Default Fuel Master password
Decrease possibility to access the cloud using default credentials
Fuel Master ships with the default credentials admin/admin.
An intruder can exploit this to gain access to the cloud.
- We will keep the default credentials (admin/admin) to preserve compatibility
with custom scripts that rely on them. The End User will be notified about
the risk this brings and advised to change the password.
- The user will be notified periodically until the default
- The password will be checked on every login. If it equals “admin”,
a warning box will be shown in the WebUI.
- The user will be asked (not forced) to change the default password in Fuel Menu.
- The Fuel User screen will be the first screen the user sees after
Fuel Menu is opened, and its position in the left menu will be changed to 1.
- There will be a non-intrusive warning (above the password input fields)
suggesting to change the password.
- We could listen to Keystone events to catch the “authorization” event, but:
  - it requires spawning another daemon to listen to the events,
  which is too complex a solution for such a simple feature.
- We could force the End User to change the password at some stage of Fuel Master
  - it is very secure, but we do not want to force the user to do anything, so we
  give them a choice whether to change it or not.
- We could generate a random password instead of “admin”, but:
  - How do we provide the password to the End User in a secure way?
  - How do we preserve compatibility with existing scripts?
The feature is intended to improve the End User’s security with respect to
unauthorized access to the cloud.
Other end user impact
Other deployer impact
- add a password checker to the login view in the WebUI
- add a new warning box
- add a warning to the Fuel User screen (in Fuel Menu) and change its position
in the left menu to 1.
- check that the warning box is visible after logging in using the password ‘admin’
- add default password checking to the OSTF tests in Health Check
- the warning box should be shown after logging in using the ‘admin’ password
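The two checks this spec asks for, the login-time warning in the WebUI and the Health Check probe for the shipped admin/admin pair, share one piece of logic: deciding whether the default password is still in use. The example below is added here to illustrate that logic; it is not Fuel's own code. The function names, the `LoginResult` type and the `fake_authenticate` user store are assumptions constructed for the example, standing in for the real Keystone call.

```python
import hmac
from dataclasses import dataclass

# Default credentials shipped with Fuel Master, as named in the spec.
DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "admin"


@dataclass
class LoginResult:
    authenticated: bool
    warn_default_password: bool


def uses_default_password(password: str) -> bool:
    """Return True when the submitted password is still the shipped default.

    hmac.compare_digest keeps the comparison constant-time, so the check
    itself does not leak how much of the candidate matched.
    """
    return hmac.compare_digest(password.encode(), DEFAULT_PASSWORD.encode())


def login(username: str, password: str, authenticate) -> LoginResult:
    """Authenticate through the supplied callback, then decide whether the
    WebUI should show the default-password warning box.

    The warning is raised only for a *successful* login: a failed attempt
    with "admin" says nothing about the real password, and warning on it
    would turn the warning box into a password oracle.
    """
    ok = authenticate(username, password)
    return LoginResult(
        authenticated=ok,
        warn_default_password=ok and uses_default_password(password),
    )


def default_credentials_health_check(authenticate):
    """Health Check style probe: does the shipped admin/admin pair still work?

    Returns (passed, message) so a test runner can report it like any other
    check. Hypothetical shape, not the OSTF API.
    """
    if authenticate(DEFAULT_USERNAME, DEFAULT_PASSWORD):
        return (False,
                "Fuel Master still accepts the default password 'admin' "
                "for user 'admin'; change it.")
    return True, "Default Fuel Master password has been changed."


# Constructed stand-in for the Keystone authentication call. A real
# deployment would call the auth endpoint; this hypothetical in-memory
# store exists only so the example runs offline.
_USERS = {"admin": "admin"}


def fake_authenticate(username: str, password: str) -> bool:
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())


if __name__ == "__main__":
    print(login("admin", "admin", fake_authenticate))
    print(default_credentials_health_check(fake_authenticate))
```

Both the WebUI view and the Health Check test can call `uses_default_password` / `default_credentials_health_check` without sharing any other state, which keeps the work items in this spec independent of each other.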