Bug 916767 (CVE-2013-1793) - CVE-2013-1793 openstack-utils: openstack-db insecure password creation for services
Summary: CVE-2013-1793 openstack-utils: openstack-db insecure password creation for se...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-1793
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 916769 916770
Reported: 2013-02-28 20:59 UTC by Kurt Seifried
Modified: 2019-09-29 13:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-17 06:05:07 UTC
Embargoed:



Description Kurt Seifried 2013-02-28 20:59:00 UTC
Steve Gordon (sgordon) reports:

The openstack-db program (a bash script which is part of the openstack-utils 
package):

Set up a local database (MySQL) for use with openstack-<service>. 
This script will create a '<service>' database that is accessible 
only on localhost by user '<service>' with password '<service>'.
The setup of a database with a multi-server OpenStack installation
is outside of the scope of this simple helper script.

This is not well documented in the install instructions and is only mentioned 
within the manual page for openstack-db or if it is invoked with the --help | -h
option. The program supports a --password | -p option to set a password during
installation; however, this is not mentioned. So by default installations will 
have multiple accounts created in MySQL with the username and password set to
the service name; this list includes "keystone", "glance", "cinder" and "nova".

Suggested fix: force usage of --password | -p, or generate a secure random 
password and use that instead of the service name if no password is specified.

We also need to document this better in the installation guide and explicitly 
state what is going on.

The affected code is:

MYSQL_APP_PW_DEFAULT="$APP"
: ${MYSQL_APP_PW=$MYSQL_APP_PW_DEFAULT}

and then later on an SQL statement is created:

CREATE USER '$APP'@'localhost' IDENTIFIED BY '${MYSQL_APP_PW}';
CREATE USER '$APP'@'%' IDENTIFIED BY '${MYSQL_APP_PW}';

External references:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack/2/html-single/Getting_Started_Guide/index.html
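As an added illustration (not code from openstack-db or from the reporter), the defaulting pattern quoted above beside the hardened variant the report suggests: keep an explicitly supplied password, otherwise draw a random one from /dev/urandom instead of reusing the service name. The helper names are hypothetical.

```bash
#!/bin/bash
# Added example, not the openstack-db script itself.
#
# Pattern quoted in the report: when no password is supplied, the
# service name ($APP) becomes the MySQL password for that service.
# (":=" is used here so an empty argument also triggers the default.)
insecure_default_pw() {
    local APP="$1" MYSQL_APP_PW="$2"
    local MYSQL_APP_PW_DEFAULT="$APP"
    : "${MYSQL_APP_PW:=$MYSQL_APP_PW_DEFAULT}"
    printf '%s\n' "$MYSQL_APP_PW"
}

# Hypothetical helper: 24 random bytes, base64-encoded, with the
# characters that would need quoting in the SQL statement removed.
gen_random_pw() {
    head -c 24 /dev/urandom | base64 | tr -d '/+=\n'
}

# Hardened variant: a supplied password is kept; otherwise a random
# one is generated rather than falling back to the service name.
secure_default_pw() {
    local APP="$1" MYSQL_APP_PW="$2"
    if [ -z "$MYSQL_APP_PW" ]; then
        MYSQL_APP_PW=$(gen_random_pw)
    fi
    printf '%s\n' "$MYSQL_APP_PW"
}

# Deployment check: returns 0 when the password differs from the
# service name, 1 when it is the weak default described in the report.
pw_is_not_service_name() {
    local APP="$1" PW="$2"
    [ "$PW" != "$APP" ]
}
```

Running `secure_default_pw keystone ""` yields a fresh random password each time, whereas `insecure_default_pw keystone ""` always yields `keystone`.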

Comment 2 Kurt Seifried 2014-03-13 05:51:03 UTC
So this is still an issue, all the docs show adding a password at the command line (which is actually less than ideal, it'll be stored in your command line history/shown in ps), I would suggest we add a prompt for password if no password is entered, rather than randomly generating one by default.

Comment 3 Pádraig Brady 2014-07-15 13:17:14 UTC
Yes, openstack-db --init will set the password to the service name.
That aligns with the upstream default of using a password = the service name.

However this script is mainly useful for developers, and --init is
not documented for end users.

It's not really an option at present to remove this script, as
it's been documented recently in the upgrade process:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Release_Notes/section_atomic-offline-upgrade.html

So I'd be 60:40 for leaving the script as is for now,
seeing as it's not end user impacting.

Comment 4 Pádraig Brady 2014-07-16 09:19:40 UTC
Also the option of setting a random password for --init is possible.

But I'd be 60:40 for leaving the script as is for now,
seeing as it's not end user impacting.

Comment 5 Garth Mollett 2014-07-17 06:05:07 UTC
Ok, I'm going to close this as wontfix. Given the current state of this program and the user impact in the current releases (i.e. none), if we do decide to change the behavior or remove this script in the future I am happy to call it hardening.

