Implement auth on mongodb
Bug #1665308 reported by Luke Hinds
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Expired | Undecided | Unassigned |
Bug Description
MongoDB currently runs with noauth on the undercloud / controller roles.
The current arch is not exposing a security risk as on the undercloud the bind_ip is 127.0.0.1 (for zaqar DB) and on the controller listening is restricted to the internal API network "InternalApiNet".
It is still however a prudent effort to further 'shore up' extra layers of defence by implementing auth.
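The reasoning in the description (no auth, with exposure limited only by the bind address) can be checked mechanically. The sketch below is an added example, not part of the bug report or of TripleO; it classifies a mongod configuration into the three cases discussed. The sample configs, the address 172.16.2.10 and the function names are constructed for illustration, and the parser is a simplification that reads only flat `key = value` and `key: value` lines.

```python
import ipaddress

def parse_mongod_conf(text):
    """Collect settings from legacy 'key = value' or YAML-style 'key: value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        for sep in ("=", ":"):                   # '=' first so IPv6 values survive
            if sep in line:
                key, value = line.split(sep, 1)
                settings[key.strip().lower()] = value.strip().strip("\"'")
                break
    return settings

def auth_enabled(settings):
    """MongoDB has access control off unless it is explicitly turned on."""
    return (settings.get("authorization") == "enabled"   # YAML security.authorization
            or settings.get("auth", "").lower() == "true"  # legacy auth = true
            or bool(settings.get("keyfile")))              # keyFile implies authorization

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def classify(text):
    settings = parse_mongod_conf(text)
    if auth_enabled(settings):
        return "auth-enabled"
    raw = settings.get("bind_ip") or settings.get("bindip") or ""
    addrs = [a.strip() for a in raw.split(",") if a.strip()]
    # Assumption: a missing bind address is treated as reachable, the cautious reading.
    if addrs and all(is_loopback(a) for a in addrs):
        return "noauth-loopback-only"        # the undercloud case in the description
    return "noauth-network-reachable"        # the controller case: network ACLs only

# Constructed sample configurations
UNDERCLOUD = "bind_ip = 127.0.0.1\nnoauth = true\n"
CONTROLLER = "bind_ip = 172.16.2.10\nnoauth = true\n"
HARDENED = "net:\n  bindIp: 172.16.2.10\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, conf in (("undercloud", UNDERCLOUD), ("controller", CONTROLLER),
                       ("hardened", HARDENED)):
        print(f"{name}: {classify(conf)}")
```
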
Changed in tripleo: importance: Undecided → Medium
Changed in tripleo: importance: Medium → High
Changed in tripleo: milestone: pike-3 → pike-rc1
Changed in tripleo: milestone: queens-1 → queens-2
Changed in tripleo: milestone: queens-2 → queens-3
Changed in tripleo: milestone: queens-3 → queens-rc1
Changed in tripleo: milestone: queens-rc1 → rocky-1
Changed in tripleo: milestone: rocky-1 → rocky-2
Changed in tripleo: milestone: rocky-2 → rocky-3
Changed in tripleo: milestone: rocky-3 → rocky-rc1
Changed in tripleo: milestone: rocky-rc1 → stein-1
Changed in tripleo: milestone: stein-1 → stein-2
Given that this is a security layering bug (so not an immediate vulnerability) and adding auth to a service which previously didn't have it is likely to be a somewhat invasive change, I'm going to move it out to Queens. I'd prefer to do something like this early in the cycle so we have time to tease out issues, especially with composable services that may not be well-tested in CI.