[ 
https://issues.apache.org/jira/browse/AMBARI-20949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kat Petre updated AMBARI-20949:
-------------------------------
    Description: 
Ambari server does a nice job at installing the internal mysql db and creating 
the service [i.e: hive] databases in a secure manner. 
{code:java}
[noobie@hdp-2 ~]: mysql -uhive
ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password: NO)
{code}

However, the mysql root account is wide open. 
{code:java}
[noobie@hdp-2 ~]: mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
{code}
In the spirit of secure by default, it would be nice if the installer prompted 
the users to secure their mysql root password, without needing to go into 
advanced configurations.

Might also want to send users a gentle reminder that they should manually secure 
their mysql database, if they used the default settings.
CVSS would classify this as "important impact" 
[https://access.redhat.com/security/updates/classification]

For what it's worth, securing mysql is relatively painless. 
 [https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html]

  was:
Ambari server does a nice job at installing the internal mysql db and creating 
the service [i.e: hive] databases in a secure manner. 
```
[noobie@hdp-2 ~]: mysql -uhive
ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password: NO)
```
However, the mysql root account is wide open. 
```
[noobie@hdp-2 ~]: mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
```

In the spirit of secure by default, it would be nice if the installer prompted 
the users to secure their mysql root password, without needing to go into 
advanced configurations.  


Might also want to send users a gentle reminder that they should manually secure 
their mysql database, if they used the default settings.
CVSS would classify this as "important impact" 
https://access.redhat.com/security/updates/classification 

For what it's worth, securing mysql is relatively painless. 
https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html


> Securing the root account for mysql shouldn't be an advanced feature 
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-20949
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20949
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.4.2
>         Environment: *
>            Reporter: Kat Petre
>            Priority: Major
>
> Ambari server does a nice job at installing the internal mysql db and 
> creating the service [i.e: hive] databases in a secure manner. 
> {code:java}
> [noobie@hdp-2 ~]: mysql -uhive
> ERROR 1045 (28000): Access denied for user 'hive'@'localhost' (using password: NO)
> {code}
> However, the mysql root account is wide open. 
> {code:java}
> [noobie@hdp-2 ~]: mysql -uroot
> Welcome to the MySQL monitor. Commands end with ; or \g.
> {code}
> In the spirit of secure by default, it would be nice if the installer 
> prompted the users to secure their mysql root password, without needing to go 
> into advanced configurations.
> Might also want to send users a gentle reminder that they should manually secure 
> their mysql database, if they used the default settings.
> CVSS would classify this as "important impact" 
> [https://access.redhat.com/security/updates/classification]
> For what it's worth, securing mysql is relatively painless. 
>  [https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
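
An added example, not part of the original issue or of Ambari's code: a small audit that an installer or administrator could run to find accounts in the state the report describes (root accepting a login with no password). It assumes the MySQL 5.7 `mysql.user` column layout from the linked manual; the function name and the sample rows are constructed for illustration.

```python
# Query to run as an administrator, for example:
#   mysql -N -B -e "<AUDIT_QUERY>"
# Column names follow the MySQL 5.7 mysql.user table (assumption).
AUDIT_QUERY = (
    "SELECT user, host, plugin, authentication_string, account_locked "
    "FROM mysql.user"
)

# Plugins that authenticate against a stored password hash. With these, an
# empty hash means the account accepts a login with no password at all.
PASSWORD_PLUGINS = {"mysql_native_password", "sha256_password"}


def passwordless_accounts(batch_output):
    """Return (user, host) pairs that can log in without a password.

    batch_output is the tab-separated text printed by `mysql -N -B`
    for AUDIT_QUERY. An empty user name is the anonymous account.
    """
    findings = []
    for line in batch_output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError("unexpected row: %r" % line)
        user, host, plugin, auth, locked = fields
        if locked == "Y":
            continue  # locked accounts cannot log in
        if plugin not in PASSWORD_PLUGINS:
            continue  # e.g. auth_socket checks the OS user, not a password
        if auth in ("", "NULL"):
            findings.append((user, host))
    return findings


# Constructed sample output; the hash values are placeholders, not real hashes.
SAMPLE = "\n".join([
    "root\tlocalhost\tmysql_native_password\t\tN",
    "root\t127.0.0.1\tmysql_native_password\t\tN",
    "hive\tlocalhost\tmysql_native_password\t*CONSTRUCTED_HASH_PLACEHOLDER\tN",
    "mysql.sys\tlocalhost\tmysql_native_password\t*CONSTRUCTED_LOCKED\tY",
    "\tlocalhost\tmysql_native_password\t\tN",
    "backup\tlocalhost\tauth_socket\t\tN",
])

if __name__ == "__main__":
    for user, host in passwordless_accounts(SAMPLE):
        print("no password set: %r@%r" % (user, host))
```

Any account this reports should be given a password or removed, which is what `mysql_secure_installation` walks through interactively.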