Although the nova.conf file's permissions are restricted to 640, giving every compute server the MySQL root password, as per the Cactus documentation, does not follow the principle of least privilege.
If an attacker successfully exploits a flaw in the hypervisor (such flaws have been found in KVM and Xen in the past), the attacker can easily tamper with the MySQL database, wreaking havoc on the OpenStack cloud.
An attack on the hypervisor should be limited in scope to individual compute servers.
Documents that refer to root MySQL password on compute servers:
http://docs.openstack.org/cactus/openstack-compute/admin/content/configuring-multiple-compute-nodes.html
http://docs.openstack.org/cactus/openstack-compute/admin/content/setting-flags-in-nova-conf-file.html
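An added example, not part of the original report or of OpenStack's code: a check that flags a compute node's nova.conf when its database URL carries the MySQL root account, regardless of the file mode. It assumes the Cactus-era flag-file syntax with a `--sql_connection` flag; the sample configs, the address, and the `nova_compute` account name are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample flag files (not taken from a real deployment).
WEAK_CONF = """\
--dhcpbridge_flagfile=/etc/nova/nova.conf
--sql_connection=mysql://root:EXAMPLE_PASSWORD@192.0.2.10/nova
--network_manager=nova.network.manager.FlatDHCPManager
"""
# Same file, but using a hypothetical per-service account instead of root.
SCOPED_CONF = WEAK_CONF.replace("root:", "nova_compute:")


def audit_flagfile(text, mode=0o640):
    """Return a list of findings for one nova.conf flag file.

    text: contents of the flag file; mode: its permission bits.
    """
    findings = []
    # 640 only limits who can read the file on this host. It says nothing
    # about what the stored credential can do on the database server.
    extra_bits = mode & 0o777 & ~0o640
    if extra_bits:
        findings.append("file mode %o grants more than 640" % (mode & 0o777))
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("--sql_connection="):
            continue
        url = urlsplit(line.split("=", 1)[1])
        user = (url.username or "").lower()
        if user == "root":
            # A hypervisor escape on this node yields full control of MySQL,
            # so the compromise is no longer limited to one compute server.
            findings.append(
                "line %d: sql_connection uses MySQL superuser 'root' on %s"
                % (lineno, url.hostname)
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("scoped", SCOPED_CONF)):
        print(name, audit_flagfile(conf) or "no findings")
```

A clean result for the scoped file only means the account is not root; the grants held by that account still have to be reviewed on the MySQL server itself.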