From c4b9f958358717802a4d9ddaf6eb89fe86ff7173 Mon Sep 17 00:00:00 2001 
From: Damien Ciabrini Date: Mon, 13 Sep 2021 13:21:51 +0200 Subject: [PATCH] Simplify mysql users creation Openstack users are configured with openstacklib, which in turns drive puppet-mysql to create several DB user for each db service: @'%' @ and @. We create several users because we use two different parameters host and allowed_hosts in openstacklib, which only has the effect of creating a list of users per openstack service. However since we always create a user '%', this wildcard host will always allow connection to the DB, so the other users are currently not useful as they don't get any additional grants or restrictions. Simplify the entire mysql user creation to only generate one user per service, with a wildcard host. Slight context conflicts in: deployment/neutron/neutron-api-container-puppet.yaml Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4 Closes-Bug: #1943440 Closes-Bug: #1943330 (cherry picked from commit f2015da4b50345359a9a14e403361ce7b0c7fcb1) --- deployment/aodh/aodh-base.yaml | 5 +---- deployment/barbican/barbican-api-container-puppet.yaml | 5 +---- deployment/cinder/cinder-api-container-puppet.yaml | 5 +---- deployment/deprecated/mistral/mistral-base.yaml | 5 +---- deployment/deprecated/zaqar/zaqar-container-puppet.yaml | 5 +---- deployment/designate/designate-central-container-puppet.yaml | 5 +---- deployment/designate/designate-mdns-container-puppet.yaml | 5 +---- deployment/glance/glance-api-container-puppet.yaml | 5 +---- deployment/gnocchi/gnocchi-api-container-puppet.yaml | 5 +---- deployment/heat/heat-engine-container-puppet.yaml | 5 +---- deployment/ironic/ironic-api-container-puppet.yaml | 5 +---- deployment/ironic/ironic-inspector-container-puppet.yaml | 5 +---- deployment/keystone/keystone-container-puppet.yaml | 5 +---- deployment/manila/manila-base.yaml | 5 +---- deployment/neutron/neutron-api-container-puppet.yaml | 5 +---- deployment/nova/nova-apidb-client-puppet.yaml | 5 +---- deployment/nova/nova-db-client-puppet.yaml | 
5 +----
 deployment/octavia/octavia-api-container-puppet.yaml | 5 +----
 deployment/placement/placement-api-container-puppet.yaml | 5 +----
 19 files changed, 19 insertions(+), 76 deletions(-)
diff --git a/deployment/aodh/aodh-base.yaml b/deployment/aodh/aodh-base.yaml
index 01996bcfad..f17f5e1a0f 100644
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@@ -96,8 +96,5 @@ outputs:
 mysql:
 aodh::db::mysql::user: aodh
 aodh::db::mysql::password: {get_param: AodhPassword}
- aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ aodh::db::mysql::host: '%'
 aodh::db::mysql::dbname: aodh
- aodh::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 0ebf1bc0b6..6f3cd35f26 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -303,11 +303,8 @@ outputs:
 - mysql:
 barbican::db::mysql::password: {get_param: BarbicanPassword}
 barbican::db::mysql::user: barbican
- barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ barbican::db::mysql::host: '%'
 barbican::db::mysql::dbname: barbican
- barbican::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 keystone:
 tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
 # BEGIN DOCKER SETTINGS
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index fe53a08b66..46511d7e88 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
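Review bot: On a cloud that is already deployed, nothing in this hunk visibly drops the accounts that the removed `allowed_hosts` entries and the old `host` value created (`aodh@<internal endpoint host>` and `aodh@<mysql_bind_host>`), and the same holds for the other 18 hunks in this patch. If nothing purges them, they would keep their old password after a rotation, and because MySQL matches the most specific host entry first, a stale specific-host account can shadow `aodh@'%'` for clients connecting from that address. It is worth confirming that openstacklib or puppet-mysql removes those accounts on update, or adding an upgrade step that does. Since `'%'` is now the only host restriction, a short comment next to it, such as `# wildcard host: access control relies on the DB network exposure and the service password`, would make that trust assumption explicit.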
@@ -214,11 +214,8 @@ outputs:
 mysql:
 cinder::db::mysql::password: {get_param: CinderPassword}
 cinder::db::mysql::user: cinder
- cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ cinder::db::mysql::host: '%'
 cinder::db::mysql::dbname: cinder
- cinder::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: cinder
diff --git a/deployment/deprecated/mistral/mistral-base.yaml b/deployment/deprecated/mistral/mistral-base.yaml
index 892680efd6..2c3f85f74d 100644
--- a/deployment/deprecated/mistral/mistral-base.yaml
+++ b/deployment/deprecated/mistral/mistral-base.yaml
@@ -116,9 +116,6 @@ outputs:
 service_config_settings:
 mysql:
 mistral::db::mysql::user: mistral
- mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ mistral::db::mysql::host: '%'
 mistral::db::mysql::dbname: mistral
 mistral::db::mysql::password: {get_param: MistralPassword}
- mistral::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
diff --git a/deployment/deprecated/zaqar/zaqar-container-puppet.yaml b/deployment/deprecated/zaqar/zaqar-container-puppet.yaml
index d45b639408..6e15d6e1b3 100644
--- a/deployment/deprecated/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/deprecated/zaqar/zaqar-container-puppet.yaml
@@ -255,12 +255,9 @@ outputs:
 - zaqar_management_store_sqlalchemy
 - mysql:
 zaqar::db::mysql::user: zaqar
- zaqar::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ zaqar::db::mysql::host: '%'
 zaqar::db::mysql::dbname: zaqar
 zaqar::db::mysql::password: {get_param: ZaqarPassword}
- zaqar::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 - {}
 # BEGIN DOCKER SETTINGS
 puppet_config:
diff --git a/deployment/designate/designate-central-container-puppet.yaml b/deployment/designate/designate-central-container-puppet.yaml
index 517f230a7c..fe4c9e2240 100644
--- a/deployment/designate/designate-central-container-puppet.yaml
+++ b/deployment/designate/designate-central-container-puppet.yaml
@@ -115,11 +115,8 @@ outputs:
 mysql:
 designate::db::mysql::password: {get_param: DesignatePassword}
 designate::db::mysql::user: designate
- designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ designate::db::mysql::host: '%'
 designate::db::mysql::dbname: designate
- designate::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: designate
diff --git a/deployment/designate/designate-mdns-container-puppet.yaml b/deployment/designate/designate-mdns-container-puppet.yaml
index a166e34d17..48ea25d698 100644
--- a/deployment/designate/designate-mdns-container-puppet.yaml
+++ b/deployment/designate/designate-mdns-container-puppet.yaml
@@ -120,11 +120,8 @@ outputs:
 mysql:
 designate::db::mysql::password: {get_param: DesignatePassword}
 designate::db::mysql::user: designate
- designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ designate::db::mysql::host: '%'
 designate::db::mysql::dbname: designate
- designate::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: designate
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index dafbfcbd87..aa7cd1dba3 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -605,11 +605,8 @@ outputs:
 mysql:
 glance::db::mysql::password: {get_param: GlancePassword}
 glance::db::mysql::user: glance
- glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ glance::db::mysql::host: '%'
 glance::db::mysql::dbname: glance
- glance::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 rsyslog:
 tripleo_logging_sources_glance_api:
 - {get_param: GlanceApiLoggingSource}
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 00c874bffa..ce23b8ccbd 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -241,11 +241,8 @@ outputs:
 mysql:
 gnocchi::db::mysql::password: {get_param: GnocchiPassword}
 gnocchi::db::mysql::user: gnocchi
- gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ gnocchi::db::mysql::host: '%'
 gnocchi::db::mysql::dbname: gnocchi
- gnocchi::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: gnocchi
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index 3dd012f65e..098e6d4bef 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -203,11 +203,8 @@ outputs:
 mysql:
 heat::db::mysql::password: {get_param: HeatPassword}
 heat::db::mysql::user: heat
- heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ heat::db::mysql::host: '%'
 heat::db::mysql::dbname: heat
- heat::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: heat
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index 4ffc486b27..57cd724399 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -183,11 +183,8 @@ outputs:
 mysql:
 ironic::db::mysql::password: {get_param: IronicPassword}
 ironic::db::mysql::user: ironic
- ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ ironic::db::mysql::host: '%'
 ironic::db::mysql::dbname: ironic
- ironic::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: ironic_api
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index cf31a4650b..7e604f1760 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -359,11 +359,8 @@ outputs:
 mysql:
 ironic::inspector::db::mysql::password: {get_param: IronicPassword}
 ironic::inspector::db::mysql::user: ironic-inspector
- ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ ironic::inspector::db::mysql::host: '%'
 ironic::inspector::db::mysql::dbname: ironic-inspector
- ironic::inspector::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: ironic_inspector
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index b6370eaf76..157c390865 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -600,11 +600,8 @@ outputs:
 mysql:
 keystone::db::mysql::password: {get_param: AdminToken}
 keystone::db::mysql::user: keystone
- keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ keystone::db::mysql::host: '%'
 keystone::db::mysql::dbname: keystone
- keystone::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 pacemaker:
 keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
 keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
diff --git a/deployment/manila/manila-base.yaml b/deployment/manila/manila-base.yaml
index 0da86d3844..b1bf319634 100644
--- a/deployment/manila/manila-base.yaml
+++ b/deployment/manila/manila-base.yaml
@@ -92,8 +92,5 @@ outputs:
 mysql:
 manila::db::mysql::password: {get_param: ManilaPassword}
 manila::db::mysql::user: manila
- manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ manila::db::mysql::host: '%'
 manila::db::mysql::dbname: manila
- manila::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index c8c5df2637..6091e00061 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -405,11 +405,8 @@ outputs:
 mysql:
 neutron::db::mysql::password: {get_param: NeutronPassword}
 neutron::db::mysql::user: neutron
- neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ neutron::db::mysql::host: '%'
 neutron::db::mysql::dbname: ovs_neutron
- neutron::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: neutron
diff --git a/deployment/nova/nova-apidb-client-puppet.yaml b/deployment/nova/nova-apidb-client-puppet.yaml
index 56a9a1a5d7..bcb5bd876d 100644
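Review bot: In the keystone hunk the single remaining account `keystone@'%'` takes its password from `{get_param: AdminToken}` (an unchanged context line), which by its name appears to be shared with the Keystone admin token rather than being a database-only secret. With the wildcard host as the only account definition, that one value is all that separates any host able to reach the database port from the identity database. If the reuse is intentional, a comment beside the password line such as `# DB password is shared with AdminToken; rotate both together` would record it. Otherwise a dedicated database password parameter would limit the impact of either secret leaking.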
--- a/deployment/nova/nova-apidb-client-puppet.yaml +++ b/deployment/nova/nova-apidb-client-puppet.yaml @@ -63,8 +63,5 @@ outputs: mysql: nova::db::mysql_api::password: {get_param: NovaPassword} nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::host: '%' nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/deployment/nova/nova-db-client-puppet.yaml b/deployment/nova/nova-db-client-puppet.yaml index 6c4ffdece0..8c726a06d1 100644 --- a/deployment/nova/nova-db-client-puppet.yaml +++ b/deployment/nova/nova-db-client-puppet.yaml @@ -63,8 +63,5 @@ outputs: mysql: nova::db::mysql::password: {get_param: NovaPassword} nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} + nova::db::mysql::host: '%' nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml index 1be82211dd..9eb7023ad0 100644 --- a/deployment/octavia/octavia-api-container-puppet.yaml +++ b/deployment/octavia/octavia-api-container-puppet.yaml @@ -223,11 +223,8 @@ outputs: mysql: octavia::db::mysql::password: {get_param: OctaviaPassword} octavia::db::mysql::user: {get_param: OctaviaUserName} - octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + octavia::db::mysql::host: '%' octavia::db::mysql::dbname: octavia - octavia::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS # puppet_config: config_volume: octavia diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml index a3b2c5b556..1aa7363614 100644 --- a/deployment/placement/placement-api-container-puppet.yaml 
+++ b/deployment/placement/placement-api-container-puppet.yaml
@@ -195,11 +195,8 @@ outputs:
 mysql:
 placement::db::mysql::password: {get_param: PlacementPassword}
 placement::db::mysql::user: placement
- placement::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ placement::db::mysql::host: '%'
 placement::db::mysql::dbname: placement
- placement::db::mysql::allowed_hosts:
- - '%'
- - "%{hiera('mysql_bind_host')}"
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: placement