When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials that Oozie uses to access its database; this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded and use a weak password.
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on the nodes of its clusters, this hardcoded password should be replaced by a random password generated uniquely for each deployed cluster. Oozie builds its credentials from the configuration values defined in [2], so the change should be a matter of simply changing the source value of the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41
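The following is an added illustration, not code from Sahara or from the report: it reproduces the weak hardcoded settings described above as a constructed dict, adds a check that flags such a password, and shows the shape of the proposed fix, where one random password is generated per cluster and the same value is handed both to the MySQL user-creation step and to the oozie-site configuration. The key names are the real oozie-site keys cited in the report; the function names, the weak-password list and the SQL statements are assumptions for the example.

```python
import secrets
from typing import Dict, List, Tuple

JDBC_URL_KEY = 'oozie.service.JPAService.jdbc.url'
JDBC_USER_KEY = 'oozie.service.JPAService.jdbc.username'
JDBC_PASS_KEY = 'oozie.service.JPAService.jdbc.password'

# Constructed to mirror the hardcoded values the report describes; this is
# not imported from sahara's oozie_helper.py.
WEAK_OOZIE_CONFIGS: Dict[str, str] = {
    JDBC_URL_KEY: 'jdbc:mysql://localhost:3306/oozie',
    JDBC_USER_KEY: 'oozie',
    JDBC_PASS_KEY: 'oozie',
}

# Small constructed list of well-known defaults; a real audit would use a
# much larger wordlist.
COMMON_WEAK_PASSWORDS = {'', 'oozie', 'password', 'hadoop', 'admin', '123456'}


def find_weak_db_password(configs: Dict[str, str]) -> List[str]:
    """Return the reasons the JDBC password in `configs` is weak.

    An empty list means no problem was found.  This is the check a deployment
    tool or CI job could run over generated oozie-site settings.
    """
    user = configs.get(JDBC_USER_KEY, '')
    password = configs.get(JDBC_PASS_KEY, '')
    problems = []
    if password in COMMON_WEAK_PASSWORDS:
        problems.append('password is a well-known default')
    if password and password == user:
        problems.append('password equals username')
    if len(password) < 16:
        problems.append('password shorter than 16 characters')
    return problems


def generate_db_password(nbytes: int = 24) -> str:
    """Generate a random password from the OS CSPRNG.

    token_urlsafe() only emits [A-Za-z0-9_-], which matters below: the value
    can be embedded in a MySQL statement without needing quoting rules
    beyond a plain single-quoted string literal.
    """
    return secrets.token_urlsafe(nbytes)


def build_oozie_db_settings(password: str) -> Tuple[Dict[str, str], List[str]]:
    """Produce the oozie-site values and the provisioning SQL for one cluster.

    Both outputs carry the same `password` object, so the database user and
    the configuration written to the node cannot drift apart.  Hypothetical
    helper; the SQL mirrors what a provisioning step would typically run.
    """
    configs = {
        JDBC_URL_KEY: 'jdbc:mysql://localhost:3306/oozie',
        JDBC_USER_KEY: 'oozie',
        JDBC_PASS_KEY: password,
    }
    statements = [
        "CREATE USER 'oozie'@'localhost' IDENTIFIED BY '%s';" % password,
        "GRANT ALL PRIVILEGES ON oozie.* TO 'oozie'@'localhost';",
    ]
    return configs, statements


def provision_cluster_oozie(cluster_name: str) -> Dict[str, object]:
    """Generate the per-cluster secret exactly once and thread it through.

    Calling generate_db_password() separately for the SQL step and for the
    config step would create a user with one password and configure Oozie
    with another, so the secret is created here and passed down.
    """
    password = generate_db_password()
    configs, statements = build_oozie_db_settings(password)
    return {'cluster': cluster_name, 'configs': configs, 'sql': statements}


if __name__ == '__main__':
    print('weak defaults:', find_weak_db_password(WEAK_OOZIE_CONFIGS))
    result = provision_cluster_oozie('example-cluster')  # constructed name
    print('hardened:', find_weak_db_password(result['configs']))
```

The important design point is in `provision_cluster_oozie`: the password is generated once and passed to every consumer. A helper that calls the random generator inside the function returning the config dict would hand out a fresh value on every call, so the value used to create the database user and the value written into oozie-site.xml would only match if that function is called exactly once per cluster.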
I think the proper fix for this may be as simple as the following patch:
diff --git a/sahara/ plugins/ vanilla/ hadoop2/ oozie_helper. py b/sahara/ plugins/ vanilla/ hadoop2/ oozie_helper. py plugins/ vanilla/ hadoop2/ oozie_helper. py plugins/ vanilla/ hadoop2/ oozie_helper. py
index 734e99f..d51a2ea 100644
--- a/sahara/
+++ b/sahara/
@@ -13,6 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+import uuid
+
def get_oozie_ required_ xml_configs( hadoop_ conf_dir) : xml.""" mysql_configs( ):
'oozie. service. JPAService. jdbc.url' :
'jdbc: mysql:/ /localhost: 3306/oozie' ,
'oozie. service. JPAService. jdbc.username' : 'oozie', service. JPAService. jdbc.password' : 'oozie' service. JPAService. jdbc.password' : uuid.uuid4().hex
"""Following configs differ from default configs in oozie-default.
@@ -45,5 +47,5 @@ def get_oozie_
- 'oozie.
+ 'oozie.
}
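Review bot: in the first hunk (the `get_oozie_mysql_configs` change), `uuid.uuid4().hex` is evaluated every time the function runs, so each call returns a different password; if the provisioning code calls this function once to create the MySQL user and again to write the value into oozie-site.xml, the two will not match. Generate the password once per cluster (for example in the caller, or cached on the cluster object) and pass it in, so the same value reaches both places. Also consider `secrets.token_urlsafe()` or `os.urandom()` over `uuid4().hex` for a secret, since `uuid4` is not documented as a credential generator, and note that the hunk also drops the `'oozie'` default from the username line only in its garbled rendering here, so the committed version should be checked for that.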
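Review bot: the second hunk (`@@ -45,5 +47,5 @@`) survives here only as `- 'oozie.` and `+ 'oozie.`, so the actual change cannot be reviewed from what is shown; please post the full lines of that hunk so the key being modified and its new value are visible.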