RabbitMQ credentials exposed in /operations endpoint

Description

When sending a GET request to /operations, a list of all the operations for a specific tasks_graphs is returned.
In the list, some of the operations hold the cloudify_context object, which holds the RabbitMQ credentials required during runtime.
The /operations endpoint is accessible by almost all Cloudify roles.
The RabbitMQ credentials must be placed in a different place, either not accessible by any user or accessible only by the "sys_admin" and "manager" roles; the former should be preferred.

Steps to Reproduce

Environment:
OS (CLI), HA cluster, cloud provider
------------------------------------

Steps to reproduce:
------------------
1. Execute a workflow
2. Get a tasks_graph from this workflow through the /tasks_graphs endpoint
3. Get the operations of the task graph through the /operations endpoint
4. In the object returned, look for a "RemoteWorkflowTask" and look at "parameters->task_kwargs->cloudify_context->tenant"

Expected result:
---------------

Actual result:
-------------

Why Propose Close?

None

Activity

Ofer Yarom
July 7, 2019, 4:42 PM

We are trying to understand the mechanism behind this API allowing access to credentials. Can you please provide some info on how the agent contacts RabbitMQ and why this is needed?

Łukasz Maksymczuk
July 8, 2019, 2:39 PM

Nice find, hmm, perhaps indeed those values don't need to be stored there. They need to be available for resuming any tasks, but perhaps we can simply get them again from the caller. I'll check if it can be done.

They are currently stored there because this is just part of the operation context.

Btw, "sys_admin" and "manager" is too strict - by default, we also allow "operations" and "user" to view them, via the execution_start role (and possibly the operations_list/operations_get could also be taken away from "viewer"?)

Łukasz Maksymczuk
July 10, 2019, 9:42 AM

Moving to 5.0.5 after discussing w/ and

Łukasz Maksymczuk
August 5, 2019, 6:53 AM

Done by making the tenant credentials be accessed on demand via REST, not just sent with any operation context.

Done
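
An added example, not Cloudify's code and not part of the original ticket: a check that can be run over a saved /operations response to confirm that no credentials remain under the "parameters->task_kwargs->cloudify_context->tenant" path named in the report. The credential key names, the operation ids and all sample values are assumptions constructed for illustration.

```python
import copy

# Path named in the report: parameters -> task_kwargs -> cloudify_context -> tenant
CONTEXT_PATH = ("parameters", "task_kwargs", "cloudify_context", "tenant")
# Assumption: key-name fragments that mark a credential inside the tenant object.
SENSITIVE_FRAGMENTS = ("password", "username", "token", "secret")


def _tenant(operation):
    """Return the tenant dict stored in an operation's context, or None."""
    node = operation
    for key in CONTEXT_PATH:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def _sensitive_keys(tenant):
    return [k for k in tenant if any(f in k.lower() for f in SENSITIVE_FRAGMENTS)]


def find_leaks(operations):
    """Return (operation id, key) pairs where a credential is stored."""
    leaks = []
    for op in operations:
        tenant = _tenant(op)
        if tenant is not None:
            leaks.extend((op.get("id"), key) for key in _sensitive_keys(tenant))
    return leaks


def strip_credentials(operations):
    """Return a deep copy with credential keys removed from every tenant."""
    clean = copy.deepcopy(operations)
    for op in clean:
        tenant = _tenant(op)
        if tenant is not None:
            for key in _sensitive_keys(tenant):
                del tenant[key]
    return clean


# Constructed sample shaped after the report; all values are placeholders.
SAMPLE = [
    {"id": "op-1", "type": "RemoteWorkflowTask", "parameters": {"task_kwargs": {
        "cloudify_context": {"tenant": {"name": "default_tenant",
            "rabbitmq_username": "example-user", "rabbitmq_password": "example-pass"}}}}},
    {"id": "op-2", "type": "LocalWorkflowTask", "parameters": {}},
    {"id": "op-3", "type": "RemoteWorkflowTask", "parameters": {"task_kwargs": None}},
]
```

An empty result from `find_leaks` on a response captured after the fix is the regression signal; `strip_credentials` shows the shape a stored operation context should have once credentials are fetched on demand.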

Assignee

Łukasz Maksymczuk

Reporter

Ohad Baruch

Severity

Critical

Target Version

5.0.5

Premium Only

no

Found In Version

5.0

QA Owner

None

Bug Type

new feature bug

Customer Encountered

No

Customer Name

None

Release Notes

no

Priority

High

Priority

Critical