Bug 1364576 - [OSP13] Password not required to login as root to MariaDB on the Undercloud
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 9.0 (Mitaka)
Hardware: x86_64 Linux
Priority: medium, Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assigned To: James Slagle
QA Contact: pkomarov
Keywords: Triaged
Depends On:
Blocks: 1534550 1534552 1534558
Reported: 2016-08-05 15:30 EDT by Dan Yasny
Modified: 2018-06-27 09:26 EDT
Fixed In Version: instack-undercloud-8.1.1-0.20180117134321.el7ost
Clones: 1534550 1534552 1534558
Last Closed: 2018-06-27 09:26:26 EDT
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Launchpad | 1742191 | None | None | None | 2018-01-09 12:01 EST
OpenStack gerrit | 532221 | None | master: MERGED | instack-undercloud: Set password for mysql root user on undercloud (I408ce3a0fe2ab8e86bcc280256cdb51688efde75) | 2018-02-07 08:59 EST
Red Hat Product Errata | RHEA-2018:2086 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 13.0 Enhancement Advisory | 2018-06-28 15:51:39 EDT

Description Dan Yasny 2016-08-05 15:30:41 EDT
Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1323305 was opened about the lack of a password set on MariaDB on the overcloud; however, during the verification, it turned out that on the undercloud the DB is also wide open:

[stack@instack ~]$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5978
Server version: 5.5.47-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password from mysql.user where user like 'root'; 
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+
4 rows in set (0.00 sec)



Version-Release number of selected component (if applicable):
mariadb-libs-5.5.47-1.el7_2.x86_64
mariadb-5.5.47-1.el7_2.x86_64
mariadb-server-5.5.47-1.el7_2.x86_64
openstack-tripleo-0.0.8-0.2.d81bd6dgit.el7ost.noarch
openstack-sahara-4.0.1-2.el7ost.noarch
openstack-swift-2.7.0-2.el7ost.noarch
openstack-tempest-10.0.0-2.b4a056dgit.el7ost.noarch
openstack-swift-container-2.7.0-2.el7ost.noarch
openstack-aodh-listener-2.0.3-2.el7ost.noarch
openstack-aodh-evaluator-2.0.3-2.el7ost.noarch
openstack-nova-compute-13.1.0-4.el7ost.noarch
openstack-heat-common-6.0.0-8.el7ost.noarch
openstack-neutron-8.1.2-1.el7ost.noarch
openstack-nova-api-13.1.0-4.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-6.el7ost.noarch
openstack-zaqar-2.0.1-0.20160621211345.9fdbcfc.el7ost.noarch
openstack-cinder-8.0.0-4.el7ost.noarch
openstack-heat-engine-6.0.0-8.el7ost.noarch
openstack-swift-proxy-2.7.0-2.el7ost.noarch
openstack-neutron-common-8.1.2-1.el7ost.noarch
openstack-ceilometer-common-6.1.3-2.el7ost.noarch
openstack-sahara-api-4.0.1-2.el7ost.noarch
openstack-tripleo-common-2.0.0-7.el7ost.noarch
openstack-ironic-api-5.1.2-3.el7ost.noarch
openstack-puppet-modules-8.1.7-1.el7ost.noarch
openstack-ceilometer-notification-6.1.3-2.el7ost.noarch
openstack-ceilometer-collector-6.1.3-2.el7ost.noarch
openstack-ceilometer-polling-6.1.3-2.el7ost.noarch
python-openstacksdk-0.8.3-1.el7ost.noarch
openstack-tripleo-heat-templates-2.0.0-26.el7ost.noarch
openstack-nova-conductor-13.1.0-4.el7ost.noarch
openstack-sahara-common-4.0.1-2.el7ost.noarch
openstack-keystone-9.0.2-1.el7ost.noarch
openstack-nova-scheduler-13.1.0-4.el7ost.noarch
openstack-nova-cells-13.1.0-4.el7ost.noarch
openstack-ceilometer-api-6.1.3-2.el7ost.noarch
openstack-ironic-inspector-3.2.2-4.el7ost.noarch
openstack-neutron-openvswitch-8.1.2-1.el7ost.noarch
openstack-heat-api-6.0.0-8.el7ost.noarch
openstack-swift-object-2.7.0-2.el7ost.noarch
openstack-aodh-notifier-2.0.3-2.el7ost.noarch
openstack-tripleo-puppet-elements-2.0.0-4.el7ost.noarch
openstack-ceilometer-central-6.1.3-2.el7ost.noarch
openstack-neutron-ml2-8.1.2-1.el7ost.noarch
openstack-heat-api-cfn-6.0.0-8.el7ost.noarch
openstack-nova-common-13.1.0-4.el7ost.noarch
openstack-nova-console-13.1.0-4.el7ost.noarch
openstack-sahara-engine-4.0.1-2.el7ost.noarch
openstack-nova-novncproxy-13.1.0-4.el7ost.noarch
openstack-swift-account-2.7.0-2.el7ost.noarch
openstack-ironic-conductor-5.1.2-3.el7ost.noarch
openstack-aodh-common-2.0.3-2.el7ost.noarch
openstack-selinux-0.7.3-3.el7ost.noarch
openstack-utils-2015.2-1.el7ost.noarch
openstack-glance-12.0.0-1.el7ost.noarch
openstack-heat-templates-0-0.3.96a0b0bgit.el7ost.noarch
openstack-nova-cert-13.1.0-4.el7ost.noarch
python-openstackclient-2.2.0-1.el7ost.noarch
openstack-nova-13.1.0-4.el7ost.noarch
openstack-aodh-api-2.0.3-2.el7ost.noarch
openstack-swift-plugin-swift3-1.10-1.el7ost.noarch
openstack-ironic-common-5.1.2-3.el7ost.noarch
openstack-nova-network-13.1.0-4.el7ost.noarch
openstack-tripleo-heat-templates-liberty-2.0.0-26.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
1. deploy osp 9
2. login to the undercloud machine
3. run mysql -u root

Actual results:
you get logged into the db without a password; no passwords are set for root

Expected results:

password to be required for db access

Additional info:
Comment 2 Michele Baldessari 2016-08-08 11:15:37 EDT
So on both liberty and mitaka the mysql port is firewalled off so only access from the undercloud itself is allowed:

Interestingly enough on newton it is open again on the undercloud:
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW

This is not to say that we should not look into it, just that the exposed surface is limited to having access to the undercloud already (pending confirmation about mitaka). I will look at the newton bits so that we do not release it without that port being open (I think it happened when we switched to use mysql via the puppet-tripleo profiles in the undercloud)
Comment 3 Dan Yasny 2016-08-08 11:20:09 EDT
(In reply to Michele Baldessari from comment #2)
> So on both liberty and mitaka the mysql port is firewalled off so only
> access from the undercloud itself is allowed:
> 
> Interestingly enough on newton it is open again on the undercloud:
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
> 
> This is not to say that we should not look into it, just that the exposed
> surface
> is limited to having access to the undercloud already (pending confirmation
> about mitaka). I will look at the newton bits so that we do not release it
> without that port being open (I think it happened when we switched to use
> mysql via the puppet-tripleo profiles in the undercloud)

A customer might disable the firewall for whatever reason, so I think we do need to enable all reasonable security.
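
An audit of the two conditions discussed in the comments above, as an added example that is not part of the bug report or of instack-undercloud: it parses `mysql` client table output for empty-password accounts and `iptables -L -n -v` output for an ACCEPT rule covering 3306 from any source. The sample inputs are constructed from the outputs quoted here; the `app` account, the `lo` rule and the exposure labels are assumptions.

```python
import re

# Constructed sample input, modelled on the outputs quoted in this bug.
MYSQL_OUT = """\
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| app  | %                   | *CONSTRUCTED-HASH |
+------+---------------------+----------+"""
IPTABLES_OUT = """\
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
    0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_table(text):
    """Turn the mysql client's boxed table into a list of dicts."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in text.splitlines() if ln.lstrip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def port_open_to_any(rules, port=3306):
    """True if an explicit-port ACCEPT rule from 0.0.0.0/0 on a non-loopback
    interface covers `port` (columns as printed by `iptables -L -n -v`)."""
    for ln in rules.splitlines():
        f = ln.split()
        if len(f) < 9 or f[2] != "ACCEPT" or f[5] == "lo" or f[7] != "0.0.0.0/0":
            continue
        m = re.search(r"dpts?:(\S+)|dports (\S+)", ln)
        for part in (m.group(1) or m.group(2)).split(",") if m else []:
            lo, _, hi = part.partition(":")  # "a:b" is a port range
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def assess(mysql_text, rules):
    """Classify each empty-password account by what still stands in front of it."""
    out = []
    for r in parse_table(mysql_text):
        if r["password"]:
            continue
        if r["host"] in LOOPBACK:
            level = "loopback-only"
        else:  # hostname or wildcard grants can match TCP clients
            level = "port-open" if port_open_to_any(rules) else "firewalled"
        out.append((r["user"], r["host"], level))
    return out

if __name__ == "__main__":
    for finding in assess(MYSQL_OUT, IPTABLES_OUT):
        print(*finding)
```

Rules without an explicit destination port are not evaluated, so a blanket ACCEPT still needs a manual look.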
Comment 15 pkomarov 2018-02-15 03:55:40 EST
Verified,

$ whoami
stack

$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 13.0 Beta (Queens)

$ rpm -qa|grep instack-undercloud-8.1.1-0.20180117134321
instack-undercloud-8.1.1-0.20180117134321.el7ost.noarch

$  mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Comment 19 errata-xmlrpc 2018-06-27 09:26:26 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
