Description
Yurii Prokulevych
2015-08-06 13:11:08 UTC
Description of problem:
MongoDB instances running in the overcloud can be accessed by anyone who knows their IPs, and access to the DBs is not restricted.
mongo --host 192.0.2.22
MongoDB shell version: 2.6.9
connecting to: 192.0.2.22:27017/test
Server has startup warnings:
2015-08-06T05:50:02.820-0400 [initandlisten]
2015-08-06T05:50:02.820-0400 [initandlisten] ** WARNING: Readahead for /var/lib/mongodb is set to 4096KB
2015-08-06T05:50:02.820-0400 [initandlisten] ** We suggest setting it to 256KB (512 sectors) or less
2015-08-06T05:50:02.820-0400 [initandlisten] ** http://dochub.mongodb.org/core/readahead
tripleo:PRIMARY> use ceilometer
switched to db ceilometer
tripleo:PRIMARY> db.getUsers()
[ ]
tripleo:PRIMARY> show collections
alarm
alarm_history
event
meter
resource
system.indexes
tripleo:PRIMARY>
---
grep '^connection' /etc/ceilometer/ceilometer.conf
connection=mongodb://192.0.2.22:27017,192.0.2.19:27017,192.0.2.21:27017/ceilometer?replicaSet=tripleo
Version-Release number of selected component (if applicable):
=======
openstack-heat-api-cfn-2015.1.0-5.el7ost.noarch
openstack-heat-api-cloudwatch-2015.1.0-5.el7ost.noarch
python-heatclient-0.6.0-1.el7ost.noarch
heat-cfntools-1.2.8-2.el7.noarch
openstack-heat-templates-0-0.6.20150605git.el7ost.noarch
openstack-tripleo-heat-templates-0.8.6-45.el7ost.noarch
openstack-heat-engine-2015.1.0-5.el7ost.noarch
openstack-heat-api-2015.1.0-5.el7ost.noarch
openstack-heat-common-2015.1.0-5.el7ost.noarch
openstack-ceilometer-notification-2015.1.0-10.el7ost.noarch
openstack-ceilometer-alarm-2015.1.0-10.el7ost.noarch
openstack-ceilometer-common-2015.1.0-10.el7ost.noarch
python-ceilometerclient-1.0.13-1.el7ost.noarch
openstack-ceilometer-collector-2015.1.0-10.el7ost.noarch
openstack-ceilometer-api-2015.1.0-10.el7ost.noarch
openstack-ceilometer-central-2015.1.0-10.el7ost.noarch
python-ceilometer-2015.1.0-10.el7ost.noarch
Expected results:
===
MongoDB instances are configured with a dedicated ceilometer user, and the 'connection' option in ceilometer.conf is updated accordingly:
connection=mongodb://ceilometer:<PASSWORD>@192.0.2.22:27017,192.0.2.19:27017,192.0.2.21:27017/ceilometer?replicaSet=tripleo
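An added audit check, not part of the bug report or of the ceilometer/TripleO code, that parses the 'connection' option from ceilometer.conf and flags a MongoDB URI carrying no credentials (the weak form reported above) versus the expected authenticated form. The configuration fragments and the password value are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample ceilometer.conf fragments: the first mirrors the
# unauthenticated connection string from the report, the second the
# expected hardened form (user/password are placeholders).
WEAK_CONF = """[database]
connection=mongodb://192.0.2.22:27017,192.0.2.19:27017,192.0.2.21:27017/ceilometer?replicaSet=tripleo
"""
HARDENED_CONF = """[database]
connection=mongodb://ceilometer:s3cret@192.0.2.22:27017,192.0.2.19:27017,192.0.2.21:27017/ceilometer?replicaSet=tripleo
"""

# mongodb://[user[:password]@]host1[:port][,host2...][/db][?opt=val&...]
URI_RE = re.compile(
    r"^mongodb://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<hosts>[^/?]+)(?:/(?P<db>[^?]*))?(?:\?(?P<opts>.*))?$"
)

def parse_mongo_uri(uri):
    """Split a mongodb:// URI into credentials, host list, database and options."""
    m = URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a mongodb:// URI")
    hosts = [h for h in m.group("hosts").split(",") if h]
    opts = dict(kv.split("=", 1) for kv in (m.group("opts") or "").split("&") if "=" in kv)
    return {
        "user": unquote(m.group("user")) if m.group("user") else None,
        "password": unquote(m.group("password")) if m.group("password") is not None else None,
        "hosts": hosts,
        "db": m.group("db") or None,
        "opts": opts,
    }

def audit_ceilometer_conf(conf_text):
    """Return a list of findings for the 'connection' option; empty means no issue found."""
    findings = []
    m = re.search(r"^connection\s*=\s*(\S+)", conf_text, re.MULTILINE)
    if not m:
        return ["no 'connection' option found"]
    uri = parse_mongo_uri(m.group(1))
    if uri["user"] is None:
        findings.append("connection string carries no credentials; MongoDB is used unauthenticated")
    elif not uri["password"]:
        findings.append("user %s has an empty password" % uri["user"])
    if uri["db"] != "ceilometer":
        findings.append("unexpected auth database %r" % uri["db"])
    if "replicaSet" not in uri["opts"]:
        findings.append("replicaSet option missing")
    return findings
```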
The OpenShift 7 installer doesn't yet allow easy setup or authentication for ceilometer/mongodb. However the standard production install process (Network ISO) does allow the creation of an isolated network, which would prevent exploitation of this issue. The other installation methods (e.g. non Network ISO) are not intended for production use but instead for testing/proof of concept/etc. As such this issue is considered a security hardening issue and not a security vulnerability, so a CVE will not be assigned and the full security process will not be needed.
Leaving this issue open as per mburns so they can track it and deal with it.