[
https://issues.apache.org/jira/browse/AMBARI-20949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Doroszlai, Attila updated AMBARI-20949:
---------------------------------------
Component/s: ambari-server (was: ambari-sever)
> Securing the root account for mysql shouldn't be an advanced feature
> ---------------------------------------------------------------------
>
> Key: AMBARI-20949
> URL: https://issues.apache.org/jira/browse/AMBARI-20949
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Affects Versions: 2.4.2
> Environment: *
> Reporter: Kat Petre
>
> Ambari server does a nice job at installing the internal mysql db and
> creating the service [i.e: hive] databases in a secure manner.
> ```
> [noobie@hdp-2 ~]: mysql -uhive
> ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using
> password: NO)
> ```
> However, the mysql root account is wide open.
> ```
> [noobie@hdp-2 ~]: mysql -uroot
> Welcome to the MySQL monitor. Commands end with ; or \g.
> ```
> In the spirit of secure by default, it would be nice if the installer
> prompted the users to secure their mysql root password, without needing to go
> into advanced configurations.
> Might also want to send users a gentle reminder that they should manually secure
> their mysql database, if they used the default settings.
> CVSS would classify this as "important impact"
> https://access.redhat.com/security/updates/classification
> For what it's worth, securing mysql is relatively painless.
> https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html
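A check for the condition reported above, as an added example that is not part of the original issue or of Ambari: it reads rows from `mysql.user` and lists the accounts that accept a login with no password. It assumes MySQL 5.7 column names (`plugin`, `authentication_string`); the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Audit helper: list MySQL accounts that accept a login with no password.
# Input on stdin: tab-separated rows "user<TAB>host<TAB>plugin<TAB>credential",
# as produced by a batch query against mysql.user, for example:
#   mysql -uroot -p -N -B -e \
#     "SELECT user, host, plugin, authentication_string FROM mysql.user"
# Assumption: MySQL 5.7 column names. Older servers keep the hash in the
# `Password` column instead of `authentication_string`.

find_passwordless_accounts() {
  awk -F'\t' '
    # Socket plugins authenticate by OS user, so an empty credential
    # there does not mean the account is open.
    $3 == "auth_socket" || $3 == "unix_socket" { next }
    # Empty or NULL credential: the account logs in without a password.
    $4 == "" || $4 == "NULL" {
      printf "%s@%s\n", ($1 == "" ? "(anonymous)" : $1), $2
    }
  '
}

# Constructed sample rows (not taken from a real server).
sample_rows() {
  printf 'root\tlocalhost\tmysql_native_password\t\n'
  printf 'root\thdp-2\tmysql_native_password\t\n'
  printf 'hive\tlocalhost\tmysql_native_password\t*CONSTRUCTED_HASH_PLACEHOLDER\n'
  printf '\tlocalhost\tmysql_native_password\t\n'
  printf 'backup\tlocalhost\tauth_socket\t\n'
}

# Run the audit over the constructed rows.
audit_sample() { sample_rows | find_passwordless_accounts; }

audit_sample
```

Any account this prints needs a password set or needs to be dropped, which is what the `mysql_secure_installation` procedure linked above covers for root and anonymous users.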