openstack/puppet-openstacklib
Code Issues Proposed changes

mysql: allow specifying the authentication method

Browse Source 
MySQL users can be configured to require a specific authentication
method when connecting to the MySQL server, e.g. GSSAPI, SHA-256
or ed25519.

Expose a new attribute $plugin, that is passed to puppetlabs-mysql
When creating/updating a user in the MySQL database.

Change-Id: I1c7b40d110190eba861ed466d2644c2f1abbf7b0
Related-Bug: #1866093
This commit is contained in:
Damien Ciabrini 2020-03-06 11:03:26 +01:00 committed by Alex Schultz
parent 3b39a090b1
commit f4e9903458
4 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
manifests/db/mysql.pp
View File

@ -8,6 +8,10 @@
# Password hash to use for the database user for this service; # Password hash to use for the database user for this service;
# string; required # string; required
# #
# [*plugin*]
# Authentication plugin to use when connecting to the MySQL server;
# string; optional; default to 'undef'
#
# [*dbname*] # [*dbname*]
# The name of the database # The name of the database
# string; optional; default to the $title of the resource, i.e. 'nova' # string; optional; default to the $title of the resource, i.e. 'nova'
@ -52,6 +56,7 @@
# #
define openstacklib::db::mysql ( define openstacklib::db::mysql (
$password_hash, $password_hash,
$plugin = undef,
$dbname = $title, $dbname = $title,
$user = $title, $user = $title,
$host = '127.0.0.1', $host = '127.0.0.1',
@ -82,6 +87,7 @@ define openstacklib::db::mysql (
openstacklib::db::mysql::host_access { $real_allowed_hosts: openstacklib::db::mysql::host_access { $real_allowed_hosts:
user => $user, user => $user,
plugin => $plugin,
password_hash => $password_hash, password_hash => $password_hash,
database => $dbname, database => $dbname,
privileges => $privileges, privileges => $privileges,

6
manifests/db/mysql/host_access.pp
View File

@ -17,6 +17,10 @@
# [*privileges*] # [*privileges*]
# the privileges to grant to this user # the privileges to grant to this user
# #
# [*plugin*]
# Authentication plugin to use when connecting to the MySQL server;
# Defaults to undef
#
# [*create_user*] # [*create_user*]
# Flag to allow for the skipping of the user as part of the database setup. # Flag to allow for the skipping of the user as part of the database setup.
# Set to false to skip the user creation. # Set to false to skip the user creation.
@ -36,6 +40,7 @@ define openstacklib::db::mysql::host_access (
$password_hash, $password_hash,
$database, $database,
$privileges, $privileges,
$plugin = undef,
$create_user = true, $create_user = true,
$create_grant = true, $create_grant = true,
$tls_options = ['NONE'], $tls_options = ['NONE'],
@ -48,6 +53,7 @@ define openstacklib::db::mysql::host_access (
if $create_user { if $create_user {
mysql_user { "${user}@${host}": mysql_user { "${user}@${host}":
plugin => $plugin,
password_hash => $password_hash, password_hash => $password_hash,
tls_options => $tls_options, tls_options => $tls_options,
} }

28
spec/defines/openstacklib_db_mysql_host_access_spec.rb
View File

@ -21,6 +21,33 @@ describe 'openstacklib::db::mysql::host_access' do
end end
it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with( it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
:plugin => nil,
:password_hash => params[:password_hash],
:tls_options => ['NONE']
)}
it { should contain_mysql_grant("#{params[:user]}@10.0.0.1/#{params[:database]}.*").with(
:user => "#{params[:user]}@10.0.0.1",
:privileges => 'ALL',
:table => "#{params[:database]}.*"
)}
end
context 'with overriding authentication plugin' do
let (:title) { 'nova_10.0.0.1' }
let :params do
{
:user => 'foobar',
:plugin => 'mysql_native_password',
:password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601',
:database => 'nova',
:privileges => 'ALL'
}
end
it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
:plugin => params[:plugin],
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:tls_options => ['NONE'] :tls_options => ['NONE']
)} )}
@ -68,6 +95,7 @@ describe 'openstacklib::db::mysql::host_access' do
end end
it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with( it { should contain_mysql_user("#{params[:user]}@10.0.0.1").with(
:plugin => nil,
:password_hash => params[:password_hash] :password_hash => params[:password_hash]
)} )}

34
spec/defines/openstacklib_db_mysql_spec.rb
View File

@ -26,6 +26,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:database => title, :database => title,
:privileges => 'ALL', :privileges => 'ALL',
:tls_options => ['NONE'], :tls_options => ['NONE'],
@ -44,6 +45,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{params[:dbname]}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{params[:dbname]}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:database => params[:dbname], :database => params[:dbname],
:privileges => 'ALL', :privileges => 'ALL',
:create_user => true, :create_user => true,
@ -64,6 +66,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => params[:user], :user => params[:user],
:plugin => nil,
:database => title, :database => title,
:privileges => 'ALL', :privileges => 'ALL',
:create_user => true, :create_user => true,
@ -72,6 +75,30 @@ describe 'openstacklib::db::mysql' do
)} )}
end end
context 'with overriding authentication plugin' do
let :params do
required_params.merge!(
:plugin => 'mysql_native_password',
)
end
it { should contain_mysql_database(title).with(
:charset => 'utf8',
:collate => 'utf8_general_ci'
)}
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:plugin => params[:plugin],
:password_hash => params[:password_hash],
:database => title,
:privileges => 'ALL',
:create_user => true,
:create_grant => true,
:tls_options => ['NONE'],
)}
end
context 'when overriding charset parameter' do context 'when overriding charset parameter' do
let :params do let :params do
required_params.merge!( :charset => 'latin1' ) required_params.merge!( :charset => 'latin1' )
@ -123,12 +150,14 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:database => title :database => title
)} )}
it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with(
:user => title, :user => title,
:plugin => nil,
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:database => title :database => title
)} )}
@ -141,6 +170,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with(
:user => title, :user => title,
:plugin => nil,
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:database => title :database => title
)} )}
@ -153,6 +183,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:database => title :database => title
)} )}
@ -170,6 +201,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:database => title, :database => title,
:privileges => 'ALL', :privileges => 'ALL',
:create_user => false, :create_user => false,
@ -189,6 +221,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:database => title, :database => title,
:privileges => 'ALL', :privileges => 'ALL',
:create_user => true, :create_user => true,
@ -217,6 +250,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title, :user => title,
:plugin => nil,
:password_hash => params[:password_hash], :password_hash => params[:password_hash],
:database => title, :database => title,
:tls_options => ['SSL'], :tls_options => ['SSL'],