Page MenuHomePhabricator
Create Task
Maniphest T170066

MySQL password for research@analytics-store.eqiad.wmnet publicly revealed
Closed, ResolvedPublic
Actions

Description

The password for the research user on the analytics-store database was publicly pasted in T170052: Access rights for HDFS on stat100* for Sqoop tasks. Kudos to @Peachey88 to for noticing.

I confirmed this was the real password by logging into tin and trying to connect through mysql.

Related Objects

Event Timeline

Legoktm created this task.Jul 9 2017, 3:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2017, 3:19 AM
Legoktm added a project: DBA.Jul 9 2017, 3:19 AM
Legoktm mentioned this in T170052: Access rights for HDFS on stat100* for Sqoop tasks.
Legoktm updated the task description. (Show Details)Jul 9 2017, 3:28 AM
Peachey88 moved this task from Backlog / Other to Other WMF team on the acl*security board.Jul 9 2017, 6:45 AM
elukey added a project: Analytics.Jul 9 2017, 7:23 AM
elukey subscribed.
Marostegui added subscribers: jcrespo, Marostegui.EditedJul 9 2017, 9:26 AM

@jcrespo @elukey I assume we have to change the password at:

private: modules/passwords/manifests/init.pp

For the research mysql user there.
The password on the pw repo for: research.mysql doesn't match the one on the init.pp (which seems like the correct one though as per the hash) so not sure if we have to update that one too or if that one is old.

And then manually change it on dbstore1002 and db1047 (research user isn't at db1046). Is there anything else that needs changing?

SET PASSWORD FOR 'research'@'%' = PASSWORD('newpass');
elukey added a comment.EditedJul 9 2017, 11:10 AM

Modified the password manually on dbstore1002 and db1047, plus updated the private puppet repo (init.pp) with the new password.

Marostegui moved this task from Triage to Done on the DBA board.Jul 10 2017, 5:23 AM
Peachey88 added a project: Wikimedia-Incident.Jul 11 2017, 7:21 AM
Peachey88 moved this task from Active investigation to Follow-up prevention on the Wikimedia-Incident board.
Legoktm added a comment.Jul 11 2017, 6:24 PM

Is there anything else left to do here?

Marostegui added a comment.Jul 11 2017, 7:21 PM

I don't think so

Legoktm closed this task as Resolved.Jul 11 2017, 7:43 PM
Legoktm assigned this task to elukey.
Legoktm removed a project: acl*security.
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Restricted Application added a project: acl*security. · View Herald TranscriptJul 11 2017, 7:43 PM
Addshore mentioned this in T170282: Grafana is not updated since 2017-07-09.Jul 12 2017, 9:42 AM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Krinkle edited projects, added Sustainability (Incident Followup); removed Wikimedia-Incident.Apr 28 2020, 9:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL