From a4568f31e2e9d09c8f318a9d938c9a16f0da59ef Mon Sep 17 00:00:00 2001
From: Sophie Huang
Date: Fri, 17 Jan 2020 22:29:27 +0000
Subject: [PATCH] Add audit user to Mariadb

An audit user is added to Mariadb with only the SELECT permission to mysql database user table for database user audit purposes.

Change-Id: I5d046dd263e0994fea66e69359931b7dba4a766c
---
 mariadb/templates/bin/_start.py.tpl | 70 ++++++++++++++-----
 .../templates/secret-dbaudit-password.yaml | 27 +++++++
 mariadb/templates/statefulset.yaml | 9 +++
 mariadb/values.yaml | 4 ++
 4 files changed, 92 insertions(+), 18 deletions(-)
 create mode 100644 mariadb/templates/secret-dbaudit-password.yaml

diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl
index f53cffb69..b20d55786 100644
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@@ -99,6 +99,12 @@ if check_env_var("MYSQL_DBSST_USERNAME"):
 mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME']
 if check_env_var("MYSQL_DBSST_PASSWORD"):
 mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD']
+if check_env_var("MYSQL_DBAUDIT_USERNAME"):
+ mysql_dbaudit_username = os.environ['MYSQL_DBAUDIT_USERNAME']
+else:
+ mysql_dbaudit_username = ''
+if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
+ mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']
 if mysql_dbadmin_username == mysql_dbsst_username:
 logger.critical(
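Review bot: The new `MYSQL_DBAUDIT_PASSWORD` branch has no `else`, so a pod that sets the username but not the password leaves `mysql_dbaudit_password` unbound and the audit branch of the bootstrap templates later fails with a NameError instead of a clear message; add `else: logger.critical("MYSQL_DBAUDIT_PASSWORD is required when MYSQL_DBAUDIT_USERNAME is set")` followed by whatever exit the existing critical path uses (that exit is outside the hunk). The name-collision check that follows, `if mysql_dbadmin_username == mysql_dbsst_username:`, is not extended to the audit user, and because the templates use `CREATE OR REPLACE USER` an audit name equal to the admin name would recreate the admin account with only `SELECT ON mysql.user`; extend the condition with `or mysql_dbaudit_username in (mysql_dbadmin_username, mysql_dbsst_username)`. The body of that check continues past the end of the hunk.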
@@ -258,16 +264,31 @@ def mysqld_bootstrap():
 'mysql_install_db', '--user=mysql',
 "--datadir={0}".format(mysql_data_dir)
 ], logger)
- template = (
- "DELETE FROM mysql.user ;\n"
- "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
- "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
- "DROP DATABASE IF EXISTS test ;\n"
- "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
- "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
- "FLUSH PRIVILEGES ;\n"
- "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
- mysql_dbsst_username, mysql_dbsst_password))
+ if not mysql_dbaudit_username:
+ template = (
+ "DELETE FROM mysql.user ;\n"
+ "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+ "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+ "DROP DATABASE IF EXISTS test ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+ "FLUSH PRIVILEGES ;\n"
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password))
+ else:
+ template = (
+ "DELETE FROM mysql.user ;\n"
+ "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+ "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+ "DROP DATABASE IF EXISTS test ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+ "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+ "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+ "FLUSH PRIVILEGES ;\n"
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password,
+ mysql_dbaudit_username, mysql_dbaudit_password))
 bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
 with open(bootstrap_sql_file, 'w') as f:
 f.write(template)
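Review bot: `GRANT SELECT ON mysql.user TO '{4}'@'%'` exposes the whole table, which holds every account's password hash and authentication data, to a principal that may connect from any host, whereas the sst user created on the line above is pinned to `127.0.0.1`. If the audit consumer only needs to enumerate accounts, a column grant `GRANT SELECT (Host, User) ON mysql.user TO '{4}'@'%' ;` (MariaDB supports column-level SELECT) keeps the hashes out of reach, and the host part should be narrowed if the auditor's source address is known. Both templates also interpolate the secrets into single-quoted SQL via `.format`, so a generated password containing `'` or `\` breaks or alters the bootstrap script; that pattern predates this change but now covers a third secret and deserves at least a comment. The two near-identical templates differ only by the audit statements, so building the statement list once and appending the audit pair conditionally (below) leaves a single place to tighten the grant; `mysqld_bootstrap` continues outside the hunk on both sides.
```python
    statements = [
        "DELETE FROM mysql.user ;",
        "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY '{1}' ;".format(mysql_dbadmin_username, mysql_dbadmin_password),
        "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;".format(mysql_dbadmin_username),
        "DROP DATABASE IF EXISTS test ;",
        "CREATE OR REPLACE USER '{0}'@'127.0.0.1' IDENTIFIED BY '{1}' ;".format(mysql_dbsst_username, mysql_dbsst_password),
        "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{0}'@'127.0.0.1' ;".format(mysql_dbsst_username),
    ]
    if mysql_dbaudit_username:
        statements += [
            "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY '{1}' ;".format(mysql_dbaudit_username, mysql_dbaudit_password),
            # Only the account identity columns: mysql.user also stores password hashes.
            "GRANT SELECT (Host, User) ON mysql.user TO '{0}'@'%' ;".format(mysql_dbaudit_username),
        ]
    statements += ["FLUSH PRIVILEGES ;", "SHUTDOWN ;"]
    template = "\n".join(statements)
    # ... unchanged: write template to bootstrap_sql_file ...
```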
@@ -731,14 +752,27 @@ def run_mysqld(cluster='existing'):
 db_test_dir = "{0}/mysql".format(mysql_data_dir)
 if os.path.isdir(db_test_dir):
 logger.info("Setting the admin passwords to the current value")
- template = (
- "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
- "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
- "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
- "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
- "FLUSH PRIVILEGES ;\n"
- "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
- mysql_dbsst_username, mysql_dbsst_password))
+ if not mysql_dbaudit_username:
+ template = (
+ "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+ "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+ "FLUSH PRIVILEGES ;\n"
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password))
+ else:
+ template = (
+ "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+ "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+ "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+ "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+ "FLUSH PRIVILEGES ;\n"
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password,
+ mysql_dbaudit_username, mysql_dbaudit_password))
 bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
 with open(bootstrap_sql_file, 'w') as f:
 f.write(template)
diff --git a/mariadb/templates/secret-dbaudit-password.yaml b/mariadb/templates/secret-dbaudit-password.yaml
new file mode 100644
index 000000000..f3ca5bc0e
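Review bot: In this existing-datadir path the `if not mysql_dbaudit_username:` branch re-issues the admin and sst credentials but never touches an audit account provisioned by an earlier run, so disabling the feature or renaming the user on a later rollout leaves the old `'<name>'@'%'` account with `SELECT ON mysql.user` and its old password in place. The hunk cannot know the previous name, so at minimum mark it with `# NOTE: an audit user created by a previous run is not dropped when MYSQL_DBAUDIT_USERNAME is cleared` and document the limitation in values.yaml, or drop it by a name recorded from the prior run if the chart keeps one. The audit `CREATE OR REPLACE USER`/`GRANT` pair is duplicated verbatim from `mysqld_bootstrap`; a small helper returning those two statements would keep the privilege definition in one place so any later tightening applies to both paths. `run_mysqld` starts and ends outside the hunk.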
--- /dev/null
+++ b/mariadb/templates/secret-dbaudit-password.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_dbaudit_password }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mariadb-dbaudit-password
+type: Opaque
+data:
+ MYSQL_DBAUDIT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.audit.password | b64enc }}
+{{- end }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index ba344b2e1..03be6f47e 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -163,6 +163,15 @@ spec:
 secretKeyRef:
 name: mariadb-dbsst-password
 key: MYSQL_DBSST_PASSWORD
+ {{- if .Values.endpoints.oslo_db.auth.audit.username }}
+ - name: MYSQL_DBAUDIT_USERNAME
+ value: {{ .Values.endpoints.oslo_db.auth.audit.username }}
+ - name: MYSQL_DBAUDIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-dbaudit-password
+ key: MYSQL_DBAUDIT_PASSWORD
+ {{- end }}
 ports:
 - name: mysql
 protocol: TCP
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 7e766d806..c4adbd55f 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -462,6 +462,9 @@ endpoints:
 sst:
 username: sst
 password: password
+ audit:
+ username: audit
+ password: password
 exporter:
 username: exporter
 password: password
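Review bot: The Secret is rendered whenever `manifests.secret_dbaudit_password` is true, independent of the `audit.username` gate the statefulset uses, so with the shipped default of `password: password` every release creates a Secret holding a known value even when no audit user is configured; gate it on both, `{{- if and .Values.manifests.secret_dbaudit_password .Values.endpoints.oslo_db.auth.audit.username }}`, so the Secret and the env block appear together. `$envAll` is assigned but never used in this template and can be dropped.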
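Review bot: `value: {{ .Values.endpoints.oslo_db.auth.audit.username }}` is emitted unquoted, so a username that YAML parses as a non-string (numeric, `yes`/`no`) produces an invalid env value; render it as `value: {{ .Values.endpoints.oslo_db.auth.audit.username | quote }}`. The env block is gated only on the username while the Secret it references is gated on `manifests.secret_dbaudit_password`; if the two settings disagree the pod references a missing Secret and will not start, which is worth a comment next to the `{{- if` line.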
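Review bot: The new `audit.password: password` default follows the existing sst/exporter pattern, but unlike the sst user this account is created at `'%'` and can read `mysql.user`, so a deployment that forgets to override it exposes that table to anyone who can reach the service with a guessable credential. Add a comment on these lines such as `# must be overridden: the audit user is network-reachable and can read mysql.user`, and consider defaulting `username` to empty so the account is opt-in, since the statefulset enables it whenever the username is non-empty.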
@@ -532,6 +535,7 @@ manifests:
 pod_test: true
 secret_dbadmin_password: true
 secret_sst_password: true
+ secret_dbaudit_password: true
 secret_etc: true
 service_discovery: true
 service_ingress: true