Bug 1364576

Summary: [OSP13] Password not required to login as root to MariaDB on the Undercloud
Product: Red Hat OpenStack
Component: instack-undercloud
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Keywords: Triaged
Target Milestone: beta
Target Release: 13.0 (Queens)
Fixed In Version: instack-undercloud-8.1.1-0.20180117134321.el7ost
Reporter: Dan Yasny <dyasny>
Assignee: James Slagle <jslagle>
QA Contact: pkomarov
CC: chjones, dbecker, dciabrin, dyasny, fdinitto, jason.dobies, jschluet, mbayer, mburns, michele, morazi, nkinder, rhel-osp-director-maint, sclewis, tvignaud, ushkalim
Doc Type: If docs needed, set a value
Clones: 1534550 1534552 1534558
Bug Blocks: 1534550, 1534552, 1534558
Type: Bug
Last Closed: 2018-06-27 13:26:26 UTC

Description Dan Yasny 2016-08-05 19:30:41 UTC
Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1323305 was open about the lack of password set on mariadb on the overcloud, however during the verification, it turned out that on the undercloud, the DB is also wide open:

[stack@instack ~]$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5978
Server version: 5.5.47-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password from mysql.user where user like 'root'; 
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+
4 rows in set (0.00 sec)



Version-Release number of selected component (if applicable):
mariadb-libs-5.5.47-1.el7_2.x86_64
mariadb-5.5.47-1.el7_2.x86_64
mariadb-server-5.5.47-1.el7_2.x86_64
openstack-tripleo-0.0.8-0.2.d81bd6dgit.el7ost.noarch
openstack-sahara-4.0.1-2.el7ost.noarch
openstack-swift-2.7.0-2.el7ost.noarch
openstack-tempest-10.0.0-2.b4a056dgit.el7ost.noarch
openstack-swift-container-2.7.0-2.el7ost.noarch
openstack-aodh-listener-2.0.3-2.el7ost.noarch
openstack-aodh-evaluator-2.0.3-2.el7ost.noarch
openstack-nova-compute-13.1.0-4.el7ost.noarch
openstack-heat-common-6.0.0-8.el7ost.noarch
openstack-neutron-8.1.2-1.el7ost.noarch
openstack-nova-api-13.1.0-4.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-6.el7ost.noarch
openstack-zaqar-2.0.1-0.20160621211345.9fdbcfc.el7ost.noarch
openstack-cinder-8.0.0-4.el7ost.noarch
openstack-heat-engine-6.0.0-8.el7ost.noarch
openstack-swift-proxy-2.7.0-2.el7ost.noarch
openstack-neutron-common-8.1.2-1.el7ost.noarch
openstack-ceilometer-common-6.1.3-2.el7ost.noarch
openstack-sahara-api-4.0.1-2.el7ost.noarch
openstack-tripleo-common-2.0.0-7.el7ost.noarch
openstack-ironic-api-5.1.2-3.el7ost.noarch
openstack-puppet-modules-8.1.7-1.el7ost.noarch
openstack-ceilometer-notification-6.1.3-2.el7ost.noarch
openstack-ceilometer-collector-6.1.3-2.el7ost.noarch
openstack-ceilometer-polling-6.1.3-2.el7ost.noarch
python-openstacksdk-0.8.3-1.el7ost.noarch
openstack-tripleo-heat-templates-2.0.0-26.el7ost.noarch
openstack-nova-conductor-13.1.0-4.el7ost.noarch
openstack-sahara-common-4.0.1-2.el7ost.noarch
openstack-keystone-9.0.2-1.el7ost.noarch
openstack-nova-scheduler-13.1.0-4.el7ost.noarch
openstack-nova-cells-13.1.0-4.el7ost.noarch
openstack-ceilometer-api-6.1.3-2.el7ost.noarch
openstack-ironic-inspector-3.2.2-4.el7ost.noarch
openstack-neutron-openvswitch-8.1.2-1.el7ost.noarch
openstack-heat-api-6.0.0-8.el7ost.noarch
openstack-swift-object-2.7.0-2.el7ost.noarch
openstack-aodh-notifier-2.0.3-2.el7ost.noarch
openstack-tripleo-puppet-elements-2.0.0-4.el7ost.noarch
openstack-ceilometer-central-6.1.3-2.el7ost.noarch
openstack-neutron-ml2-8.1.2-1.el7ost.noarch
openstack-heat-api-cfn-6.0.0-8.el7ost.noarch
openstack-nova-common-13.1.0-4.el7ost.noarch
openstack-nova-console-13.1.0-4.el7ost.noarch
openstack-sahara-engine-4.0.1-2.el7ost.noarch
openstack-nova-novncproxy-13.1.0-4.el7ost.noarch
openstack-swift-account-2.7.0-2.el7ost.noarch
openstack-ironic-conductor-5.1.2-3.el7ost.noarch
openstack-aodh-common-2.0.3-2.el7ost.noarch
openstack-selinux-0.7.3-3.el7ost.noarch
openstack-utils-2015.2-1.el7ost.noarch
openstack-glance-12.0.0-1.el7ost.noarch
openstack-heat-templates-0-0.3.96a0b0bgit.el7ost.noarch
openstack-nova-cert-13.1.0-4.el7ost.noarch
python-openstackclient-2.2.0-1.el7ost.noarch
openstack-nova-13.1.0-4.el7ost.noarch
openstack-aodh-api-2.0.3-2.el7ost.noarch
openstack-swift-plugin-swift3-1.10-1.el7ost.noarch
openstack-ironic-common-5.1.2-3.el7ost.noarch
openstack-nova-network-13.1.0-4.el7ost.noarch
openstack-tripleo-heat-templates-liberty-2.0.0-26.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
1. deploy osp 9
2. login to the undercloud machine
3. run mysql -u root

Actual results:
you get logged into the db without a password; no passwords are set for root

Expected results:

password to be required for db access

Additional info:

Comment 2 Michele Baldessari 2016-08-08 15:15:37 UTC
So on both liberty and mitaka the mysql port is firewalled off so only access from the undercloud itself is allowed:

Interestingly enough on newton it is open again on the undercloud:
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW

This is not to say that we should not look into it, just that the exposed surface is limited to having access to the undercloud already (pending confirmation about mitaka). I will look at the newton bits so that we do not release it without that port being open (I think it happened when we switched to use mysql via the puppet-tripleo profiles in the undercloud)

Comment 3 Dan Yasny 2016-08-08 15:20:09 UTC
(In reply to Michele Baldessari from comment #2)
> So on both liberty and mitaka the mysql port is firewalled off so only
> access from the undercloud itself is allowed:
> 
> Interestingly enough on newton it is open again on the undercloud:
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
> 0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104
> mysql galera */ state NEW
> 
> This is not to say that we should not look into it, just that the exposed
> surface
> is limited to having access to the undercloud already (pending confirmation
> about mitaka). I will look at the newton bits so that we do not release it
> without that port being open (I think it happened when we switched to use
> mysql via the puppet-tripleo profiles in the undercloud)

A customer might disable the firewall for whatever reason, so I think we do need to enable all reasonable security
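The two checks discussed in the description and in comments 2 and 3 (accounts in mysql.user with an empty password, and whether tcp/3306 is accepted from anything other than loopback in the INPUT chain) can be scripted so they run the same way on every undercloud. The helper below is an added example for this page, not code from the bug, from instack-undercloud or from the fix shipped in instack-undercloud-8.1.1; the function names, the NEW_DB_PASSWORD variable and the sample rows and iptables rule are assumptions made for the example, and the generated SET PASSWORD statements are one plain remediation, not a description of how the package fixed it.

```shell
#!/bin/sh
# Added audit helper (example, not from the bug or from instack-undercloud).
# Check 1: which mysql.user accounts have an empty password (the reporter's SELECT).
# Check 2: does any INPUT ACCEPT rule admit tcp/3306 from a non-loopback source
#          (the multiport rule quoted in comment 2).
# Assumptions: function names, NEW_DB_PASSWORD and the sample data below are
# made up for this example; the live commands need the mysql client and root.

# Input rows are tab-separated, as produced by:
#   mysql -N -B -e "SELECT user,host,password FROM mysql.user"
# MariaDB 5.5 keeps the hash in `password`; MariaDB 10.4+ moved it to
# `authentication_string`, so change the column there.
# Prints one "user@host" line per account whose password column is empty.
find_passwordless_accounts() {
    awk -F'\t' '$3 == "" { print $1 "@" $2 }'
}

# Reads "user@host" lines on stdin and emits MariaDB 5.5 SET PASSWORD
# statements using NEW_DB_PASSWORD, to be piped into `mysql -u root`.
# Single quotes in user, host and password are doubled so they cannot
# terminate the SQL literal.
remediation_sql() {
    [ -n "${NEW_DB_PASSWORD:-}" ] || { echo "NEW_DB_PASSWORD is not set" >&2; return 1; }
    pw=$(printf '%s' "$NEW_DB_PASSWORD" | sed "s/'/''/g")
    while IFS= read -r acct; do
        user=$(printf '%s' "$acct" | sed "s/@.*//; s/'/''/g")
        host=$(printf '%s' "$acct" | sed "s/^[^@]*@//; s/'/''/g")
        printf "SET PASSWORD FOR '%s'@'%s' = PASSWORD('%s');\n" "$user" "$host" "$pw"
    done
}

# Reads `iptables -S INPUT` output on stdin. Returns 0 (exposed) if an ACCEPT
# rule for tcp/3306 exists whose source is not 127.0.0.1 or ::1. Handles both
# `--dport 3306` and multiport `--dports ...,3306,...`; it does not parse port
# ranges (e.g. 3300:3310) and does not check the chain policy, so a chain with
# policy ACCEPT and no rules is reported as not exposed. Treat it as a hint.
mysql_port_exposed() {
    grep -E -- '^-A INPUT .*-p tcp .*-j ACCEPT' \
    | grep -E -- '--dport 3306( |$)|--dports ([0-9]+,)*3306(,| |$)' \
    | grep -vqE -- ' -s (127\.0\.0\.1|::1)(/[0-9]+)? '
}

# Constructed sample data for the stand-alone demo (not captured from a system).
# The third row has a fake, shortened hash so it is not reported.
SAMPLE_USERS=$(printf 'root\tlocalhost\t\nroot\t127.0.0.1\t\nkeystone\t%%\t*8F5C0E4A5B\n')
SAMPLE_RULES='-A INPUT -p tcp -m multiport --dports 873,3306,4444,4567,4568,9200 -m comment --comment "104 mysql galera" -m state --state NEW -j ACCEPT'

run_demo() {
    echo "accounts without a password (sample data):"
    printf '%s\n' "$SAMPLE_USERS" | find_passwordless_accounts
    if printf '%s\n' "$SAMPLE_RULES" | mysql_port_exposed; then
        echo "tcp/3306 is accepted from non-loopback sources (sample rule)"
    fi
}

# Live mode on the undercloud:  sudo sh audit_db.sh --live
if [ "${1:-}" = "--live" ]; then
    mysql -N -B -e "SELECT user,host,password FROM mysql.user" | find_passwordless_accounts
    iptables -S INPUT | mysql_port_exposed && echo "tcp/3306 is accepted from non-loopback sources"
else
    run_demo
fi
```

In live mode, pipe the account list through `remediation_sql` once NEW_DB_PASSWORD is set, review the statements, then feed them to `mysql -u root`; after that, rerun the script and expect no accounts listed and, as in comment 15, `ERROR 1045 (28000): Access denied` for a passwordless `mysql -u root -p`.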

Comment 15 pkomarov 2018-02-15 08:55:40 UTC
Verified,

$ whoami
stack

$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 13.0 Beta (Queens)

$ rpm -qa|grep instack-undercloud-8.1.1-0.20180117134321
instack-undercloud-8.1.1-0.20180117134321.el7ost.noarch

$ mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Comment 19 errata-xmlrpc 2018-06-27 13:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086