Vanilla plugin uses hardcoded password for Oozie MySQL database user
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
| Sahara |
Fix Released
|
High
|
Mikhail | ||
Bug Description
When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user.
[1]: https:/
[2]: https:/
| Michael McCune (mimccune) wrote | #1 |
| Michael McCune (mimccune) wrote | #2 |
| Tristan Cacqueray (tristan-cacqueray) wrote | #3 |
| description: | updated |
| Changed in ossa: | |
| status: | New → Incomplete |
| Tristan Cacqueray (tristan-cacqueray) wrote | #4 |
| Michael McCune (mimccune) wrote | #5 |
| Tristan Cacqueray (tristan-cacqueray) wrote | #6 |
| Michael McCune (mimccune) wrote | #7 |
| Tristan Cacqueray (tristan-cacqueray) wrote | #8 |
| Michael McCune (mimccune) wrote | #9 |
| Vitalii Gridnev (vgridnev) wrote | #10 |
| information type: | Private Security → Public Security |
| Changed in sahara: | |
| assignee: | nobody → Michael McCune (mimccune) |
| importance: | Undecided → Critical |
| Changed in sahara: | |
| milestone: | none → newton-1 |
| status: | New → Confirmed |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to sahara (master) | #11 |
| Changed in sahara: | |
| status: | Confirmed → In Progress |
| description: | updated |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on sahara (master) | #12 |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on sahara (stable/liberty) | #13 |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on sahara (stable/mitaka) | #14 |
| Changed in sahara: | |
| milestone: | newton-1 → newton-2 |
| Changed in sahara: | |
| importance: | Critical → High |
| no longer affects: | sahara/liberty |
| no longer affects: | sahara/mitaka |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on sahara (master) | #15 |
| Changed in sahara: | |
| assignee: | Michael McCune (mimccune) → Mikhail (mlelyakin) |
| Changed in sahara: | |
| milestone: | newton-2 → newton-3 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to sahara (master) | #16 |
| Changed in sahara: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/sahara 5.0.0.0b3 | #17 |
i think the proper fix for this may be as simple as the following patch:
diff --git a/sahara/
index 734e99f..d51a2ea 100644
--- a/sahara/
+++ b/sahara/
@@ -13,6 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+import uuid
+
def get_oozie_
"""Following configs differ from default configs in oozie-default.
@@ -45,5 +47,5 @@ def get_oozie_
- 'oozie.
+ 'oozie.
}