Comment 6 for bug 1541122

Tristan Cacqueray (tristan-cacqueray) wrote :

IIUC correctly, the oozie backend is not shared between tenants and it is only accessible from the tenant's network. So the risk would be a user messing with its own deployment, without impact for other tenants.

Assuming a compromised oozie service cannot escalate to the sahara service (e.g., by stalling operation from the api for example), then I think this is a class D type of bug according to the VMT taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).

@sahara-coresec, what do you think?