| 2016-02-02 22:23:41 |
Michael McCune |
bug |
|
|
added bug |
| 2016-02-12 00:43:57 |
Michael McCune |
attachment added |
|
bug_1541122.patch https://bugs.launchpad.net/sahara/+bug/1541122/+attachment/4569737/+files/bug_1541122.patch |
|
| 2016-03-31 20:53:20 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2016-03-31 20:53:58 |
Tristan Cacqueray |
description |
When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 |
|
| 2016-03-31 20:54:16 |
Tristan Cacqueray |
bug |
|
|
added subscriber Sahara Core security contacts |
| 2016-04-04 12:56:15 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2016-05-04 13:17:32 |
Vitalii Gridnev |
information type |
Private Security |
Public Security |
|
| 2016-05-04 13:17:43 |
Michael McCune |
sahara: assignee |
|
Michael McCune (mimccune) |
|
| 2016-05-04 13:17:50 |
Michael McCune |
sahara: importance |
Undecided |
Critical |
|
| 2016-05-04 13:18:19 |
Vitalii Gridnev |
sahara: milestone |
|
newton-1 |
|
| 2016-05-04 13:18:26 |
Vitalii Gridnev |
nominated for series |
|
sahara/mitaka |
|
| 2016-05-04 13:18:26 |
Vitalii Gridnev |
bug task added |
|
sahara/mitaka |
|
| 2016-05-04 13:18:26 |
Vitalii Gridnev |
nominated for series |
|
sahara/liberty |
|
| 2016-05-04 13:18:26 |
Vitalii Gridnev |
bug task added |
|
sahara/liberty |
|
| 2016-05-04 13:20:43 |
Vitalii Gridnev |
sahara: status |
New |
Confirmed |
|
| 2016-05-04 13:20:54 |
Vitalii Gridnev |
sahara/liberty: importance |
Undecided |
Critical |
|
| 2016-05-04 13:20:55 |
Vitalii Gridnev |
sahara/mitaka: importance |
Undecided |
Critical |
|
| 2016-05-04 13:20:58 |
Vitalii Gridnev |
sahara/liberty: status |
New |
Confirmed |
|
| 2016-05-04 13:21:01 |
Vitalii Gridnev |
sahara/mitaka: status |
New |
Confirmed |
|
| 2016-05-04 13:23:08 |
OpenStack Infra |
sahara: status |
Confirmed |
In Progress |
|
| 2016-05-04 13:27:54 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 |
When deploying clusters with the vanilla plugin, the Oozie[1] application must be configured to use a database for storing data related to the scheduling, running, and processing of Hadoop jobs. Oozie is the primary scheduler for jobs entering the Hadoop ecosystem through the vanilla plugin.
Sahara configures the credentials for Oozie to access its database, this can be seen in sahara/plugins/vanilla/hadoop2/oozie_helper.py [2]. These credentials are hardcoded, and use a weak password.
An intruder with access to the nodes of a cluster that is created by sahara with the vanilla plugin will have access to the database that backs the Oozie installation. With this access, the intruder could change the operational effects of Oozie to produce results other than expected, for example inserting new jobs or altering configurations associated with currently running jobs.
As sahara has ultimate control over the deployment and configuration of Oozie on nodes deployed in its clusters, this hardcoded password should be changed in favor of a random password that will be generated uniquely for each deployed cluster. Oozie uses the values associated with the configurations defined in [2] to create the credentials, this means that the change should be a matter of simply changing the source valueof the password for the Oozie user.
[1]: https://oozie.apache.org/
[2]: https://github.com/openstack/sahara/blob/master/sahara/plugins/vanilla/hadoop2/oozie_helper.py#L41 |
|
| 2016-05-04 13:30:55 |
Michael McCune |
sahara/liberty: assignee |
|
Michael McCune (mimccune) |
|
| 2016-05-04 13:31:02 |
Michael McCune |
sahara/mitaka: assignee |
|
Michael McCune (mimccune) |
|
| 2016-05-04 13:33:19 |
OpenStack Infra |
sahara/mitaka: status |
Confirmed |
In Progress |
|
| 2016-05-04 15:56:00 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
| 2016-05-31 11:14:18 |
Vitalii Gridnev |
sahara: milestone |
newton-1 |
newton-2 |
|
| 2016-05-31 11:33:34 |
Vitalii Gridnev |
sahara: importance |
Critical |
High |
|
| 2016-05-31 11:33:37 |
Vitalii Gridnev |
sahara/liberty: importance |
Critical |
High |
|
| 2016-05-31 11:33:39 |
Vitalii Gridnev |
sahara/mitaka: importance |
Critical |
High |
|
| 2016-06-03 09:31:40 |
Vitalii Gridnev |
bug task deleted |
sahara/liberty |
|
|
| 2016-06-03 18:34:14 |
Vitalii Gridnev |
sahara/mitaka: status |
In Progress |
Confirmed |
|
| 2016-06-08 21:45:51 |
Vitalii Gridnev |
bug task deleted |
sahara/mitaka |
|
|
| 2016-06-14 14:58:08 |
Mikhail |
sahara: assignee |
Michael McCune (mimccune) |
Mikhail (mlelyakin) |
|
| 2016-07-07 21:40:26 |
Vitalii Gridnev |
sahara: milestone |
newton-2 |
newton-3 |
|
| 2016-08-02 13:01:46 |
OpenStack Infra |
sahara: status |
In Progress |
Fix Released |
|
