From 83653d442e6e009fa75233eae80e0914e41de912 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 18 Oct 2016 12:17:33 +0300
Subject: [PATCH] Add tls options to mysql user creation

This enables us to set several TLS requirements for the users created by the host_access resource.
Change-Id: If550f184f85f8fdbc197fc9f930d4446de67090a
---
 manifests/db/mysql.pp | 6 +++++
 manifests/db/mysql/host_access.pp | 6 +++++
 metadata.json | 2 +-
 ...-mysql-user-creation-172536d7f3963ce2.yaml | 6 +++++
 .../openstacklib_db_mysql_host_access_spec.rb | 3 ++-
 spec/defines/openstacklib_db_mysql_spec.rb | 22 ++++++++++++++++---
 6 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/Add-TLS-options-for-mysql-user-creation-172536d7f3963ce2.yaml
diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp
index dc70b5bd..c0514b4c 100644
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@@ -46,6 +46,10 @@
 # setup. Set to false to skip the user creation.
 # Defaults to true.
 #
+# [*tls_options*]
+# The TLS options that the user will have
+# Defaults to ['NONE']
+#
 define openstacklib::db::mysql (
 $password_hash,
 $dbname = $title,
@@ -57,6 +61,7 @@ define openstacklib::db::mysql (
 $privileges = 'ALL',
 $create_user = true,
 $create_grant = true,
+ $tls_options = ['NONE'],
 ) {
 include ::mysql::server
@@ -80,6 +85,7 @@ define openstacklib::db::mysql (
 privileges => $privileges,
 create_user => $create_user,
 create_grant => $create_grant,
+ tls_options => $tls_options,
 }
 }
 }
diff --git a/manifests/db/mysql/host_access.pp b/manifests/db/mysql/host_access.pp
index 8487b653..bd1ee99a 100644
--- a/manifests/db/mysql/host_access.pp
+++ b/manifests/db/mysql/host_access.pp
@@ -27,6 +27,10 @@
 # setup. Set to false to skip the user creation.
 # Defaults to true.
 #
+# [*tls_options*]
+# The TLS options that the user will have
+# Defaults to ['NONE']
+#
 define openstacklib::db::mysql::host_access (
 $user,
 $password_hash,
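Review bot: The `[*tls_options*]` doc block added in the `@@ -46,6 +46,10 @@` hunk of `manifests/db/mysql.pp` does not say what the values mean, so a reader cannot tell that the default leaves the account with no TLS requirement at all. I would replace the description line with something like `#   TLS requirements passed to mysql_user, e.g. ['SSL'] to refuse unencrypted connections. ['NONE'] (the default) requires no TLS.` The identical text is added to `manifests/db/mysql/host_access.pp` in its `@@ -27,6 +27,10 @@` hunk and wants the same wording.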
@@ -34,6 +38,7 @@ define openstacklib::db::mysql::host_access (
 $privileges,
 $create_user = true,
 $create_grant = true,
+ $tls_options = ['NONE'],
 ) {
 validate_re($title, '_', 'Title must be $dbname_$host')
@@ -42,6 +47,7 @@ define openstacklib::db::mysql::host_access (
 if $create_user {
 mysql_user { "${user}@${host}":
 password_hash => $password_hash,
+ tls_options => $tls_options,
 require => Mysql_database[$database],
 }
 }
diff --git a/metadata.json b/metadata.json
index 0e30f96f..df052b9c 100644
--- a/metadata.json
+++ b/metadata.json
@@ -57,7 +57,7 @@
 },
 {
 "name": "puppetlabs/mysql",
- "version_requirement": ">=3.0.0 <4.0.0"
+ "version_requirement": ">=3.10.0 <4.0.0"
 },
 {
 "name": "puppetlabs/stdlib",
diff --git a/releasenotes/notes/Add-TLS-options-for-mysql-user-creation-172536d7f3963ce2.yaml b/releasenotes/notes/Add-TLS-options-for-mysql-user-creation-172536d7f3963ce2.yaml
new file mode 100644
index 00000000..dd11777e
--- /dev/null
+++ b/releasenotes/notes/Add-TLS-options-for-mysql-user-creation-172536d7f3963ce2.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - For the users that result from the usage of the mysql resource, it is now
+ possible to specify the TLS options. This is useful if one wants to force
+ the user to only connect using TLS, or if one wants to force the usage of
+ client certificates for this specific user.
diff --git a/spec/defines/openstacklib_db_mysql_host_access_spec.rb b/spec/defines/openstacklib_db_mysql_host_access_spec.rb
index 5724471d..71e39253 100644
--- a/spec/defines/openstacklib_db_mysql_host_access_spec.rb
+++ b/spec/defines/openstacklib_db_mysql_host_access_spec.rb
@@ -20,7 +20,8 @@ describe 'openstacklib::db::mysql::host_access' do
 end
 it { is_expected.to contain_mysql_user("#{params[:user]}@10.0.0.1").with(
- :password_hash => params[:password_hash]
+ :password_hash => params[:password_hash],
+ :tls_options => ['NONE']
 )}
 it { is_expected.to contain_mysql_grant("#{params[:user]}@10.0.0.1/#{params[:database]}.*").with(
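Review bot: `$tls_options` is accepted in the `@@ -34,6 +38,7 @@` hunk without any check, although the body already validates `$title` with `validate_re` a line later. Because this value decides whether the account must use TLS, a wrong shape should fail the catalog rather than depend on how `mysql_user` coerces it; adding `validate_array($tls_options)` next to the existing `validate_re` call would do that, and stdlib is already listed as a dependency in metadata.json. `openstacklib::db::mysql` takes the same parameter in its `@@ -57,6 +61,7 @@` hunk and only forwards it, so a single check here covers both. The define's body continues outside the hunk.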
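Review bot: `tls_options` only takes effect inside the `if $create_user` branch shown in the `@@ -42,6 +47,7 @@` hunk, so with `create_user => false` the value is dropped without any signal. Someone who sets `['SSL']` expecting enforcement on an account managed elsewhere would get no TLS requirement from this define. The parameter doc should state this, for example `#   Ignored when create_user is false.`, in both `host_access.pp` and `manifests/db/mysql.pp`.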
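Review bot: The only `tls_options` assertion in `openstacklib_db_mysql_host_access_spec.rb` is the default `['NONE']`, so nothing proves that a caller-supplied value reaches `mysql_user`; a regression that drops or hard-codes the parameter would still pass. I would add a context that overrides the parameter and checks the resulting user, as sketched below. The enclosing context and its `params` start outside the hunk, so the `super()` merge assumes the new context is nested where `params` and the title are already defined.

```ruby
# nested inside the existing context so its title and params are inherited
context 'with tls_options overridden' do
  let(:params) { super().merge(:tls_options => ['SSL']) }

  it { is_expected.to contain_mysql_user("#{params[:user]}@10.0.0.1").with(
    :password_hash => params[:password_hash],
    :tls_options   => ['SSL']
  )}
end
```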
diff --git a/spec/defines/openstacklib_db_mysql_spec.rb b/spec/defines/openstacklib_db_mysql_spec.rb
index 934d772d..29819f89 100644
--- a/spec/defines/openstacklib_db_mysql_spec.rb
+++ b/spec/defines/openstacklib_db_mysql_spec.rb
@@ -24,9 +24,10 @@ describe 'openstacklib::db::mysql' do
 :collate => 'utf8_general_ci'
 )}
 it { is_expected.to contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
- :user => title,
- :database => title,
- :privileges => 'ALL'
+ :user => title,
+ :database => title,
+ :privileges => 'ALL',
+ :tls_options => ['NONE'],
 )}
 end
@@ -45,6 +46,7 @@ describe 'openstacklib::db::mysql' do
 :privileges => 'ALL',
 :create_user => true,
 :create_grant => true,
+ :tls_options => ['NONE'],
 )}
 end
@@ -63,6 +65,7 @@ describe 'openstacklib::db::mysql' do
 :privileges => 'ALL',
 :create_user => true,
 :create_grant => true,
+ :tls_options => ['NONE'],
 )}
 end
@@ -196,6 +199,19 @@ describe 'openstacklib::db::mysql' do
 it { is_expected.to_not contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1") }
 end
+ context "overriding tls_options" do
+ let :params do
+ { :tls_options => ['SSL'] }.merge(required_params)
+ end
+
+ it {is_expected.to contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
+ :user => title,
+ :password_hash => params[:password_hash],
+ :database => title,
+ :tls_options => ['SSL'],
+ )}
+ end
+
 end
 on_supported_os({
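Review bot: The new `overriding tls_options` context in the `@@ -196,6 +199,19 @@` hunk stops at the intermediate `host_access` define, so it does not show that the database account itself ends up with the TLS requirement. One more expectation in the same context would cover the whole chain: `it { is_expected.to contain_mysql_user("#{title}@127.0.0.1").with(:tls_options => ['SSL']) }`, assuming the user name resolves to the title and host as the existing assertions suggest. Minor style point: `it {is_expected.to` lacks the space after the brace that the other examples in this file use.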