Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1458981

Summary: Postgresql user setup in install guide a security issue
Product: [JBoss] JBoss Operations Network
Reporter: Tyler Kelly <tkelly>
Component: Documentation
Assignee: Tyler Kelly <tkelly>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: urgent
Priority: urgent
Version: JON 3.3.8
CC: fbrychta, jshepherd
Target Milestone: post-GA
Keywords: Triaged
Target Release: JON 3.3.8
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-06-25 22:41:23 UTC
Type: Bug
Bug Depends On: 1373056

Description Tyler Kelly 2017-06-06 02:14:20 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Installation_Guide/setting-up-dbs.html#Database-PostgreSQL_Quick_Start_Installation

Section Number and Name: 
2.1.1. Configuring PostgreSQL

Describe the issue: 
Manual states "Create a PostgreSQL role named rhqadmin with password rhqadmin". This would be a security issue given that anyone who knows JON is installed could access the backend database due to the password being in the manual.

Suggestions for improvement: 
Change the point to indicate that a better password should be used, and use the configuration guide in section 3.6 of the install guide (https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Installation_Guide/about-install-script.html#properties-file) to change the default password used by the rhqctl script.

Additional information: 
Need to check that JON will work if changed.

Comment 1 Jason Shepherd 2017-06-06 02:24:45 UTC
Hi Tyler,

JON will work if we change the rhqadmin PostgreSQL user password. I agree we should indicate a better password should be used instead of giving users a password.

Jason

Comment 2 Tyler Kelly 2017-06-06 06:01:07 UTC
Changed to:
"Create a PostgreSQL role named rhqadmin with a password 'password'
postgres=# CREATE USER rhqadmin PASSWORD 'password'"
Need to update section 3.6 to include the change.
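
An added example, not part of this bug report or of the JON documentation: one way an administrator can check whether a role on their own server still carries either password quoted in this thread ('rhqadmin' from the description, 'password' from Comment 2). It assumes (rolname, rolpassword) rows exported from pg_authid by a superuser, and it goes beyond the md5 case by also handling the SCRAM-SHA-256 verifiers that PostgreSQL 10 and later can store; the function names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac

DOCUMENTED_PASSWORDS = ("rhqadmin", "password")  # quoted in this bug report

def md5_verifier(role, password):
    """PostgreSQL md5 format: 'md5' + md5(password || role name)."""
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def scram_stored_key(password, salt, iterations):
    """StoredKey (RFC 5802) as kept in a SCRAM-SHA-256 verifier."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()

def matches(role, verifier, password):
    """True if a pg_authid.rolpassword value encodes `password`."""
    if verifier.startswith("md5"):
        return verifier == md5_verifier(role, password)
    if verifier.startswith("SCRAM-SHA-256$"):
        # Layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
        _, params, keys = verifier.split("$")
        iterations, salt = params.split(":")
        stored = base64.b64decode(keys.split(":")[0])
        return stored == scram_stored_key(
            password, base64.b64decode(salt), int(iterations))
    return False  # unrecognised format: nothing to compare

def audit(rows):
    """rows: (rolname, rolpassword) pairs -> [(role, documented password)]."""
    return [(role, pw) for role, verifier in rows if verifier
            for pw in DOCUMENTED_PASSWORDS if matches(role, verifier, pw)]

def sample_scram(password, salt=b"constructed-salt", iterations=4096):
    """Build a constructed verifier; the ServerKey slot holds filler."""
    fields = [salt, scram_stored_key(password, salt, iterations), b"filler"]
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (
        iterations, *(base64.b64encode(f).decode() for f in fields))

# Constructed sample rows, not taken from any real server.
SAMPLE_ROWS = [
    ("rhqadmin", md5_verifier("rhqadmin", "rhqadmin")),
    ("rhqadmin", sample_scram("password")),
    ("rhqadmin", md5_verifier("rhqadmin", "constructed-strong-Zq7")),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Because the md5 format mixes in the role name and SCRAM uses a per-role salt, the comparison has to be recomputed per row rather than matched against a fixed string.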

Comment 4 Tyler Kelly 2017-06-25 22:41:23 UTC
Published on customer portal on 2017-06-26