tripleo

tripleoclient leaves Rabbit MQ with default Userid and password

Bug #1557688 reported by Adam Young on 2016-03-15
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Undecided
Juan Antonio Osorio Robles
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Rabbit MQ is the backbone between the services, and as such should be secured. In a default deployment, the UserID and password used by all services is: Guest /Guest.

As a workaround, values can be set in the yaml file passed in to openstack overcloud deploy. For example.

 RabbitUserName: fubar
 RabbitPassword: fumtu

At a minimum, the Password value should be defaulted to a uuidgen -r based random value

See original description
Adam Young (ayoung) on 2016-03-15
summary: - tripleioclient leaves Rabbit MQ with default Userid and password
+ tripleoclient leaves Rabbit MQ with default Userid and password
information type: Private Security → Public Security
description: updated
Juan Antonio Osorio Robles (juan-osorio-robles) on 2016-03-16
Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/293327

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/293344

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/293327
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=309eef1005885ba8d90a2d3f7afea572ec57fc82
Submitter: Jenkins
Branch: master

commit 309eef1005885ba8d90a2d3f7afea572ec57fc82
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 16 11:05:17 2016 +0200

    Pass RabbitMQ's password from the client

    In the tripleo templates the RabbitMQ password is set as
    the default but can be overriden. It's not a good security pratice to
    use that default so this change enables the autogeneration of
    that parameter.

    Bug: #1557688
    Change-Id: I9c2f2b82ab2780ff325f90f5e038f3b7f3b5cf61

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/293870

OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-tripleoclient (stable/liberty)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/293870
Reason: temporarily abandoning this.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/293344
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=279376fe10d40471614822ddc0a5c151eb886863
Submitter: Jenkins
Branch: master

commit 279376fe10d40471614822ddc0a5c151eb886863
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 16 11:47:14 2016 +0200

    Remove default for the RabbitMQ password

    Since the password is now autogenerated from the tripleoclient,
    there is no need to keep the default value here.

    Change-Id: If41cb56134966456f8590da04f392faffe5c62a1
    Closes-Bug: #1557688

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/liberty)

Reviewed: https://review.openstack.org/293870
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=7a2c7e7b04fa4ba385b92c3c6fe7598f400176e0
Submitter: Jenkins
Branch: stable/liberty

commit 7a2c7e7b04fa4ba385b92c3c6fe7598f400176e0
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 16 11:05:17 2016 +0200

    Pass RabbitMQ's password from the client

    In the tripleo templates the RabbitMQ password is set as
    the default but can be overriden. It's not a good security pratice to
    use that default so this change enables the autogeneration of
    that parameter.

    Conflicts:
        tripleoclient/tests/test_utils.py
        tripleoclient/tests/v1/utils.py

    Bug: #1557688
    Change-Id: I9c2f2b82ab2780ff325f90f5e038f3b7f3b5cf61
    (cherry picked from commit 309eef1005885ba8d90a2d3f7afea572ec57fc82)

tags: added: in-stable-liberty
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers