The Cassandra superuser on the AQS cluster is using the (obvious, well-known) default password.
Description
Description
Details
Details
- Risk Rating
- Low
- Author Affiliation
- WMF Technology Dept
Related Objects
Related Objects
Event Timeline
Comment Actions
I'll make a similar change to the private repo and apply it tomorrow, all being well. I might start with the old aqs servers, then promote it to the aqs_next servers once it's been shown to be harmless.
Comment Actions
I've now updated the private repo with cassandra::super_password entries for both aqs and aqs_next.
It turns out that this was all that was required and a puppet run does correctly update all of the /etc/cassandra-${instance}/cqlshrc files.
@Eevans - you can now read this file and then update the cassandra instances at your convenience. Is that OK, or would you prefer me to do it?
Comment Actions
@Eevans - if the creds have been rotated, I assume there are no other issues in making this task public?