[Openstack-security] [Bug 1541122] Re: Vanilla plugin uses hardcoded password for Oozie MySQL database user
Tristan Cacqueray
tdecacqu at redhat.com
Wed May 4 13:27:54 UTC 2016
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
When deploying clusters with the vanilla plugin, the Oozie[1]
application must be configured to use a database for storing data
related to the scheduling, running, and processing of Hadoop jobs. Oozie
is the primary scheduler for jobs entering the Hadoop ecosystem through
the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this
can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2].
These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by
sahara with the vanilla plugin will have access to the database that
backs the Oozie installation. With this access, the intruder could
change the operational effects of Oozie to produce results other than
expected, for example inserting new jobs or altering configurations
associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of
Oozie on nodes deployed in its clusters, this hardcoded password should
be changed in favor of a random password that will be generated uniquely
for each deployed cluster. Oozie uses the values associated with the
configurations defined in [2] to create the credentials, this means that
the change should be a matter of simply changing the source valueof the
password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1541122
Title:
Vanilla plugin uses hardcoded password for Oozie MySQL database user
Status in OpenStack Security Advisory:
Incomplete
Status in Sahara:
In Progress
Status in Sahara liberty series:
Confirmed
Status in Sahara mitaka series:
In Progress
Bug description:
When deploying clusters with the vanilla plugin, the Oozie[1]
application must be configured to use a database for storing data
related to the scheduling, running, and processing of Hadoop jobs.
Oozie is the primary scheduler for jobs entering the Hadoop ecosystem
through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database,
this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py
[2]. These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by
sahara with the vanilla plugin will have access to the database that
backs the Oozie installation. With this access, the intruder could
change the operational effects of Oozie to produce results other than
expected, for example inserting new jobs or altering configurations
associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration
of Oozie on nodes deployed in its clusters, this hardcoded password
should be changed in favor of a random password that will be generated
uniquely for each deployed cluster. Oozie uses the values associated
with the configurations defined in [2] to create the credentials, this
means that the change should be a matter of simply changing the source
valueof the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1541122/+subscriptions
More information about the Openstack-security
mailing list