From f4e99034588022de4185a3b2ce144ac75c2d4e80 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Fri, 6 Mar 2020 11:03:26 +0100
Subject: [PATCH] mysql: allow specifying the authentication method

MySQL users can be configured to require a specific authentication method when connecting to the MySQL server, e.g. GSSAPI, SHA-256 or ed25519. Expose a new attribute $plugin, that is passed to puppetlabs-mysql When creating/updating a user in the MySQL database.

Change-Id: I1c7b40d110190eba861ed466d2644c2f1abbf7b0
Related-Bug: #1866093
---
 manifests/db/mysql.pp | 6 ++++
 manifests/db/mysql/host_access.pp | 6 ++++
 .../openstacklib_db_mysql_host_access_spec.rb | 28 +++++++++++++++
 spec/defines/openstacklib_db_mysql_spec.rb | 34 +++++++++++++++++++
 4 files changed, 74 insertions(+)

diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp
index 5d0956cc..184eb8ee 100644
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@@ -8,6 +8,10 @@
 # Password hash to use for the database user for this service;
 # string; required
 #
+# [*plugin*]
+# Authentication plugin to use when connecting to the MySQL server;
+# string; optional; default to 'undef'
+#
 # [*dbname*]
 # The name of the database
 # string; optional; default to the $title of the resource, i.e. 'nova'
@@ -52,6 +56,7 @@
 #
 define openstacklib::db::mysql (
   $password_hash,
+  $plugin = undef,
   $dbname = $title,
   $user = $title,
   $host = '127.0.0.1',
@@ -82,6 +87,7 @@ define openstacklib::db::mysql (
 
   openstacklib::db::mysql::host_access { $real_allowed_hosts:
     user => $user,
+    plugin => $plugin,
     password_hash => $password_hash,
     database => $dbname,
     privileges => $privileges,
diff --git a/manifests/db/mysql/host_access.pp b/manifests/db/mysql/host_access.pp
index af3b63ea..baaff5fc 100644
--- a/manifests/db/mysql/host_access.pp
+++ b/manifests/db/mysql/host_access.pp
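Review bot: The new `[*plugin*]` entry in the first manifests/db/mysql.pp hunk describes the value as the plugin used "when connecting to the MySQL server", but the define hands it to `mysql_user`'s `plugin` attribute, so it selects the authentication plugin the server enforces for the account being created, not a client-side connection setting. Suggested wording: `# Authentication plugin the MySQL account is created with (passed to mysql_user's plugin attribute); string; optional; default to undef`. The same sentence is repeated in the `[*plugin*]` entry of manifests/db/mysql/host_access.pp and should be adjusted there too.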
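Review bot: `$plugin = undef` in the second manifests/db/mysql.pp hunk accepts any value and forwards it unchanged through `openstacklib::db::mysql::host_access` into `mysql_user`, where the puppetlabs-mysql provider presumably embeds it in the `CREATE USER ... IDENTIFIED WITH` statement it generates. Constraining it at this boundary, e.g. `Optional[Pattern[/\A[A-Za-z0-9_]+\z/]] $plugin = undef,`, turns a mistyped or unexpected value into a catalog compile error instead of a statement built from it at runtime. The other parameters of this define are untyped, so if typing a single parameter is out of place here, at least list the accepted values (the spec uses `mysql_native_password`) in the `[*plugin*]` entry.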
@@ -17,6 +17,10 @@
 # [*privileges*]
 # the privileges to grant to this user
 #
+# [*plugin*]
+# Authentication plugin to use when connecting to the MySQL server;
+# Defaults to undef
+#
 # [*create_user*]
 # Flag to allow for the skipping of the user as part of the database setup.
 # Set to false to skip the user creation.
@@ -36,6 +40,7 @@ define openstacklib::db::mysql::host_access (
   $password_hash,
   $database,
   $privileges,
+  $plugin = undef,
   $create_user = true,
   $create_grant = true,
   $tls_options = ['NONE'],
@@ -48,6 +53,7 @@ define openstacklib::db::mysql::host_access (
 
   if $create_user {
     mysql_user { "${user}@${host}":
+      plugin => $plugin,
       password_hash => $password_hash,
       tls_options => $tls_options,
     }
diff --git a/spec/defines/openstacklib_db_mysql_host_access_spec.rb b/spec/defines/openstacklib_db_mysql_host_access_spec.rb
index e568ca25..ef47537e 100644
--- a/spec/defines/openstacklib_db_mysql_host_access_spec.rb
+++ b/spec/defines/openstacklib_db_mysql_host_access_spec.rb
@@ -21,6 +21,33 @@ describe 'openstacklib::db::mysql::host_access' do
       end
 
       it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
+        :plugin => nil,
+        :password_hash => params[:password_hash],
+        :tls_options => ['NONE']
+      )}
+
+      it { should contain_mysql_grant("#{params[:user]}@10.0.0.1/#{params[:database]}.*").with(
+        :user => "#{params[:user]}@10.0.0.1",
+        :privileges => 'ALL',
+        :table => "#{params[:database]}.*"
+      )}
+    end
+
+    context 'with overriding authentication plugin' do
+      let (:title) { 'nova_10.0.0.1' }
+
+      let :params do
+        {
+          :user => 'foobar',
+          :plugin => 'mysql_native_password',
+          :password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601',
+          :database => 'nova',
+          :privileges => 'ALL'
+        }
+      end
+
+      it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
+        :plugin => params[:plugin],
         :password_hash => params[:password_hash],
         :tls_options => ['NONE']
       )}
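Review bot: In the `mysql_user` hunk of manifests/db/mysql/host_access.pp, `plugin => $plugin` is added next to `password_hash => $password_hash`, while `$password_hash` remains a required parameter with no default, so a caller selecting a plugin that does not store a password hash (the commit message names GSSAPI) still has to supply one and it is presumably handed to the provider regardless. If that combination is meant to be unsupported, state it in the `[*plugin*]` entry, e.g. `# password_hash is always passed to mysql_user and must be in the format expected by the chosen plugin.`; otherwise `$password_hash` would need an `undef` default when a plugin is given. The enclosing `if $create_user` block continues past the hunk.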
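Review bot: The new `with overriding authentication plugin` context in the openstacklib_db_mysql_host_access_spec.rb hunk asserts only the `mysql_user` resource; the `contain_mysql_grant(...)` expectation that the default context keeps is not repeated there, so a plugin value that broke grant creation would still pass the suite. Copying the `it { should contain_mysql_grant("#{params[:user]}@10.0.0.1/#{params[:database]}.*") ... }` block from the default context into the new one closes that gap. The `let (:title)` and `let :params` blocks duplicate the default context's values except for `:plugin`; a shared `let` with `merge` would keep the two contexts from drifting apart.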
@@ -68,6 +95,7 @@ describe 'openstacklib::db::mysql::host_access' do
       end
 
       it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
+        :plugin => nil,
         :password_hash => params[:password_hash]
       )}
 
diff --git a/spec/defines/openstacklib_db_mysql_spec.rb b/spec/defines/openstacklib_db_mysql_spec.rb
index 9ada7283..5be62420 100644
--- a/spec/defines/openstacklib_db_mysql_spec.rb
+++ b/spec/defines/openstacklib_db_mysql_spec.rb
@@ -26,6 +26,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :database => title,
       :privileges => 'ALL',
       :tls_options => ['NONE'],
@@ -44,6 +45,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{params[:dbname]}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :database => params[:dbname],
       :privileges => 'ALL',
       :create_user => true,
@@ -64,6 +66,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => params[:user],
+      :plugin => nil,
       :database => title,
       :privileges => 'ALL',
       :create_user => true,
@@ -72,6 +75,30 @@ describe 'openstacklib::db::mysql' do
     )}
   end
 
+  context 'with overriding authentication plugin' do
+    let :params do
+      required_params.merge!(
+        :plugin => 'mysql_native_password',
+      )
+    end
+
+    it { should contain_mysql_database(title).with(
+      :charset => 'utf8',
+      :collate => 'utf8_general_ci'
+    )}
+
+    it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
+      :user => title,
+      :plugin => params[:plugin],
+      :password_hash => params[:password_hash],
+      :database => title,
+      :privileges => 'ALL',
+      :create_user => true,
+      :create_grant => true,
+      :tls_options => ['NONE'],
+    )}
+  end
+
   context 'when overriding charset parameter' do
     let :params do
       required_params.merge!( :charset => 'latin1' )
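Review bot: The `with overriding authentication plugin` context in the last openstacklib_db_mysql_spec.rb hunk exercises only the default `127.0.0.1` host, so the forwarding of `plugin` from `openstacklib::db::mysql` to every `host_access` instance generated from `$real_allowed_hosts` is not covered; the `%` and `192.168.1.1` contexts later in this file only assert `:plugin => nil`. Adding a `:plugin => params[:plugin]` expectation to one multi-host context with the plugin set would pin that the attribute reaches each generated resource. The `contain_mysql_database(title)` expectation in the new context repeats the default-context check and is unrelated to the plugin; dropping it keeps the context focused on what the change adds.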
@@ -123,12 +150,14 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :password_hash => params[:password_hash],
       :database => title
     )}
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with(
       :user => title,
+      :plugin => nil,
       :password_hash => params[:password_hash],
       :database => title
     )}
@@ -141,6 +170,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with(
       :user => title,
+      :plugin => nil,
       :password_hash => params[:password_hash],
       :database => title
     )}
@@ -153,6 +183,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :password_hash => params[:password_hash],
       :database => title
     )}
@@ -170,6 +201,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :database => title,
       :privileges => 'ALL',
       :create_user => false,
@@ -189,6 +221,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :database => title,
       :privileges => 'ALL',
       :create_user => true,
@@ -217,6 +250,7 @@ describe 'openstacklib::db::mysql' do
 
     it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
       :user => title,
+      :plugin => nil,
       :password_hash => params[:password_hash],
       :database => title,
       :tls_options => ['SSL'],