Description of problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1323305 was opened about the lack of a password set on MariaDB on the overcloud; however, during the verification it turned out that on the undercloud the DB is also wide open:

[stack@instack ~]$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5978
Server version: 5.5.47-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password from mysql.user where user like 'root';
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+
4 rows in set (0.00 sec)

Version-Release number of selected component (if applicable):
mariadb-libs-5.5.47-1.el7_2.x86_64
mariadb-5.5.47-1.el7_2.x86_64
mariadb-server-5.5.47-1.el7_2.x86_64
openstack-tripleo-0.0.8-0.2.d81bd6dgit.el7ost.noarch
openstack-sahara-4.0.1-2.el7ost.noarch
openstack-swift-2.7.0-2.el7ost.noarch
openstack-tempest-10.0.0-2.b4a056dgit.el7ost.noarch
openstack-swift-container-2.7.0-2.el7ost.noarch
openstack-aodh-listener-2.0.3-2.el7ost.noarch
openstack-aodh-evaluator-2.0.3-2.el7ost.noarch
openstack-nova-compute-13.1.0-4.el7ost.noarch
openstack-heat-common-6.0.0-8.el7ost.noarch
openstack-neutron-8.1.2-1.el7ost.noarch
openstack-nova-api-13.1.0-4.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-6.el7ost.noarch
openstack-zaqar-2.0.1-0.20160621211345.9fdbcfc.el7ost.noarch
openstack-cinder-8.0.0-4.el7ost.noarch
openstack-heat-engine-6.0.0-8.el7ost.noarch
openstack-swift-proxy-2.7.0-2.el7ost.noarch
openstack-neutron-common-8.1.2-1.el7ost.noarch
openstack-ceilometer-common-6.1.3-2.el7ost.noarch
openstack-sahara-api-4.0.1-2.el7ost.noarch
openstack-tripleo-common-2.0.0-7.el7ost.noarch
openstack-ironic-api-5.1.2-3.el7ost.noarch
openstack-puppet-modules-8.1.7-1.el7ost.noarch
openstack-ceilometer-notification-6.1.3-2.el7ost.noarch
openstack-ceilometer-collector-6.1.3-2.el7ost.noarch
openstack-ceilometer-polling-6.1.3-2.el7ost.noarch
python-openstacksdk-0.8.3-1.el7ost.noarch
openstack-tripleo-heat-templates-2.0.0-26.el7ost.noarch
openstack-nova-conductor-13.1.0-4.el7ost.noarch
openstack-sahara-common-4.0.1-2.el7ost.noarch
openstack-keystone-9.0.2-1.el7ost.noarch
openstack-nova-scheduler-13.1.0-4.el7ost.noarch
openstack-nova-cells-13.1.0-4.el7ost.noarch
openstack-ceilometer-api-6.1.3-2.el7ost.noarch
openstack-ironic-inspector-3.2.2-4.el7ost.noarch
openstack-neutron-openvswitch-8.1.2-1.el7ost.noarch
openstack-heat-api-6.0.0-8.el7ost.noarch
openstack-swift-object-2.7.0-2.el7ost.noarch
openstack-aodh-notifier-2.0.3-2.el7ost.noarch
openstack-tripleo-puppet-elements-2.0.0-4.el7ost.noarch
openstack-ceilometer-central-6.1.3-2.el7ost.noarch
openstack-neutron-ml2-8.1.2-1.el7ost.noarch
openstack-heat-api-cfn-6.0.0-8.el7ost.noarch
openstack-nova-common-13.1.0-4.el7ost.noarch
openstack-nova-console-13.1.0-4.el7ost.noarch
openstack-sahara-engine-4.0.1-2.el7ost.noarch
openstack-nova-novncproxy-13.1.0-4.el7ost.noarch
openstack-swift-account-2.7.0-2.el7ost.noarch
openstack-ironic-conductor-5.1.2-3.el7ost.noarch
openstack-aodh-common-2.0.3-2.el7ost.noarch
openstack-selinux-0.7.3-3.el7ost.noarch
openstack-utils-2015.2-1.el7ost.noarch
openstack-glance-12.0.0-1.el7ost.noarch
openstack-heat-templates-0-0.3.96a0b0bgit.el7ost.noarch
openstack-nova-cert-13.1.0-4.el7ost.noarch
python-openstackclient-2.2.0-1.el7ost.noarch
openstack-nova-13.1.0-4.el7ost.noarch
openstack-aodh-api-2.0.3-2.el7ost.noarch
openstack-swift-plugin-swift3-1.10-1.el7ost.noarch
openstack-ironic-common-5.1.2-3.el7ost.noarch
openstack-nova-network-13.1.0-4.el7ost.noarch
openstack-tripleo-heat-templates-liberty-2.0.0-26.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1. deploy osp 9
2. login to the undercloud machine
3. run mysql -u root

Actual results:
you get logged into the db without a password; no passwords are set for root

Expected results:
password to be required for db access

Additional info:
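An audit check for the condition the reporter found, added here as an example; it is not part of the bug report or of TripleO/instack-undercloud. It parses the box-style table the mysql client prints (interactively, or with --table) for a query such as `select user,host,password from mysql.user`, lists accounts whose stored credential is empty, and emits the 5.5-era `SET PASSWORD` statements an operator would review before applying. The `authentication_string` and `plugin` column handling is an assumption about newer MariaDB releases (socket-authenticated accounts have no password hash but are not open); the sample table is the one from the description above.

```python
"""Audit a MariaDB/MySQL user table for password-less accounts.

Added example (not from the bug report or from TripleO). Feed it the table
output of:  mysql -u root --table -e "SELECT user,host,password FROM mysql.user"
"""

# Constructed sample: the undercloud output quoted in the bug description.
SAMPLE_OUTPUT = """\
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+
4 rows in set (0.00 sec)
"""

# Assumption: socket-based auth plugins store no hash but let the OS decide
# who may connect, so an empty credential there is not a finding.
SOCKET_AUTH_PLUGINS = {"unix_socket", "auth_socket"}


def parse_mysql_table(text):
    """Turn mysql client box-table output into a list of row dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border lines, "N rows in set", prompts
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def passwordless_accounts(rows):
    """Return (user, host) pairs that can authenticate with no password.

    Uses the 5.5-era 'password' column, falling back to the newer
    'authentication_string'; a row counts only if the stored credential is
    empty AND the auth plugin is not a socket plugin.
    """
    findings = []
    for row in rows:
        secret = row.get("password", row.get("authentication_string", ""))
        plugin = row.get("plugin", "")
        if secret == "" and plugin not in SOCKET_AUTH_PLUGINS:
            findings.append((row["user"], row["host"]))
    return findings


def remediation_statements(findings):
    """SET PASSWORD statements for operator review; password is a placeholder."""
    template = "SET PASSWORD FOR '{}'@'{}' = PASSWORD('<REPLACE_WITH_STRONG_PASSWORD>');"
    return [template.format(user, host) for user, host in findings]


if __name__ == "__main__":
    hits = passwordless_accounts(parse_mysql_table(SAMPLE_OUTPUT))
    for user, host in hits:
        print("password-less account: '{}'@'{}'".format(user, host))
    for statement in remediation_statements(hits):
        print(statement)
```

Run against the sample it reports all four root entries; in a real audit, anonymous accounts (empty `user`) and wildcard hosts (`%`) deserve the same scrutiny, and the generated statements are a starting point for review, not something to pipe straight back into the client.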
So on both liberty and mitaka the mysql port is firewalled off, so only access from the undercloud itself is allowed.

Interestingly enough, on newton it is open again on the undercloud:

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW

This is not to say that we should not look into it, just that the exposed surface is limited to having access to the undercloud already (pending confirmation about mitaka). I will look at the newton bits so that we do not release it without that port being open (I think it happened when we switched to use mysql via the puppet-tripleo profiles in the undercloud).
(In reply to Michele Baldessari from comment #2)
> So on both liberty and mitaka the mysql port is firewalled off so only
> access from the undercloud itself is allowed:
>
> Interestingly enough on newton it is open again on the undercloud:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
>
> This is not to say that we should not look into it, just that the exposed
> surface is limited to having access to the undercloud already (pending
> confirmation about mitaka). I will look at the newton bits so that we do not
> release it without that port being open (I think it happened when we
> switched to use mysql via the puppet-tripleo profiles in the undercloud)

A customer might disable the firewall for whatever reason, so I think we do need to enable all reasonable security.
Verified.

$ whoami
stack
$ cat /etc/rhosp-release
Red Hat OpenStack Platform release 13.0 Beta (Queens)
$ rpm -qa|grep instack-undercloud-8.1.1-0.20180117134321
instack-undercloud-8.1.1-0.20180117134321.el7ost.noarch
$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086