Kat Petre created AMBARI-20949:
----------------------------------
Summary: Securing the root account for mysql shouldn't be an
advanced feature
Key: AMBARI-20949
URL: https://issues.apache.org/jira/browse/AMBARI-20949
Project: Ambari
Issue Type: Improvement
Components: ambari-sever
Affects Versions: 2.4.2
Environment: *
Reporter: Kat Petre
Ambari server does a nice job at installing the internal mysql db and creating
the service [i.e: hive] databases in a secure manner.
```
[noobie@hdp-2 ~]: mysql -uhive
ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password:
NO)
```
However, the mysql root account is wide open.
```
[noobie@hdp-2 ~]: mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
```
In the spirit of secure by default, it would be nice if the installer prompted
the users to secure their mysql root password, without needing to go into
advanced configurations.
Might also want to send users a gentle reminder that they should manually secure
their mysql database, if they used the default settings.
CVSS would classify this as "important impact"
https://access.redhat.com/security/updates/classification
For what it's worth, securing mysql is relatively painless.
https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html
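The hardening steps that mysql_secure_installation (linked in the report) covers, written out as SQL next to an audit query for passwordless accounts. This is an added example, not part of the original report or of Ambari; it assumes a current MySQL 5.7 server, a session already logged in as root on the database host, and a placeholder password.

```sql
-- Added example; assumes a current MySQL 5.7 release.

-- 1. Audit: accounts that authenticate with a password plugin but have no
--    password set. Socket-authenticated accounts are excluded because an
--    empty authentication_string is normal for them.
SELECT user, host, plugin
FROM mysql.user
WHERE (authentication_string = '' OR authentication_string IS NULL)
  AND plugin IN ('mysql_native_password', 'sha256_password');

-- 2. Set a password on the local root accounts.
--    '<root-password>' is a placeholder; substitute a generated secret.
ALTER USER IF EXISTS
    'root'@'localhost' IDENTIFIED BY '<root-password>',
    'root'@'127.0.0.1' IDENTIFIED BY '<root-password>',
    'root'@'::1'       IDENTIFIED BY '<root-password>';

-- 3. Remove anonymous accounts.
DELETE FROM mysql.user WHERE user = '';

-- 4. Remove root accounts that could be used from another host.
DELETE FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. Drop the test database and the grants that refer to it.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\\_%';

-- 6. Reload the grant tables so the direct table edits take effect.
FLUSH PRIVILEGES;

-- 7. Re-run the audit; it should now return no root rows.
SELECT user, host, plugin
FROM mysql.user
WHERE (authentication_string = '' OR authentication_string IS NULL)
  AND plugin IN ('mysql_native_password', 'sha256_password');
```

After this, the `mysql -uroot` login shown in the report should fail with the same ERROR 1045 that `mysql -uhive` produces.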