[Openstack-security] [Bug 1541122] Re: Vanilla plugin uses hardcoded password for Oozie MySQL database user

OpenStack Infra 1541122 at bugs.launchpad.net
Tue Aug 2 13:01:49 UTC 2016 

Reviewed:  https://review.openstack.org/325897
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=d29b4cfd04e201500e861086e86274a443243eba
Submitter: Jenkins
Branch:    master

commit d29b4cfd04e201500e861086e86274a443243eba
Author: Mikhail Lelyakin <mlelyakin at mirantis.com>
Date:   Mon Jun 6 15:49:40 2016 +0300

    Remove hardcoded password for Oozie service
    
    Change will correct the oozie configuration to use a random
    password instead of the hardcoded one currently in use.
    Closes-bug: 1541122
    Change-Id: I31c54aefc3c3ac65d928d9892be485ac754b6b10


** Changed in: sahara
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1541122

Title:
  Vanilla plugin uses hardcoded password for Oozie MySQL database user

Status in OpenStack Security Advisory:
  Won't Fix
Status in Sahara:
  Fix Released

Bug description:
  When deploying clusters with the vanilla plugin, the Oozie[1]
  application must be configured to use a database for storing data
  related to the scheduling, running, and processing of Hadoop jobs.
  Oozie is the primary scheduler for jobs entering the Hadoop ecosystem
  through the vanilla plugin.

  Sahara configures the credentials for Oozie to access its database,
  this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py
  [2].  These credentials are hardcoded, and use a weak password.

  An intruder with access to the nodes of a cluster that is created by
  sahara with the vanilla plugin will have access to the database that
  backs the Oozie installation. With this access, the intruder could
  change the operational effects of Oozie to produce results other than
  expected, for example inserting new jobs or altering configurations
  associated with currently running jobs.

  As sahara has ultimate control over the deployment and configuration
  of Oozie on nodes deployed in its clusters, this hardcoded password
  should be changed in favor of a random password that will be generated
  uniquely for each deployed cluster. Oozie uses the values associated
  with the configurations defined in [2] to create the credentials, this
  means that the change should be a matter of simply changing the source
  valueof the password for the Oozie user.

  [1]: https://oozie.apache.org/
  [2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions

More information about the Openstack-security mailing list