Add tls options to mysql user creation

This enables us to set several TLS requirements for the users created
by the host_access resource.

Change-Id: If550f184f85f8fdbc197fc9f930d4446de67090a
Juan Antonio Osorio Robles 2016-10-18 12:17:33 +03:00
parent d91a4c7b36
commit 83653d442e
6 changed files with 40 additions and 5 deletions

@ -46,6 +46,10 @@
# setup. Set to false to skip the user creation.
# Defaults to true.
#
# [*tls_options*]
# The TLS options that the user will have
# Defaults to ['NONE']
#
define openstacklib::db::mysql (
$password_hash,
$dbname = $title,
@ -57,6 +61,7 @@ define openstacklib::db::mysql (
$privileges = 'ALL',
$create_user = true,
$create_grant = true,
$tls_options = ['NONE'],
) {
include ::mysql::server
@ -80,6 +85,7 @@ define openstacklib::db::mysql (
privileges => $privileges,
create_user => $create_user,
create_grant => $create_grant,
tls_options => $tls_options,
}
}
}
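Review bot: The new `$tls_options = ['NONE']` parameter is forwarded to `host_access` without any type check, so a bare string such as `'SSL'` would pass through unvalidated to `mysql_user`, whereas the sibling host_access define already guards its inputs with stdlib validators (`validate_re`). Add `validate_array($tls_options)` in the body alongside whatever other validations the define has. The parameter doc should also state what the default means for the connection, e.g. `# The TLS options that the user will have. ['NONE'] (the default) does not require an encrypted connection; use e.g. ['SSL'] to require TLS.` The body of openstacklib::db::mysql continues outside these hunks.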

@ -27,6 +27,10 @@
# setup. Set to false to skip the user creation.
# Defaults to true.
#
# [*tls_options*]
# The TLS options that the user will have
# Defaults to ['NONE']
#
define openstacklib::db::mysql::host_access (
$user,
$password_hash,
@ -34,6 +38,7 @@ define openstacklib::db::mysql::host_access (
$privileges,
$create_user = true,
$create_grant = true,
$tls_options = ['NONE'],
) {
validate_re($title, '_', 'Title must be $dbname_$host')
@ -42,6 +47,7 @@ define openstacklib::db::mysql::host_access (
if $create_user {
mysql_user { "${user}@${host}":
password_hash => $password_hash,
tls_options => $tls_options,
require => Mysql_database[$database],
}
}
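Review bot: `tls_options => $tls_options` sits inside `if $create_user`, so with `create_user => false` the parameter is silently ignored and an existing user keeps whatever TLS requirement it already has; the `[*tls_options*]` doc comment does not say so. Add to that comment: `# Only applied when create_user is true; with create_user false the existing user's TLS requirement is left untouched.` The same caveat belongs on the matching parameter doc in openstacklib::db::mysql, which only forwards the value here. A `validate_array($tls_options)` next to the existing `validate_re($title, ...)` would reject a non-array value before it reaches mysql_user. The rest of the host_access body is outside the hunk.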

@ -57,7 +57,7 @@
},
{
"name": "puppetlabs/mysql",
"version_requirement": ">=3.0.0 <4.0.0"
"version_requirement": ">=3.10.0 <4.0.0"
},
{
"name": "puppetlabs/stdlib",

@ -0,0 +1,6 @@
---
features:
- For the users that result from the usage of the mysql resource, it is now
possible to specify the TLS options. This is useful if one wants to force
the user to only connect using TLS, or if one wants to force the usage of
client certificates for this specific user.

@ -20,7 +20,8 @@ describe 'openstacklib::db::mysql::host_access' do
end
it { is_expected.to contain_mysql_user("#{params[:user]}@10.0.0.1").with(
:password_hash => params[:password_hash]
:password_hash => params[:password_hash],
:tls_options => ['NONE']
)}
it { is_expected.to contain_mysql_grant("#{params[:user]}@10.0.0.1/#{params[:database]}.*").with(
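Review bot: This spec only asserts that the default `['NONE']` reaches `mysql_user`; nothing checks that an overridden value is forwarded, so a mistake in the `tls_options => $tls_options` line of host_access would still pass here, and the `overriding tls_options` context in the mysql spec only verifies the value reaches host_access, not mysql_user. Add a context that overrides the parameter and asserts it on the `mysql_user` resource; the merge base below should be whatever this spec's existing `let :params` provides, which is outside the hunk.
```ruby
context 'overriding tls_options' do
  let :params do
    # merge onto this spec's existing required params (defined outside the hunk)
    { :tls_options => ['SSL'] }.merge(required_params)
  end
  it { is_expected.to contain_mysql_user("#{params[:user]}@10.0.0.1").with(
    :password_hash => params[:password_hash],
    :tls_options   => ['SSL']
  )}
end
```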

@ -24,9 +24,10 @@ describe 'openstacklib::db::mysql' do
:collate => 'utf8_general_ci'
)}
it { is_expected.to contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:database => title,
:privileges => 'ALL'
:user => title,
:database => title,
:privileges => 'ALL',
:tls_options => ['NONE'],
)}
end
@ -45,6 +46,7 @@ describe 'openstacklib::db::mysql' do
:privileges => 'ALL',
:create_user => true,
:create_grant => true,
:tls_options => ['NONE'],
)}
end
@ -63,6 +65,7 @@ describe 'openstacklib::db::mysql' do
:privileges => 'ALL',
:create_user => true,
:create_grant => true,
:tls_options => ['NONE'],
)}
end
@ -196,6 +199,19 @@ describe 'openstacklib::db::mysql' do
it { is_expected.to_not contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1") }
end
context "overriding tls_options" do
let :params do
{ :tls_options => ['SSL'] }.merge(required_params)
end
it {is_expected.to contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:password_hash => params[:password_hash],
:database => title,
:tls_options => ['SSL'],
)}
end
end
on_supported_os({