
Simplify mysql users creation

Openstack users are configured with openstacklib, which in turn
drives puppet-mysql to create several DB users for each db service:
<service>@'%' <service>@<ip> and <service>@<mysql_vip>.

We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.

However since we always create a user '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.

Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.

Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
changes/45/808745/6
Damien Ciabrini 4 months ago
parent
commit
f2015da4b5
  1. 5
      deployment/aodh/aodh-base.yaml
  2. 5
      deployment/barbican/barbican-api-container-puppet.yaml
  3. 5
      deployment/cinder/cinder-api-container-puppet.yaml
  4. 5
      deployment/deprecated/mistral/mistral-base.yaml
  5. 5
      deployment/deprecated/zaqar/zaqar-container-puppet.yaml
  6. 5
      deployment/designate/designate-central-container-puppet.yaml
  7. 5
      deployment/designate/designate-mdns-container-puppet.yaml
  8. 5
      deployment/glance/glance-api-container-puppet.yaml
  9. 5
      deployment/gnocchi/gnocchi-api-container-puppet.yaml
  10. 5
      deployment/heat/heat-engine-container-puppet.yaml
  11. 5
      deployment/ironic/ironic-api-container-puppet.yaml
  12. 5
      deployment/ironic/ironic-inspector-container-puppet.yaml
  13. 5
      deployment/keystone/keystone-container-puppet.yaml
  14. 5
      deployment/manila/manila-base.yaml
  15. 5
      deployment/neutron/neutron-api-container-puppet.yaml
  16. 5
      deployment/nova/nova-apidb-client-puppet.yaml
  17. 5
      deployment/nova/nova-db-client-puppet.yaml
  18. 5
      deployment/octavia/octavia-api-container-puppet.yaml
  19. 5
      deployment/placement/placement-api-container-puppet.yaml

5
deployment/aodh/aodh-base.yaml

@ -103,8 +103,5 @@ outputs:
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}
aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
aodh::db::mysql::host: '%'
aodh::db::mysql::dbname: aodh
aodh::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
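Review bot: With `aodh::db::mysql::host: '%'` as the only host value, the service account is not restricted to any source address at the MySQL layer, which leaves the password and the network path to the database as the only controls. The removed `allowed_hosts` list already contained `'%'`, so the exposure is unchanged, but a comment above the key would record it, e.g. `# wildcard host: access is limited by network isolation of the DB endpoint, not by MySQL host matching`. The same applies to every other file section in this commit, barbican through placement. Whether the previously created `<service>@<ip>` and `<service>@<mysql_vip>` accounts are dropped on existing deployments is not visible here; MySQL matches the most specific host entry first, so a leftover account could shadow the wildcard one, and the upgrade path is worth confirming. The `mysql:` mapping continues outside the hunk.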

5
deployment/barbican/barbican-api-container-puppet.yaml

@ -284,11 +284,8 @@ outputs:
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::host: '%'
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS

5
deployment/cinder/cinder-api-container-puppet.yaml

@ -214,11 +214,8 @@ outputs:
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
cinder::db::mysql::host: '%'
cinder::db::mysql::dbname: cinder
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: cinder

5
deployment/deprecated/mistral/mistral-base.yaml

@ -116,9 +116,6 @@ outputs:
service_config_settings:
mysql:
mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
mistral::db::mysql::host: '%'
mistral::db::mysql::dbname: mistral
mistral::db::mysql::password: {get_param: MistralPassword}
mistral::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"

5
deployment/deprecated/zaqar/zaqar-container-puppet.yaml

@ -255,12 +255,9 @@ outputs:
- zaqar_management_store_sqlalchemy
- mysql:
zaqar::db::mysql::user: zaqar
zaqar::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
zaqar::db::mysql::host: '%'
zaqar::db::mysql::dbname: zaqar
zaqar::db::mysql::password: {get_param: ZaqarPassword}
zaqar::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
- {}
# BEGIN DOCKER SETTINGS
puppet_config:

5
deployment/designate/designate-central-container-puppet.yaml

@ -137,11 +137,8 @@ outputs:
mysql:
designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: designate

5
deployment/designate/designate-mdns-container-puppet.yaml

@ -120,11 +120,8 @@ outputs:
mysql:
designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: designate

5
deployment/glance/glance-api-container-puppet.yaml

@ -608,11 +608,8 @@ outputs:
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
glance::db::mysql::host: '%'
glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
rsyslog:
tripleo_logging_sources_glance_api:
- {get_param: GlanceApiLoggingSource}

5
deployment/gnocchi/gnocchi-api-container-puppet.yaml

@ -241,11 +241,8 @@ outputs:
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi
gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
gnocchi::db::mysql::host: '%'
gnocchi::db::mysql::dbname: gnocchi
gnocchi::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: gnocchi

5
deployment/heat/heat-engine-container-puppet.yaml

@ -203,11 +203,8 @@ outputs:
mysql:
heat::db::mysql::password: {get_param: HeatPassword}
heat::db::mysql::user: heat
heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
heat::db::mysql::host: '%'
heat::db::mysql::dbname: heat
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat

5
deployment/ironic/ironic-api-container-puppet.yaml

@ -228,11 +228,8 @@ outputs:
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic
ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
ironic::db::mysql::host: '%'
ironic::db::mysql::dbname: ironic
ironic::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_api

5
deployment/ironic/ironic-inspector-container-puppet.yaml

@ -383,11 +383,8 @@ outputs:
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector
ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
ironic::inspector::db::mysql::host: '%'
ironic::inspector::db::mysql::dbname: ironic-inspector
ironic::inspector::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_inspector
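Review bot: `ironic::inspector::db::mysql::password` is set from `IronicPassword`, the same parameter the `ironic` account uses in ironic-api-container-puppet.yaml, so two wildcard-host accounts share one secret. A leak of either service's configuration would presumably expose both databases. The nova sections do the same with `NovaPassword` for `nova_api` and `nova`. This line is context rather than part of the change, but with a wildcard host the password is the only per-account control, so a dedicated password parameter per database user would be worth a follow-up. The enclosing `mysql:` block starts outside the hunk.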

5
deployment/keystone/keystone-container-puppet.yaml

@ -625,11 +625,8 @@ outputs:
- {get_param: AdminToken}
- {get_param: KeystonePassword}
keystone::db::mysql::user: keystone
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
keystone::db::mysql::host: '%'
keystone::db::mysql::dbname: keystone
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
pacemaker:
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}

5
deployment/manila/manila-base.yaml

@ -97,8 +97,5 @@ outputs:
mysql:
manila::db::mysql::password: {get_param: ManilaPassword}
manila::db::mysql::user: manila
manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
manila::db::mysql::host: '%'
manila::db::mysql::dbname: manila
manila::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"

5
deployment/neutron/neutron-api-container-puppet.yaml

@ -424,11 +424,8 @@ outputs:
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron
neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
neutron::db::mysql::host: '%'
neutron::db::mysql::dbname: ovs_neutron
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:

5
deployment/nova/nova-apidb-client-puppet.yaml

@ -63,8 +63,5 @@ outputs:
mysql:
nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::host: '%'
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"

5
deployment/nova/nova-db-client-puppet.yaml

@ -63,8 +63,5 @@ outputs:
mysql:
nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
nova::db::mysql::host: '%'
nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"

5
deployment/octavia/octavia-api-container-puppet.yaml

@ -215,11 +215,8 @@ outputs:
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
octavia::db::mysql::host: '%'
octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: octavia

5
deployment/placement/placement-api-container-puppet.yaml

@ -197,11 +197,8 @@ outputs:
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement
placement::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
placement::db::mysql::host: '%'
placement::db::mysql::dbname: placement
placement::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: placement
