Bug 1364576
Summary: | [OSP13] Password not required to login as root to MariaDB on the Undercloud | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Dan Yasny <dyasny> |
Component: | instack-undercloud | Assignee: | James Slagle <jslagle> |
Status: | CLOSED ERRATA | QA Contact: | pkomarov |
Severity: | high | Priority: | medium |
Version: | 9.0 (Mitaka) | CC: | chjones, dbecker, dciabrin, dyasny, fdinitto, jason.dobies, jschluet, mbayer, mburns, michele, morazi, nkinder, rhel-osp-director-maint, sclewis, tvignaud, ushkalim |
Target Milestone: | beta | Keywords: | Triaged |
Target Release: | 13.0 (Queens) | Hardware: | x86_64 |
OS: | Linux | Type: | Bug |
Fixed In Version: | instack-undercloud-8.1.1-0.20180117134321.el7ost | Doc Type: | If docs needed, set a value |
Last Closed: | 2018-06-27 13:26:26 UTC | Bug Blocks: | 1534550, 1534552, 1534558 |
Description
Dan Yasny
2016-08-05 19:30:41 UTC
So on both liberty and mitaka the mysql port is firewalled off so only access from the undercloud itself is allowed:

Interestingly enough on newton it is open again on the undercloud:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW

This is not to say that we should not look into it, just that the exposed surface is limited to having access to the undercloud already (pending confirmation about mitaka). I will look at the newton bits so that we do not release it without that port being open (I think it happened when we switched to use mysql via the puppet-tripleo profiles in the undercloud)

(In reply to Michele Baldessari from comment #2)
> So on both liberty and mitaka the mysql port is firewalled off so only
> access from the undercloud itself is allowed:
>
> Interestingly enough on newton it is open again on the undercloud:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
>
> This is not to say that we should not look into it, just that the exposed
> surface is limited to having access to the undercloud already (pending
> confirmation about mitaka). I will look at the newton bits so that we do not
> release it without that port being open (I think it happened when we switched
> to use mysql via the puppet-tripleo profiles in the undercloud)

A customer might disable the firewall for whatever reason, so I think we do need to enable all reasonable security

Verified,

$ whoami
stack
$ cat /etc/rhosp-release
Red Hat OpenStack Platform release 13.0 Beta (Queens)
$ rpm -qa|grep instack-undercloud-8.1.1-0.20180117134321
instack-undercloud-8.1.1-0.20180117134321.el7ost.noarch
$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
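An added example, not part of the bug report or of instack-undercloud: an audit helper that reads `iptables -nvL` output and reports ACCEPT rules that open the MariaDB/Galera ports from the rule quoted in the thread to any source address. The function names and every sample row except the first are constructed for illustration.

```python
import re

# Database/Galera ports taken from the rule quoted in the thread.
DB_PORTS = {3306, 4444, 4567, 4568}

# Constructed `iptables -nvL INPUT` rows. Row 1 is the rule quoted in the
# thread; the remaining rows are invented for contrast.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
 12 720 ACCEPT tcp -- * * 192.0.2.0/24 0.0.0.0/0 tcp dpt:3306 state NEW
 5 300 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4567
 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:4000:5000
"""


def rule_ports(extra):
    """Destination ports named by dpt:, dpts: or multiport dports matches."""
    specs = re.findall(r"\bdpts?:(\S+)", extra)
    for group in re.findall(r"\bmultiport dports (\S+)", extra):
        specs += group.split(",")
    ports = set()
    for spec in specs:
        lo, _, hi = spec.partition(":")  # "4000:5000" is a range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_db_rules(listing, db_ports=DB_PORTS):
    """Return (ports, rule) for ACCEPT rules opening db_ports to any source."""
    findings = []
    for line in listing.splitlines():
        f = line.split(None, 9)
        if len(f) < 10 or not re.fullmatch(r"\d+[KMGT]?", f[0]):
            continue  # chain header, column header, or rule with no match part
        target, proto, in_if, source, extra = f[2], f[3], f[5], f[7], f[9]
        if target != "ACCEPT" or proto != "tcp" or in_if == "lo":
            continue  # not an allow rule for non-loopback TCP
        if source != "0.0.0.0/0":
            continue  # restricted to a source network
        hit = sorted(rule_ports(extra) & db_ports)
        if hit:
            findings.append((hit, line.strip()))
    return findings


if __name__ == "__main__":
    for ports, rule in exposed_db_rules(SAMPLE):
        print("open to any source:", ports, "<-", rule)
```

The helper looks at each rule in isolation and does not model rule order, so an earlier DROP or REJECT in the chain can still shadow a rule it reports.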