Simplify mysql users creation

Openstack users are configured with openstacklib, which in turn
drives puppet-mysql to create several DB users for each db service:
<service>@'%' <service>@<ip> and <service>@<mysql_vip>.

We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.

However since we always create a user '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.

Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.

Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
Damien Ciabrini 2021-09-13 13:21:51 +02:00
parent 7a6cd0640e
commit f2015da4b5
19 changed files with 19 additions and 76 deletions


@ -103,8 +103,5 @@ outputs:
mysql: mysql:
aodh::db::mysql::user: aodh aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword} aodh::db::mysql::password: {get_param: AodhPassword}
aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} aodh::db::mysql::host: '%'
aodh::db::mysql::dbname: aodh aodh::db::mysql::dbname: aodh
aodh::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -284,11 +284,8 @@ outputs:
- mysql: - mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword} barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} barbican::db::mysql::host: '%'
barbican::db::mysql::dbname: barbican barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone: keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications'] tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS


@ -214,11 +214,8 @@ outputs:
mysql: mysql:
cinder::db::mysql::password: {get_param: CinderPassword} cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder cinder::db::mysql::user: cinder
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} cinder::db::mysql::host: '%'
cinder::db::mysql::dbname: cinder cinder::db::mysql::dbname: cinder
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: cinder config_volume: cinder


@ -116,9 +116,6 @@ outputs:
service_config_settings: service_config_settings:
mysql: mysql:
mistral::db::mysql::user: mistral mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} mistral::db::mysql::host: '%'
mistral::db::mysql::dbname: mistral mistral::db::mysql::dbname: mistral
mistral::db::mysql::password: {get_param: MistralPassword} mistral::db::mysql::password: {get_param: MistralPassword}
mistral::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -255,12 +255,9 @@ outputs:
- zaqar_management_store_sqlalchemy - zaqar_management_store_sqlalchemy
- mysql: - mysql:
zaqar::db::mysql::user: zaqar zaqar::db::mysql::user: zaqar
zaqar::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} zaqar::db::mysql::host: '%'
zaqar::db::mysql::dbname: zaqar zaqar::db::mysql::dbname: zaqar
zaqar::db::mysql::password: {get_param: ZaqarPassword} zaqar::db::mysql::password: {get_param: ZaqarPassword}
zaqar::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
- {} - {}
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:


@ -137,11 +137,8 @@ outputs:
mysql: mysql:
designate::db::mysql::password: {get_param: DesignatePassword} designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: designate config_volume: designate


@ -120,11 +120,8 @@ outputs:
mysql: mysql:
designate::db::mysql::password: {get_param: DesignatePassword} designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: designate config_volume: designate


@ -608,11 +608,8 @@ outputs:
mysql: mysql:
glance::db::mysql::password: {get_param: GlancePassword} glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} glance::db::mysql::host: '%'
glance::db::mysql::dbname: glance glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
rsyslog: rsyslog:
tripleo_logging_sources_glance_api: tripleo_logging_sources_glance_api:
- {get_param: GlanceApiLoggingSource} - {get_param: GlanceApiLoggingSource}


@ -241,11 +241,8 @@ outputs:
mysql: mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword} gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi gnocchi::db::mysql::user: gnocchi
gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} gnocchi::db::mysql::host: '%'
gnocchi::db::mysql::dbname: gnocchi gnocchi::db::mysql::dbname: gnocchi
gnocchi::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: gnocchi config_volume: gnocchi


@ -203,11 +203,8 @@ outputs:
mysql: mysql:
heat::db::mysql::password: {get_param: HeatPassword} heat::db::mysql::password: {get_param: HeatPassword}
heat::db::mysql::user: heat heat::db::mysql::user: heat
heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} heat::db::mysql::host: '%'
heat::db::mysql::dbname: heat heat::db::mysql::dbname: heat
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: heat config_volume: heat


@ -228,11 +228,8 @@ outputs:
mysql: mysql:
ironic::db::mysql::password: {get_param: IronicPassword} ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic ironic::db::mysql::user: ironic
ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} ironic::db::mysql::host: '%'
ironic::db::mysql::dbname: ironic ironic::db::mysql::dbname: ironic
ironic::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: ironic_api config_volume: ironic_api


@ -383,11 +383,8 @@ outputs:
mysql: mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword} ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector ironic::inspector::db::mysql::user: ironic-inspector
ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} ironic::inspector::db::mysql::host: '%'
ironic::inspector::db::mysql::dbname: ironic-inspector ironic::inspector::db::mysql::dbname: ironic-inspector
ironic::inspector::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: ironic_inspector config_volume: ironic_inspector


@ -625,11 +625,8 @@ outputs:
- {get_param: AdminToken} - {get_param: AdminToken}
- {get_param: KeystonePassword} - {get_param: KeystonePassword}
keystone::db::mysql::user: keystone keystone::db::mysql::user: keystone
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} keystone::db::mysql::host: '%'
keystone::db::mysql::dbname: keystone keystone::db::mysql::dbname: keystone
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
pacemaker: pacemaker:
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}


@ -97,8 +97,5 @@ outputs:
mysql: mysql:
manila::db::mysql::password: {get_param: ManilaPassword} manila::db::mysql::password: {get_param: ManilaPassword}
manila::db::mysql::user: manila manila::db::mysql::user: manila
manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} manila::db::mysql::host: '%'
manila::db::mysql::dbname: manila manila::db::mysql::dbname: manila
manila::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -424,11 +424,8 @@ outputs:
mysql: mysql:
neutron::db::mysql::password: {get_param: NeutronPassword} neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron neutron::db::mysql::user: neutron
neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} neutron::db::mysql::host: '%'
neutron::db::mysql::dbname: ovs_neutron neutron::db::mysql::dbname: ovs_neutron
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:


@ -63,8 +63,5 @@ outputs:
mysql: mysql:
nova::db::mysql_api::password: {get_param: NovaPassword} nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} nova::db::mysql_api::host: '%'
nova::db::mysql_api::dbname: nova_api nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -63,8 +63,5 @@ outputs:
mysql: mysql:
nova::db::mysql::password: {get_param: NovaPassword} nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} nova::db::mysql::host: '%'
nova::db::mysql::dbname: nova nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -215,11 +215,8 @@ outputs:
mysql: mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword} octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName} octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} octavia::db::mysql::host: '%'
octavia::db::mysql::dbname: octavia octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # # BEGIN DOCKER SETTINGS #
puppet_config: puppet_config:
config_volume: octavia config_volume: octavia


@ -197,11 +197,8 @@ outputs:
mysql: mysql:
placement::db::mysql::password: {get_param: PlacementPassword} placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement placement::db::mysql::user: placement
placement::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} placement::db::mysql::host: '%'
placement::db::mysql::dbname: placement placement::db::mysql::dbname: placement
placement::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: placement config_volume: placement