The configuration repository supplies well-known default passwords for services, typically defined in the defaults/main.yml file of each role. By convention all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.
It is incumbent upon you to ensure that these values are overridden if you are deploying a non-development environment. There are real-world examples of people losing their data because they had neither changed the default passwords nor blocked access to the services at the network level.
Please do both, and if you have questions about how to do so, ask on Slack.
Randomly Generated Passwords for New Deployments
One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the `-e@/path/to/file.yml` convention.
As of January 6, 2017, we recommend that you override at least the following values:
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
NOTIFIER_COMMENT_SERVICE_API_KEY: "{{ FORUM_API_KEY }}"
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null
This can be done easily from the bash command line. Add the content above to a file named `passwords.yml` and run the following command from the same directory in which you created the file. Note that the two `{{ ... }}` reference lines must be quoted as shown, because Ansible rejects unquoted values that begin with `{{`; the loop leaves them unchanged since they contain no `!!null`.
while IFS= read -r line; do REPLACE=$(< /dev/urandom LC_ALL=C tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/'$REPLACE'/"; done < ./passwords.yml > ./my-passwords.yml
The output should look something like the following:
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'
Keep the `my-passwords.yml` file in a safe location, ideally encrypted; Ansible Vault is one option for this.
When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.
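The one-liner above works, but it has no safeguards: it will happily overwrite an existing secrets file and gives no indication if a placeholder slips through. The following is an added example, not code from the edx/configuration repository: a hardened version of the same generation step with a verification pass. The function names (`random_password`, `verify_overrides`, `generate_overrides`), the 32-character minimum and the assumption that the template consists of `KEY: !!null` lines plus quoted `{{ ... }}` reference lines are mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the edx/configuration repository: a hardened
# version of the generation loop. Assumes a template of "KEY: !!null" lines in
# which "{{ ... }}" reference lines must pass through untouched; the 32-character
# minimum enforced below is an assumption.
set -eu

# One random alphanumeric secret of the requested length (35 as on the page).
# A fixed chunk of /dev/urandom is read so no stage depends on SIGPIPE.
random_password() {
    local length="${1:-35}" pool
    pool=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
    [ "${#pool}" -ge "$length" ] || { echo "not enough random data" >&2; return 1; }
    printf '%s' "$pool" | cut -c1-"$length"
}

# Fail unless every value in FILE is a quoted secret of at least 32 characters;
# blank lines and "{{ ... }}" references to other variables are skipped.
verify_overrides() {
    local file="$1" line key value
    if grep -Fq '!!null' "$file"; then
        echo "verify: $file still contains !!null placeholders" >&2; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '' | *'{{'*) continue ;; esac
        key="${line%%:*}"; value="${line#*: }"
        value="${value#\'}"; value="${value%\'}"
        if [ "${#value}" -lt 32 ]; then
            echo "verify: $key is shorter than 32 characters" >&2; return 1
        fi
    done < "$file"
}

# Rewrite TEMPLATE into OUTPUT, replacing every "!!null" with a fresh secret.
# Refuses to overwrite an existing OUTPUT, then verifies the result.
generate_overrides() {
    local template="$1" output="$2" line value
    if [ -e "$output" ]; then
        echo "refusing to overwrite existing $output" >&2; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *': !!null') value=$(random_password 35)
                         printf "%s: '%s'\n" "${line%: !!null}" "$value" ;;
            *)           printf '%s\n' "$line" ;;
        esac
    done < "$template" > "$output"
    verify_overrides "$output"
}
```

Run it as `generate_overrides ./passwords.yml ./my-passwords.yml`; a non-zero exit means the output was not generated or did not pass verification, so nothing should be deployed from it.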
Doing this on an already running system is another matter entirely. It is possible, but it requires more specific expertise in managing MySQL, MongoDB, RabbitMQ and Elasticsearch, since the credentials stored in each service must be rotated in step with the configuration.
Network Access
We strongly recommend that you review the ports that are exposed on your hosts regularly.
It is useful to run the following command from a host that is outside your Open edX instance's network, i.e. one that sees the instance the way the public internet does:
nmap -Pn -p- edx.mydomain.info
The fewer ports that are open the better. You should be concerned if any ports other than 443 and 22 are open. Ideally 22 (SSH) would also be limited to networks that you control.