nova-compute should not address DB directly (a.k.a. root SQL password in conf)
Affects: OpenStack Compute (nova)
Although the nova.conf file's permissions are restricted to 640, giving every compute server the MySQL root password, as the Cactus documentation instructs, does not follow the principle of least privilege.
Documents that refer to the root MySQL password on compute servers:
If an attacker successfully exploits a flaw in the hypervisor (as have been found in KVM and Xen in the past), the attacker can easily tamper with the MySQL database, wreaking havoc on the OpenStack cloud.
An attack on the hypervisor should be limited in scope to the individual compute server.
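A small audit that checks a compute node's nova.conf for the condition this report describes (a connection string using the MySQL root account, plus loose file permissions). This is an added example, not code from the bug report or from nova; it assumes the Cactus-era `--sql_connection=` flagfile line (and the later ini-style `sql_connection =` / `connection =` keys), and the host, password and path values are constructed placeholders.

```python
"""Audit a nova.conf for a root MySQL connection string and weak file mode."""
import os
import re
import stat
from urllib.parse import urlsplit

# Constructed sample in the Cactus flagfile style (one --flag=value per line).
SAMPLE_NOVA_CONF = """\
--verbose
--sql_connection=mysql://root:s3cret@10.0.0.5/nova
--rabbit_host=10.0.0.5
"""

# Matches '--sql_connection=...' (flagfile) as well as 'sql_connection = ...'
# and 'connection = ...' (ini style); value is the first non-blank token.
_CONN_RE = re.compile(r"^\s*(?:--)?(?:sql_)?connection\s*=\s*(\S+)", re.M)


def find_sql_connection(text):
    """Return the database connection URL found in nova.conf text, or None."""
    m = _CONN_RE.search(text)
    return m.group(1) if m else None


def audit_connection(conn):
    """Findings for one connection URL: root user and embedded plaintext password."""
    if conn is None:
        return ["no sql_connection found"]
    u = urlsplit(conn)
    findings = []
    if u.username == "root":
        findings.append("database user is root: compute node holds full DB privileges")
    if u.password:
        findings.append("plaintext password embedded in connection string")
    return findings


def audit_file_mode(mode):
    """Findings for a nova.conf permission mode (e.g. 0o640 is acceptable)."""
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("nova.conf is world-readable/writable")
    if mode & stat.S_IWGRP:
        findings.append("nova.conf is group-writable")
    return findings


def audit(text, mode=0o640):
    """Combine connection-string and permission findings for one config."""
    return audit_connection(find_sql_connection(text)) + audit_file_mode(mode)


def audit_path(path="/etc/nova/nova.conf"):
    """Audit a real file on disk (path is a placeholder assumption)."""
    with open(path) as fh:
        text = fh.read()
    return audit(text, stat.S_IMODE(os.stat(path).st_mode))
```

A compute node that passes this check with an empty finding list still needs a dedicated, least-privileged database account (or, as the report title suggests, no direct database access at all).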
security vulnerability: yes → no
visibility: private → public
Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
summary:
- nova-compute doesn't follow principle of least privilege; root SQL password in nova.conf
+ nova-compute should not address DB directly (a.k.a. root SQL password in