Posted to issues@ambari.apache.org by "Kat Petre (JIRA)" <ji...@apache.org> on 2017/05/07 08:58:04 UTC

[jira] [Created] (AMBARI-20949) Securing the root account for mysql shouldn't be an advanced feature

Kat Petre created AMBARI-20949:
----------------------------------

             Summary: Securing the root account for mysql shouldn't be an advanced feature 
                 Key: AMBARI-20949
                 URL: https://issues.apache.org/jira/browse/AMBARI-20949
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-sever
    Affects Versions: 2.4.2
         Environment: *
            Reporter: Kat Petre


Ambari server does a nice job at installing the internal mysql db and creating the service [i.e: hive] databases in a secure manner. 
```
[noobie@hdp-2 ~]: mysql -uhive
ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password: NO)
```
However, the mysql root account is wide open. 
```
[noobie@hdp-2 ~]: mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
```

In the spirit of secure by default, it would be nice if the installer prompted the users to secure their mysql root password, without needing to go into advanced configurations.  


Might also want to send users a gentle reminder that they should manually secure their mysql database, if they used the default settings.
CVSS would classify this as "important impact" https://access.redhat.com/security/updates/classification 

For what it's worth, securing mysql is relatively painless. 
https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html



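An added example, not part of the original issue or of Ambari: a defender-side audit that lists accounts a MySQL server would admit with no password, which is the condition the report shows for root. It assumes the `mysql.user` column names of MySQL 5.7 (`plugin`, `authentication_string`); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Flags MySQL accounts that accept a login with no password.
# Input: tab-separated rows (user, host, plugin, authentication_string), e.g. from
#   mysql -N -B -e "SELECT user, host, plugin, authentication_string FROM mysql.user"
# Assumption: MySQL 5.7 column names; older servers keep the hash in a Password column.

audit_mysql_accounts() {
  awk -F'\t' '
    {
      user = $1; host = $2; plugin = $3; auth = $4
      # Socket-authenticated accounts store no hash but are bound to an OS user,
      # so an empty authentication_string there is not an open login.
      if (plugin == "auth_socket" || plugin == "unix_socket") next
      if (auth == "" || auth == "NULL") {
        # An empty user name is the anonymous account.
        label = (user == "") ? "anonymous" : user
        printf "NO_PASSWORD\t%s@%s\n", label, host
      }
    }'
}

# Constructed sample rows (not taken from a real server). The host name hdp-2
# is the one shown in the shell prompt of the report.
sample_rows() {
  printf 'root\tlocalhost\tmysql_native_password\t\n'
  printf 'root\thdp-2\tmysql_native_password\t\n'
  printf 'hive\tlocalhost\tmysql_native_password\t*CONSTRUCTED_HASH_PLACEHOLDER\n'
  printf '\tlocalhost\tmysql_native_password\t\n'
  printf 'backup\tlocalhost\tauth_socket\t\n'
}

# Run the audit over the constructed rows; on a real host, pipe the query
# output shown in the header comment into audit_mysql_accounts instead.
sample_rows | audit_mysql_accounts
```

Any `NO_PASSWORD` line is an account to fix by setting a password or removing the account, which is what `mysql_secure_installation` does for root and the anonymous users.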