The configuration repository supplies well-known default passwords for services, typically defined in the defaults/main.yml file of each role. By convention, all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.

It's incumbent upon you to ensure that these values are overridden if you are deploying a non-development environment. There are real-world examples of people losing their data because they had neither changed the default passwords nor blocked access to the services at the network level.

Please do both and if you have questions about how to do so, ask on slack.

Randomly Generated Passwords for New Deployments

One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.

As of January 6, 2017, we recommend that you override at least the following values:

passwords.yml
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
# Derived values: the references are quoted so YAML parses them as strings
# (an unquoted value starting with {{ is read as a flow mapping and fails to load).
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
NOTIFIER_COMMENT_SERVICE_API_KEY: "{{ FORUM_API_KEY }}"
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null

This can be done easily from the bash command line.  Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.

while IFS= read -r line; do
  # fresh 35-character alphanumeric value for every line (alphanumeric only, so it is safe inside the sed replacement)
  REPLACE=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 35)
  # only !!null placeholders are replaced; {{ ... }} references are passed through unchanged
  printf '%s\n' "$line" | sed 's/!!null/'"'$REPLACE'"'/'
done < ./passwords.yml > ./my-passwords.yml

This creates a new file named my-passwords.yml, and its content should look something like the following:

ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'

Keep the my-passwords.yml file in a safe location, ideally encrypted; Ansible Vault is one option for this.

When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.
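The same placeholder-filling step in Python, as an added example that is not part of the original page or the Open edX configuration repository: it draws the values from the secrets module, keeps the `{{ ... }}` references but quotes them so YAML loads them, and then audits the rendered file for leftover `!!null` entries, references to undefined keys, and values matching a caller-supplied list of known defaults. The template below is a constructed subset of passwords.yml, and the `known_defaults` list is whatever you supply.

```python
import re
import secrets
import string
# Constructed subset of the passwords.yml template shown above (not the full list).
TEMPLATE = """\
COMMON_MYSQL_ADMIN_PASS: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: {{ MONGO_ADMIN_PASSWORD }}
FORUM_API_KEY: !!null
NOTIFIER_COMMENT_SERVICE_API_KEY: {{ FORUM_API_KEY }}
"""
ALPHABET = string.ascii_letters + string.digits
PLACEHOLDER = "!!null"
REF_RE = re.compile(r"^\{\{\s*(\w+)\s*\}\}$")  # a {{ OTHER_VAR }} reference

def generate_secret(length=35):
    """CSPRNG-backed alphanumeric value (same alphabet and length as the tr | head pipeline)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def fill_placeholders(template_text, length=35):
    """Give each `KEY: !!null` a fresh single-quoted secret; keep `{{ REF }}` values but
    double-quote them so YAML parses them as strings rather than flow mappings."""
    values, out = {}, []
    for line in template_text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if value == PLACEHOLDER:
            values[key] = generate_secret(length)
            out.append(f"{key}: '{values[key]}'")
        elif REF_RE.match(value):
            out.append(f'{key}: "{value}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n", values

def audit(rendered_text, known_defaults=()):
    """Findings for a rendered file: leftover placeholders, dangling references, known defaults."""
    lines = rendered_text.splitlines()
    keys = {ln.partition(":")[0].strip() for ln in lines if ":" in ln}
    findings = []
    for line in lines:
        key, _, value = (p.strip() for p in line.partition(":"))
        value = value.strip("'\"")  # compare the bare value, whichever quoting was used
        if PLACEHOLDER in value:
            findings.append(f"{key}: still {PLACEHOLDER}")
        ref = REF_RE.match(value)
        if ref and ref.group(1) not in keys:
            findings.append(f"{key}: references undefined {ref.group(1)}")
        if value and value in known_defaults:
            findings.append(f"{key}: uses a known default value")
    return findings
```

Run `audit()` against the file you actually pass to ansible-playbook, not just the freshly generated one, so edits made later do not reintroduce a placeholder or a default.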

Doing this on an already running system is another matter entirely. It is possible, but requires more specific expertise in managing MySQL, MongoDB, RabbitMQ and Elasticsearch.

Network Access

We strongly recommend that you review the ports that are exposed on your hosts regularly. 

Running the following command from a host that sits outside your Open edX instance's network, so that it sees the instance as the public internet does, is useful:

nmap -Pn -p- edx.mydomain.info

The fewer ports that are open the better. You should be concerned if anything beyond 443 and 22 is open, and ideally port 22 (SSH) would also be limited to networks that you control.