Sahara creates hive related users with hardcoded password

Bug #1498035 reported by Vitalii Gridnev
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned
Sahara                       Fix Released  High        Mikhail

Bug Description

Sahara creates a Hive-related user with a hardcoded password here:

https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/resources/create_hive_db.sql#L4

This issue should be repaired.

Changed in sahara:
status: New → Triaged
importance: Undecided → Critical
milestone: none → mitaka-1
importance: Critical → High
Changed in sahara:
milestone: mitaka-1 → mitaka-2
Changed in sahara:
milestone: mitaka-2 → mitaka-3
Changed in sahara:
milestone: mitaka-3 → next
Revision history for this message
Michael Ionkin (msionkin) wrote :

Hide hardcoded password of hive db user

There was a hardcoded password for the hive database user. Now it is
generated randomly.
Also refactored the methods that get data from files.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

This looks like a similar issue to bug 1541122, though it might be more severe if this service is more likely to be available to remote users. Depending on the default security group configuration this could be a class C1 or class A.

Revision history for this message
Vitalii Gridnev (vgridnev) wrote :

This user is created only for the MySQL database on the node with hiveserver in a vanilla cluster. So, in case a user (it's not available to remote users) has access to the node, he will have access to this database. I guess it's most likely an issue of Class D / Class C1 by the VMT map.

Also, to have access to the node, the user should have the correct private key distributed on all instances.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Based on the above comment, I've closed the OSSA task and switched the bug report to public.

Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Mikhail (mlelyakin)
Changed in sahara:
assignee: nobody → Mikhail (mlelyakin)
Mikhail (mlelyakin)
Changed in sahara:
status: Triaged → Invalid
status: Invalid → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/325850

Changed in sahara:
milestone: next → newton-2
Changed in sahara:
milestone: newton-2 → newton-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/325850
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=d7f17930919644bb44858956f690f9383de35d17
Submitter: Jenkins
Branch: master

commit d7f17930919644bb44858956f690f9383de35d17
Author: Michael Lelyakin <email address hidden>
Date: Wed Aug 3 16:02:18 2016 +0000

    Remove hardcoded password from db schema

    This patch removes the hardcoded password from the file
    "plugins/vanilla/hadoop2/resources/create_hive_db.sql". Now we use
    the castellan service to store a randomly generated password.

    Closes-bug: 1498035
    Change-Id: Ib354ef9d24df4eb19788b1cd7dbc495d0dada55a
    co-authored-by: Michael Ionkin <email address hidden>

Changed in sahara:
status: In Progress → Fix Released
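As an added illustration of the two halves of the fix the commit above describes (this is not Sahara's code and does not use castellan's real API): a check that flags a password literal in an SQL script, and a render step that substitutes a randomly generated password into an assumed `{{password}}` placeholder and hands the value to a key-manager stand-in. The template text, the placeholder name and `InMemoryKeyManager` are all assumptions made for the example.

```python
import re
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the shipped create_hive_db.sql after the fix:
# the script is assumed to carry a placeholder instead of a literal password.
CREATE_HIVE_DB_SQL = """CREATE DATABASE metastore;
CREATE USER 'hive'@'localhost' IDENTIFIED BY '{{password}}';
GRANT ALL PRIVILEGES ON metastore.* TO 'hive'@'localhost';
"""

# A MySQL password literal: IDENTIFIED BY '<anything except a placeholder>'.
# Braces are excluded so '{{password}}' is not reported as a finding.
_LITERAL_PASSWORD = re.compile(r"IDENTIFIED\s+BY\s+'([^'{}]*)'", re.IGNORECASE)


def find_hardcoded_passwords(sql: str) -> List[str]:
    """Return every password literal found in an SQL script (a CI-style check)."""
    return _LITERAL_PASSWORD.findall(sql)


def generate_password(length: int = 32) -> str:
    """Random alphanumeric password; no quote characters, so it is safe to splice
    into the single-quoted SQL literal without escaping."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class InMemoryKeyManager:
    """Hypothetical stand-in for a key manager such as castellan (not its API).
    It returns an opaque id, which is what the caller persists instead of the value."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def store(self, secret: str) -> str:
        secret_id = secrets.token_hex(8)
        self._secrets[secret_id] = secret
        return secret_id

    def get(self, secret_id: str) -> Optional[str]:
        return self._secrets.get(secret_id)


def render_hive_db_sql(template: str, key_manager: InMemoryKeyManager) -> Tuple[str, str]:
    """Generate the hive DB password at provisioning time, store it in the key
    manager, and return the rendered SQL plus the secret id to keep for later."""
    password = generate_password()
    secret_id = key_manager.store(password)
    return template.replace("{{password}}", password), secret_id
```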
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/sahara 5.0.0.0b3

This issue was fixed in the openstack/sahara 5.0.0.0b3 development milestone.
