[james-page,r=gnuoy,r=dosaboy] Fix grant race in access-network configurations.
Ensure that access is not granted until a remote IP address is presented that is in the CIDR for access-network.
commit
8e9ad2a51c
|
@ -429,6 +429,9 @@ def shared_db_changed(relation_id=None, unit=None):
|
|||
access_network = config('access-network')
|
||||
db_helper = get_db_helper()
|
||||
|
||||
peer_store_and_set(relation_id=relation_id,
|
||||
relation_settings={'access-network': access_network})
|
||||
|
||||
singleset = set(['database', 'username', 'hostname'])
|
||||
if singleset.issubset(settings):
|
||||
# Process a single database configuration
|
||||
|
@ -436,6 +439,15 @@ def shared_db_changed(relation_id=None, unit=None):
|
|||
database = settings['database']
|
||||
username = settings['username']
|
||||
|
||||
normalized_address = get_host_ip(hostname)
|
||||
if access_network and not is_address_in_network(access_network,
|
||||
normalized_address):
|
||||
# NOTE: for configurations using access-network, only setup
|
||||
# database access if remote unit has presented a
|
||||
# hostname or ip address thats within the configured
|
||||
# network cidr
|
||||
return
|
||||
|
||||
# NOTE: do this before querying access grants
|
||||
password = configure_db_for_hosts(hostname, database, username,
|
||||
db_helper)
|
||||
|
@ -485,6 +497,16 @@ def shared_db_changed(relation_id=None, unit=None):
|
|||
hostname = databases[db]['hostname']
|
||||
username = databases[db]['username']
|
||||
|
||||
normalized_address = get_host_ip(hostname)
|
||||
if (access_network and
|
||||
not is_address_in_network(access_network,
|
||||
normalized_address)):
|
||||
# NOTE: for configurations using access-network,
|
||||
# only setup database access if remote unit
|
||||
# has presented a hostname or ip address
|
||||
# thats within the configured network cidr
|
||||
return
|
||||
|
||||
# NOTE: do this before querying access grants
|
||||
password = configure_db_for_hosts(hostname, database, username,
|
||||
db_helper)
|
||||
|
@ -509,9 +531,6 @@ def shared_db_changed(relation_id=None, unit=None):
|
|||
else:
|
||||
log("No return data - not setting relation settings", level=DEBUG)
|
||||
|
||||
peer_store_and_set(relation_id=relation_id,
|
||||
relation_settings={'access-network': access_network})
|
||||
|
||||
|
||||
@hooks.hook('ha-relation-joined')
|
||||
def ha_relation_joined():
|
||||
|
|
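Review bot: The early `return` added in the second and third hunks withholds the grant without writing anything to the unit log, so an operator troubleshooting a relation that never converges cannot tell that the remote unit presented an address outside access-network; the neighbouring branch in this function does log its decision (`log("No return data - not setting relation settings", level=DEBUG)`). Add a line before each return such as `log("%s not in access-network %s, deferring grant" % (normalized_address, access_network), level=DEBUG)`. The address check is duplicated verbatim between the two hunks; a small helper taking `access_network` and `hostname` would keep the single- and multi-database paths from drifting apart. In the third hunk the `return` appears to sit inside the per-database loop, so one out-of-network hostname abandons every remaining database in the same request — if different databases can legitimately present different hostnames, `continue` may be what is intended; confirm. shared_db_changed begins and ends outside these hunks.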