
> > Please see details in
> > http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
>
> I am going to drop the .pgpass file in favor of other configuration file and
> produce .pgpass on will.
> This is because:
> 1. The proprietary format of .pgpass is not friendly to parsing.
> 2. It does not hold the SSL setting.
> 3. It does not hold the SSL host validation setting.
> 4. It will be more difficult to modify user password.
>
> This file is also 0600 owned by engine but in key=value format, so no change
> as far as security is concerned.
That's OK from my point ....
>
> Thanks!
> Alon.
>
> >
> >
> >
> > >
> > > Thanks,
> > > Alon
> > > _______________________________________________
> > > Engine-devel mailing list
> > > Engine-devel at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > >
> >
>
More information about the Engine-devel
mailing list