Bug 1364576 - [OSP13] Password not required to login as root to MariaDB on the Undercloud
Summary: [OSP13] Password not required to login as root to MariaDB on the Undercloud
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: beta
: 13.0 (Queens)
Assignee: James Slagle
QA Contact: pkomarov
URL:
Whiteboard:
Depends On:
Blocks: 1534550 1534552 1534558
 
Reported: 2016-08-05 19:30 UTC by Dan Yasny
Modified: 2018-06-27 13:26 UTC

Fixed In Version: instack-undercloud-8.1.1-0.20180117134321.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1534550 1534552 1534558
Environment:
Last Closed: 2018-06-27 13:26:26 UTC



Links
System ID Priority Status Summary Last Updated
Launchpad 1742191 None None None 2018-01-09 17:01:33 UTC
Red Hat Product Errata RHEA-2018:2086 normal SHIPPED_LIVE Red Hat OpenStack Platform 13.0 Enhancement Advisory 2018-06-28 19:51:39 UTC
OpenStack gerrit 532221 None master: MERGED instack-undercloud: Set password for mysql root user on undercloud (I408ce3a0fe2ab8e86bcc280256cdb51688efde75) 2018-02-07 13:59:07 UTC

Description Dan Yasny 2016-08-05 19:30:41 UTC
Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1323305 was opened about the lack of a password set on MariaDB on the overcloud; however, during the verification it turned out that on the undercloud the DB is also wide open:

[stack@instack ~]$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5978
Server version: 5.5.47-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password from mysql.user where user like 'root'; 
+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+
4 rows in set (0.00 sec)



Version-Release number of selected component (if applicable):
mariadb-libs-5.5.47-1.el7_2.x86_64
mariadb-5.5.47-1.el7_2.x86_64
mariadb-server-5.5.47-1.el7_2.x86_64
openstack-tripleo-0.0.8-0.2.d81bd6dgit.el7ost.noarch
openstack-sahara-4.0.1-2.el7ost.noarch
openstack-swift-2.7.0-2.el7ost.noarch
openstack-tempest-10.0.0-2.b4a056dgit.el7ost.noarch
openstack-swift-container-2.7.0-2.el7ost.noarch
openstack-aodh-listener-2.0.3-2.el7ost.noarch
openstack-aodh-evaluator-2.0.3-2.el7ost.noarch
openstack-nova-compute-13.1.0-4.el7ost.noarch
openstack-heat-common-6.0.0-8.el7ost.noarch
openstack-neutron-8.1.2-1.el7ost.noarch
openstack-nova-api-13.1.0-4.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-6.el7ost.noarch
openstack-zaqar-2.0.1-0.20160621211345.9fdbcfc.el7ost.noarch
openstack-cinder-8.0.0-4.el7ost.noarch
openstack-heat-engine-6.0.0-8.el7ost.noarch
openstack-swift-proxy-2.7.0-2.el7ost.noarch
openstack-neutron-common-8.1.2-1.el7ost.noarch
openstack-ceilometer-common-6.1.3-2.el7ost.noarch
openstack-sahara-api-4.0.1-2.el7ost.noarch
openstack-tripleo-common-2.0.0-7.el7ost.noarch
openstack-ironic-api-5.1.2-3.el7ost.noarch
openstack-puppet-modules-8.1.7-1.el7ost.noarch
openstack-ceilometer-notification-6.1.3-2.el7ost.noarch
openstack-ceilometer-collector-6.1.3-2.el7ost.noarch
openstack-ceilometer-polling-6.1.3-2.el7ost.noarch
python-openstacksdk-0.8.3-1.el7ost.noarch
openstack-tripleo-heat-templates-2.0.0-26.el7ost.noarch
openstack-nova-conductor-13.1.0-4.el7ost.noarch
openstack-sahara-common-4.0.1-2.el7ost.noarch
openstack-keystone-9.0.2-1.el7ost.noarch
openstack-nova-scheduler-13.1.0-4.el7ost.noarch
openstack-nova-cells-13.1.0-4.el7ost.noarch
openstack-ceilometer-api-6.1.3-2.el7ost.noarch
openstack-ironic-inspector-3.2.2-4.el7ost.noarch
openstack-neutron-openvswitch-8.1.2-1.el7ost.noarch
openstack-heat-api-6.0.0-8.el7ost.noarch
openstack-swift-object-2.7.0-2.el7ost.noarch
openstack-aodh-notifier-2.0.3-2.el7ost.noarch
openstack-tripleo-puppet-elements-2.0.0-4.el7ost.noarch
openstack-ceilometer-central-6.1.3-2.el7ost.noarch
openstack-neutron-ml2-8.1.2-1.el7ost.noarch
openstack-heat-api-cfn-6.0.0-8.el7ost.noarch
openstack-nova-common-13.1.0-4.el7ost.noarch
openstack-nova-console-13.1.0-4.el7ost.noarch
openstack-sahara-engine-4.0.1-2.el7ost.noarch
openstack-nova-novncproxy-13.1.0-4.el7ost.noarch
openstack-swift-account-2.7.0-2.el7ost.noarch
openstack-ironic-conductor-5.1.2-3.el7ost.noarch
openstack-aodh-common-2.0.3-2.el7ost.noarch
openstack-selinux-0.7.3-3.el7ost.noarch
openstack-utils-2015.2-1.el7ost.noarch
openstack-glance-12.0.0-1.el7ost.noarch
openstack-heat-templates-0-0.3.96a0b0bgit.el7ost.noarch
openstack-nova-cert-13.1.0-4.el7ost.noarch
python-openstackclient-2.2.0-1.el7ost.noarch
openstack-nova-13.1.0-4.el7ost.noarch
openstack-aodh-api-2.0.3-2.el7ost.noarch
openstack-swift-plugin-swift3-1.10-1.el7ost.noarch
openstack-ironic-common-5.1.2-3.el7ost.noarch
openstack-nova-network-13.1.0-4.el7ost.noarch
openstack-tripleo-heat-templates-liberty-2.0.0-26.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
1. deploy osp 9
2. login to the undercloud machine
3. run mysql -u root

Actual results:
you get logged into the db without a password; no passwords are set for root

Expected results:

password to be required for db access

Additional info:

Comment 2 Michele Baldessari 2016-08-08 15:15:37 UTC
So on both liberty and mitaka the mysql port is firewalled off so only access from the undercloud itself is allowed:

Interestingly enough on newton it is open again on the undercloud:
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW

This is not to say that we should not look into it, just that the exposed surface is limited to having access to the undercloud already (pending confirmation about mitaka). I will look at the newton bits so that we do not release it without that port being open (I think it happened when we switched to use mysql via the puppet-tripleo profiles in the undercloud).

Comment 3 Dan Yasny 2016-08-08 15:20:09 UTC
(In reply to Michele Baldessari from comment #2)
> So on both liberty and mitaka the mysql port is firewalled off so only
> access from the undercloud itself is allowed:
> 
> Interestingly enough on newton it is open again on the undercloud:
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
> 0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104
> mysql galera */ state NEW
> 
> This is not to say that we should not look into it, just that the exposed
> surface
> is limited to having access to the undercloud already (pending confirmation
> about mitaka). I will look at the newton bits so that we do not release it
> without that port being open (I think it happened when we switched to use
> mysql via the puppet-tripleo profiles in the undercloud)

A customer might disable the firewall for whatever reason, so I think we do need to enable all reasonable security.
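
Added example, not part of the bug report or of instack-undercloud: a small audit that reads the two outputs quoted in this thread (the `mysql.user` table and the iptables rule) and reports whether passwordless accounts exist and whether port 3306 is accepted from any source. The function names, the verdict strings and the second firewall rule are assumptions made for illustration; the table layout assumes the `password` column shown in the MariaDB 5.5.47 output above.

```shell
#!/bin/sh
# Added example: sample inputs are constructed from the outputs quoted above.
USER_TABLE='+------+---------------------+----------+
| user | host                | password |
+------+---------------------+----------+
| root | localhost           |          |
| root | instack.localdomain |          |
| root | 127.0.0.1           |          |
| root | ::1                 |          |
+------+---------------------+----------+'
# First rule is the one quoted in comment 2; the second is constructed.
FW_RULES='    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 873,3306,4444,4567,4568,9200 /* 104 mysql galera */ state NEW
    0     0 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22 /* constructed */'

# stdin: mysql table output with user|host|password columns.
# stdout: user@host for every account whose password column is empty.
empty_password_accounts() {
    awk -F'|' 'NF >= 5 {
        u = $2; h = $3; p = $4
        gsub(/^[ \t]+|[ \t]+$/, "", u)
        gsub(/^[ \t]+|[ \t]+$/, "", h)
        gsub(/^[ \t]+|[ \t]+$/, "", p)
        if (u == "user" && h == "host") next   # header row
        if (p == "") print u "@" h
    }'
}

# stdin: `iptables -L INPUT -n -v` lines. Exit 0 if an ACCEPT rule with
# source 0.0.0.0/0 covers TCP port $1 (dpt:N or a multiport dports list).
port_open_to_any() {
    awk -v port="$1" '$3 == "ACCEPT" && $8 == "0.0.0.0/0" {
        for (i = 10; i <= NF; i++) {
            if ($i == ("dpt:" port)) found = 1
            if ($i == "dports" && i < NF) {
                n = split($(i + 1), list, ",")
                for (j = 1; j <= n; j++) if (list[j] == port) found = 1
            }
        }
    }
    END { exit (found ? 0 : 1) }'
}

# $1: user table, $2: firewall rules. Prints one verdict line.
classify_exposure() {
    accounts=$(printf '%s\n' "$1" | empty_password_accounts)
    if [ -z "$accounts" ]; then echo "ok"
    elif printf '%s\n' "$2" | port_open_to_any 3306; then echo "passwordless-remote"
    else echo "passwordless-local"
    fi
}

classify_exposure "$USER_TABLE" "$FW_RULES"   # passwordless-remote
```

A `passwordless-local` verdict still counts as a finding: it only means the firewall is currently the sole control in front of the empty root password.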

Comment 15 pkomarov 2018-02-15 08:55:40 UTC
Verified,

$ whoami
stack

$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 13.0 Beta (Queens)

$ rpm -qa|grep instack-undercloud-8.1.1-0.20180117134321
instack-undercloud-8.1.1-0.20180117134321.el7ost.noarch

$  mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Comment 19 errata-xmlrpc 2018-06-27 13:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

