Bug 1322095

Summary: /etc/sysconfig/clustercheck should use clustercheck-specific account, not "root"
Product: Red Hat OpenStack
Reporter: Michael Bayer <mbayer>
Component: rhosp-director
Assignee: Michele Baldessari <michele>
Status: CLOSED CURRENTRELEASE
QA Contact: Arik Chernetsky <achernet>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0 (Liberty)
CC: dbecker, dciabrin, jcoufal, mburns, mcornea, michele, morazi, rhel-osp-director-maint
Target Milestone: ---
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-11 13:07:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Michael Bayer 2016-03-29 19:23:27 UTC
It seems the installer is placing the "root" username with a blank password into /etc/sysconfig/clustercheck.  This is a poor security practice as the root user has unlimited permissions and is also misleading to users who often change their root account password such that clustercheck no longer functions.

Best practice for /etc/sysconfig/clustercheck is that a user named "clustercheck" is created with any strong password; then, the account should be created in the Galera cluster as:

    GRANT USAGE ON *.* TO 'clustercheck'@'localhost' IDENTIFIED BY PASSWORD '<password>';

The above grant most likely needs to be established on each MariaDB node running individually, since the Galera cluster can't be started by pacemaker until /etc/sysconfig/clustercheck has a working login.   OTOH, if the Galera cluster is up and running through some other means, the above grant can be invoked on just one node and Galera will replicate it to the other nodes.
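
Added example (not part of the original report or of the installer's code): a shell check for the condition the description reports, a "root" login or a blank password in /etc/sysconfig/clustercheck. The MYSQL_USERNAME and MYSQL_PASSWORD variable names are an assumption about the file's layout, and the file-mode check goes one step beyond the report.

```shell
#!/usr/bin/env bash
# Audit a clustercheck sysconfig file for a root login or blank password.
# Assumption: the file holds shell-style MYSQL_USERNAME= / MYSQL_PASSWORD=
# assignments. The file is parsed, never sourced, so nothing in it executes.

# Print the value assigned to KEY in FILE (last assignment wins, quotes stripped).
cfg_value() {
    local key=$1 file=$2
    sed -n "s/^[[:space:]]*${key}=//p" "$file" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Print one FAIL line per finding.
# Returns 0 if clean, 1 if there are findings, 2 if the file cannot be read.
audit_clustercheck() {
    local file=$1 user pass mode findings=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    user=$(cfg_value MYSQL_USERNAME "$file")
    pass=$(cfg_value MYSQL_PASSWORD "$file")

    if [ "$user" = "root" ]; then
        echo "FAIL: health check logs in as root, not a dedicated account"
        findings=1
    fi
    if [ -z "$pass" ]; then
        echo "FAIL: MYSQL_PASSWORD is blank or unset"
        findings=1
    fi

    # Once the file holds a real password, only its owner should read it.
    mode=$(stat -c '%a' "$file")
    case $mode in
        *00) ;;
        *) echo "FAIL: mode $mode lets non-owners read the password"
           findings=1 ;;
    esac
    return "$findings"
}

# Stand-alone use: ./audit.sh /etc/sysconfig/clustercheck
[ "$#" -eq 0 ] || audit_clustercheck "$1"
```

Run it on each controller node, since the description notes the account may have to be set up per node before pacemaker can start Galera.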

Comment 2 Mike Burns 2016-04-07 21:36:02 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.