Posted to issues@ambari.apache.org by "Kat Petre (JIRA)" <ji...@apache.org> on 2017/05/07 08:58:04 UTC
[jira] [Created] (AMBARI-20949) Securing the root account for mysql shouldn't be an advanced feature
Kat Petre created AMBARI-20949:
----------------------------------
Summary: Securing the root account for mysql shouldn't be an advanced feature
Key: AMBARI-20949
URL: https://issues.apache.org/jira/browse/AMBARI-20949
Project: Ambari
Issue Type: Improvement
Components: ambari-sever
Affects Versions: 2.4.2
Environment: *
Reporter: Kat Petre
Ambari server does a nice job at installing the internal mysql db and creating the service [i.e: hive] databases in a secure manner.
```
[noobie@hdp-2 ~]: mysql -uhive
ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password: NO)
```
However, the mysql root account is wide open.
```
[noobie@hdp-2 ~]: mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
```
In the spirit of secure by default, it would be nice if the installer prompted the users to secure their mysql root password, without needing to go into advanced configurations.
Might also want to send users a gentle reminder that they should manually secure their mysql database, if they used the default settings.
CVSS would classify this as "important impact" https://access.redhat.com/security/updates/classification
For what it's worth, securing mysql is relatively painless.
https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html
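An added example, not part of the issue or of Ambari's code: a shell audit that flags the account states the report describes (a named account with no password) along with the other two conditions mysql_secure_installation removes (anonymous users, remote root). It assumes the MySQL 5.7 `mysql.user` column names; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Input: tab-separated rows of user, host, plugin, authentication_string,
# for example from (assumes the MySQL 5.7 schema; older servers use `Password`):
#   mysql -N -B -e "SELECT user, host, plugin, authentication_string FROM mysql.user"
# Prints one finding per line; exit status is 1 if anything was flagged.
audit_mysql_accounts() {
    awk -F '\t' '
        # Named account with an empty hash. auth_socket accounts are skipped:
        # the server checks the connecting OS user, so an empty hash is normal.
        $1 != "" && $4 == "" && $3 != "auth_socket" {
            printf "EMPTY_PASSWORD %s@%s\n", $1, $2; bad = 1
        }
        # Anonymous accounts match any user name presented by the client.
        $1 == "" { printf "ANONYMOUS_USER @%s\n", $2; bad = 1 }
        # root should only be reachable from the local host.
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "REMOTE_ROOT root@%s\n", $2; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample rows (not real hashes) covering each case.
sample_rows() {
    printf 'root\tlocalhost\tmysql_native_password\t\n'
    printf 'root\t%%\tmysql_native_password\t*CONSTRUCTED_HASH\n'
    printf '\tlocalhost\tmysql_native_password\t\n'
    printf 'hive\tlocalhost\tmysql_native_password\t*CONSTRUCTED_HASH\n'
    printf 'backup\tlocalhost\tauth_socket\t\n'
}

sample_rows | audit_mysql_accounts || echo "findings above need fixing"
```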