Allow root mysql within environment
* Allow connections to mysql as root only from IP-addresses within environment * Updated direct_networks function * Provided and updated noop tests Closes-Bug: 1471956 Change-Id: Ia873292d6b05f612642e055d1d0dc156a863bc34
This commit is contained in:
parent
99a4eafcb0
commit
91d2429d59
@ -4,19 +4,49 @@ directly attached to the host
|
|||||||
EOS
|
EOS
|
||||||
) do |argv|
|
) do |argv|
|
||||||
endpoints = argv[0]
|
endpoints = argv[0]
|
||||||
|
filter = argv[1]
|
||||||
|
netmask = argv[2]
|
||||||
networks = []
|
networks = []
|
||||||
|
|
||||||
endpoints.each{ |k,v|
|
class IPAddr
|
||||||
if v.has_key?('IP') and v['IP'].is_a?(Array)
|
def mask_length
|
||||||
v['IP'].each { |ip|
|
@mask_addr.to_s(2).count '1'
|
||||||
networks << IPAddr.new(ip).to_s + "/" + ip.split('/')[1]
|
|
||||||
}
|
|
||||||
end
|
end
|
||||||
if v.has_key?('routes') and v['routes'].is_a?(Array)
|
|
||||||
v['routes'].each { |route|
|
def cidr_to_netmask(cidr)
|
||||||
networks << route['net']
|
IPAddr.new('255.255.255.255').mask(cidr).to_s
|
||||||
}
|
|
||||||
end
|
end
|
||||||
}
|
|
||||||
|
def cidr
|
||||||
|
"#{to_s}/#{mask_length}"
|
||||||
|
end
|
||||||
|
|
||||||
|
def netmask
|
||||||
|
cidr = "#{mask_length}"
|
||||||
|
"#{to_s}/#{cidr_to_netmask(cidr)}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
endpoints.each do |interface, parameters|
|
||||||
|
next unless parameters.has_key? 'IP' and parameters['IP'].is_a? Array
|
||||||
|
next if filter and interface != filter
|
||||||
|
parameters['IP'].each do |ip|
|
||||||
|
next unless ip
|
||||||
|
if netmask and netmask == 'netmask'
|
||||||
|
networks << IPAddr.new(ip).netmask
|
||||||
|
else
|
||||||
|
networks << IPAddr.new(ip).cidr
|
||||||
|
end
|
||||||
|
end
|
||||||
|
next unless parameters.has_key? 'routes' and parameters['routes'].is_a? Array
|
||||||
|
parameters['routes'].each do |route|
|
||||||
|
next unless route.has_key? 'net'
|
||||||
|
if netmask and netmask == 'netmask'
|
||||||
|
networks << IPAddr.new(route['net']).netmask
|
||||||
|
else
|
||||||
|
networks << IPAddr.new(route['net']).cidr
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
return networks.join(' ')
|
return networks.join(' ')
|
||||||
end
|
end
|
||||||
|
17
deployment/puppet/osnailyfacter/manifests/mysql_grant.pp
Normal file
17
deployment/puppet/osnailyfacter/manifests/mysql_grant.pp
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# == Class definition osnailyfacter::mysql_grant
|
||||||
|
#
|
||||||
|
# Class for mysql grant permissions
|
||||||
|
#
|
||||||
|
# [*user*]
|
||||||
|
# Mysql username
|
||||||
|
#
|
||||||
|
# [*network*]
|
||||||
|
# Array of specific IPs or Networks or Hostnames
|
||||||
|
# to access the database with user
|
||||||
|
#
|
||||||
|
define osnailyfacter::mysql_grant ( $user = '',
|
||||||
|
$network = $name ) {
|
||||||
|
exec { "mysql_${user}_${network}":
|
||||||
|
command => "mysql -NBe \"grant all on *.* to \'${user}\'@\'${network}\' with grant option\"",
|
||||||
|
}
|
||||||
|
}
|
@ -1,41 +0,0 @@
|
|||||||
# == Class osnailyfacter::mysql_root
|
|
||||||
#
|
|
||||||
# Class for root grant permissions
|
|
||||||
#
|
|
||||||
# [*password*]
|
|
||||||
# Password to use with root user
|
|
||||||
#
|
|
||||||
class osnailyfacter::mysql_root (
|
|
||||||
$password = '',
|
|
||||||
) {
|
|
||||||
|
|
||||||
Exec {
|
|
||||||
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
|
|
||||||
creates => '/root/.my.cnf',
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'mysql_drop_test' :
|
|
||||||
command => "mysql -NBe \"drop database if exists test\"",
|
|
||||||
} ->
|
|
||||||
|
|
||||||
exec { 'mysql_root_%' :
|
|
||||||
command => "mysql -NBe \"grant all on *.* to 'root'@'%' with grant option\"",
|
|
||||||
} ->
|
|
||||||
|
|
||||||
exec { 'mysql_root_localhost' :
|
|
||||||
command => "mysql -NBe \"grant all on *.* to 'root'@'localhost' with grant option\"",
|
|
||||||
} ->
|
|
||||||
|
|
||||||
exec { 'mysql_root_127.0.0.1' :
|
|
||||||
command => "mysql -NBe \"grant all on *.* to 'root'@'127.0.0.1' with grant option\"",
|
|
||||||
} ->
|
|
||||||
|
|
||||||
exec { 'mysql_root_password' :
|
|
||||||
command => "mysql -NBe \"update mysql.user set password = password('${password}') where user = 'root'\"",
|
|
||||||
} ->
|
|
||||||
|
|
||||||
exec { 'mysql_flush_privileges' :
|
|
||||||
command => "mysql -NBe \"flush privileges\"",
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
43
deployment/puppet/osnailyfacter/manifests/mysql_user.pp
Normal file
43
deployment/puppet/osnailyfacter/manifests/mysql_user.pp
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
# == Class osnailyfacter::mysql_user
|
||||||
|
#
|
||||||
|
# Class for mysql user creation and grant permissions
|
||||||
|
#
|
||||||
|
# [*user*]
|
||||||
|
# (optional) Mysql user name. Default 'root'
|
||||||
|
#
|
||||||
|
# [*password*]
|
||||||
|
# Password to use with mysql user
|
||||||
|
#
|
||||||
|
# [*access_networks*]
|
||||||
|
# Array of specific IPs or Networks or Hostnames
|
||||||
|
# to access the database with mysql user.
|
||||||
|
# Default '127.0.0.1'
|
||||||
|
#
|
||||||
|
class osnailyfacter::mysql_user (
|
||||||
|
$user = 'root',
|
||||||
|
$password = '',
|
||||||
|
$access_networks = '127.0.0.1',
|
||||||
|
) {
|
||||||
|
|
||||||
|
Exec {
|
||||||
|
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
|
||||||
|
creates => '/root/.my.cnf',
|
||||||
|
}
|
||||||
|
|
||||||
|
exec { 'mysql_drop_test' :
|
||||||
|
command => "mysql -NBe \"drop database if exists test\"",
|
||||||
|
} ->
|
||||||
|
|
||||||
|
osnailyfacter::mysql_grant { $access_networks:
|
||||||
|
user => $user,
|
||||||
|
} ->
|
||||||
|
|
||||||
|
exec { "mysql_${user}_password" :
|
||||||
|
command => "mysql -NBe \"update mysql.user set password = password('${password}') where user = \'${user}\'\"",
|
||||||
|
} ->
|
||||||
|
|
||||||
|
exec { 'mysql_flush_privileges' :
|
||||||
|
command => "mysql -NBe \"flush privileges\"",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -8,6 +8,10 @@ $mysql_hash = hiera_hash('mysql', {})
|
|||||||
$management_vip = hiera('management_vip')
|
$management_vip = hiera('management_vip')
|
||||||
$database_vip = hiera('database_vip', $management_vip)
|
$database_vip = hiera('database_vip', $management_vip)
|
||||||
|
|
||||||
|
$network_scheme = hiera('network_scheme', {})
|
||||||
|
$direct_networks = split(direct_networks($network_scheme['endpoints'], 'br-mgmt', 'netmask'), ' ')
|
||||||
|
$access_networks = flatten(['localhost', '127.0.0.1', $direct_networks])
|
||||||
|
|
||||||
$haproxy_stats_port = '10000'
|
$haproxy_stats_port = '10000'
|
||||||
$haproxy_stats_url = "http://${database_vip}:${haproxy_stats_port}/;csv"
|
$haproxy_stats_url = "http://${database_vip}:${haproxy_stats_port}/;csv"
|
||||||
|
|
||||||
@ -71,8 +75,9 @@ if $enabled {
|
|||||||
config_hash => $config_hash_real,
|
config_hash => $config_hash_real,
|
||||||
}
|
}
|
||||||
|
|
||||||
class { 'osnailyfacter::mysql_root':
|
class { 'osnailyfacter::mysql_user':
|
||||||
password => $mysql_database_password,
|
password => $mysql_database_password,
|
||||||
|
access_networks => $direct_networks,
|
||||||
}
|
}
|
||||||
|
|
||||||
exec { 'initial_access_config':
|
exec { 'initial_access_config':
|
||||||
@ -114,7 +119,7 @@ if $enabled {
|
|||||||
|
|
||||||
Package['socat'] ->
|
Package['socat'] ->
|
||||||
Class['mysql::server'] ->
|
Class['mysql::server'] ->
|
||||||
Class['osnailyfacter::mysql_root'] ->
|
Class['osnailyfacter::mysql_user'] ->
|
||||||
Exec['initial_access_config'] ->
|
Exec['initial_access_config'] ->
|
||||||
Class['openstack::galera::status'] ->
|
Class['openstack::galera::status'] ->
|
||||||
Haproxy_backend_status['mysql'] ->
|
Haproxy_backend_status['mysql'] ->
|
||||||
|
@ -4,44 +4,27 @@ manifest = 'cluster-haproxy/cluster-haproxy.pp'
|
|||||||
|
|
||||||
describe manifest do
|
describe manifest do
|
||||||
shared_examples 'catalog' do
|
shared_examples 'catalog' do
|
||||||
|
let(:endpoints) do
|
||||||
|
Noop.hiera('network_scheme', {}).fetch('endpoints', {})
|
||||||
|
end
|
||||||
|
|
||||||
networks = []
|
let(:scope) do
|
||||||
endpoints = Noop.hiera_structure 'network_scheme/endpoints'
|
scope = PuppetlabsSpec::PuppetInternals.scope
|
||||||
management_vip = Noop.hiera 'management_vip'
|
Puppet::Parser::Functions.autoloader.loadall unless scope.respond_to? :function_direct_networks
|
||||||
endpoints.each{ |k,v|
|
scope
|
||||||
if v['IP'].is_a?(Array)
|
end
|
||||||
v['IP'].each { |ip|
|
|
||||||
networks << IPAddr.new(ip).to_s + '/' + ip.split('/')[1]
|
|
||||||
}
|
|
||||||
end
|
|
||||||
if v.has_key?('routes') and v['routes'].is_a?(Array)
|
|
||||||
v['routes'].each { |route|
|
|
||||||
networks << route['net']
|
|
||||||
}
|
|
||||||
end
|
|
||||||
}
|
|
||||||
|
|
||||||
it "should delcare cluster::haproxy with other_networks set to #{networks.join(' ')}" do
|
let(:other_networks) do
|
||||||
should contain_class('cluster::haproxy').with(
|
scope.function_direct_networks [endpoints]
|
||||||
'other_networks' => networks.join(' '),
|
end
|
||||||
|
|
||||||
|
it "should delcare cluster::haproxy with correct other_networks" do
|
||||||
|
expect(subject).to contain_class('cluster::haproxy').with(
|
||||||
|
'other_networks' => other_networks,
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
it "should contain stats fragment and listen only on lo and #{management_vip}" do
|
|
||||||
should contain_concat__fragment('haproxy-stats').with_content(
|
|
||||||
%r{\n\s*bind\s+127\.0\.0\.1:10000\s*$\n}
|
|
||||||
)
|
|
||||||
should contain_concat__fragment('haproxy-stats').with_content(
|
|
||||||
%r{\n\s*bind\s+#{management_vip}:10000\s*\n}
|
|
||||||
)
|
|
||||||
end
|
|
||||||
it "should not contain stats enable for defaults and global section" do
|
|
||||||
should contain_concat__fragment('haproxy-base').without_content(
|
|
||||||
%r{\n\s*stats\s+enable\s*$\n}
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test_ubuntu_and_centos manifest
|
test_ubuntu_and_centos manifest
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -3,25 +3,25 @@ require 'shared-examples'
|
|||||||
manifest = 'cluster-vrouter/cluster-vrouter.pp'
|
manifest = 'cluster-vrouter/cluster-vrouter.pp'
|
||||||
|
|
||||||
describe manifest do
|
describe manifest do
|
||||||
shared_examples 'puppet catalogue' do
|
|
||||||
settings = Noop.fuel_settings
|
|
||||||
networks = []
|
|
||||||
settings['network_scheme']['endpoints'].each{ |k,v|
|
|
||||||
if v['IP'].is_a?(Array)
|
|
||||||
v['IP'].each { |ip|
|
|
||||||
networks << IPAddr.new(ip).to_s + "/" + ip.split('/')[1]
|
|
||||||
}
|
|
||||||
end
|
|
||||||
if v.has_key?('routes') and v['routes'].is_a?(Array)
|
|
||||||
v['routes'].each { |route|
|
|
||||||
networks << route['net']
|
|
||||||
}
|
|
||||||
end
|
|
||||||
}
|
|
||||||
|
|
||||||
it "should delcare cluster::vrouter_ocf with other_networks set to #{networks.join(' ')}" do
|
shared_examples 'catalog' do
|
||||||
should contain_class('cluster::vrouter_ocf').with(
|
let(:endpoints) do
|
||||||
'other_networks' => networks.join(' '),
|
Noop.hiera('network_scheme', {}).fetch('endpoints', {})
|
||||||
|
end
|
||||||
|
|
||||||
|
let(:scope) do
|
||||||
|
scope = PuppetlabsSpec::PuppetInternals.scope
|
||||||
|
Puppet::Parser::Functions.autoloader.loadall unless scope.respond_to? :function_direct_networks
|
||||||
|
scope
|
||||||
|
end
|
||||||
|
|
||||||
|
let(:other_networks) do
|
||||||
|
scope.function_direct_networks [endpoints]
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should delcare cluster::vrouter_ocf with correct other_networks" do
|
||||||
|
expect(subject).to contain_class('cluster::vrouter_ocf').with(
|
||||||
|
'other_networks' => other_networks,
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -4,15 +4,34 @@ manifest = 'database/database.pp'
|
|||||||
|
|
||||||
describe manifest do
|
describe manifest do
|
||||||
shared_examples 'catalog' do
|
shared_examples 'catalog' do
|
||||||
#nodes = Noop.hiera 'nodes'
|
let(:endpoints) do
|
||||||
it { should contain_class('mysql::server').that_comes_before('Class[osnailyfacter::mysql_root]') }
|
Noop.hiera('network_scheme', {}).fetch('endpoints', {})
|
||||||
|
end
|
||||||
|
|
||||||
|
let(:scope) do
|
||||||
|
scope = PuppetlabsSpec::PuppetInternals.scope
|
||||||
|
Puppet::Parser::Functions.autoloader.loadall unless scope.respond_to? :function_direct_networks
|
||||||
|
scope
|
||||||
|
end
|
||||||
|
|
||||||
|
let(:other_networks) do
|
||||||
|
scope.function_direct_networks [endpoints, 'br-mgmt', 'netmask']
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should delcare osnailyfacter::mysql_user with correct other_networks" do
|
||||||
|
expect(subject).to contain_class('osnailyfacter::mysql_user').with(
|
||||||
|
'user' => 'root',
|
||||||
|
'access_networks' => other_networks,
|
||||||
|
).that_comes_before('Exec[initial_access_config]')
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_class('mysql::server').that_comes_before('Osnailyfacter::Mysql_user') }
|
||||||
it { should contain_class('osnailyfacter::mysql_access') }
|
it { should contain_class('osnailyfacter::mysql_access') }
|
||||||
it { should contain_class('osnailyfacter::mysql_root').that_comes_before('Exec[initial_access_config]') }
|
|
||||||
it { should contain_class('openstack::galera::status').that_comes_before('Haproxy_backend_status[mysql]') }
|
it { should contain_class('openstack::galera::status').that_comes_before('Haproxy_backend_status[mysql]') }
|
||||||
it { should contain_haproxy_backend_status('mysql').that_comes_before('Class[osnailyfacter::mysql_access]') }
|
it { should contain_haproxy_backend_status('mysql').that_comes_before('Class[osnailyfacter::mysql_access]') }
|
||||||
it { should contain_package('socat').that_comes_before('Class[mysql::server]') }
|
it { should contain_package('socat').that_comes_before('Class[mysql::server]') }
|
||||||
end
|
|
||||||
|
|
||||||
|
end
|
||||||
test_ubuntu_and_centos manifest
|
test_ubuntu_and_centos manifest
|
||||||
end
|
end
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user