Simplify mysql users creation

Openstack users are configured with openstacklib, which in turn
drives puppet-mysql to create several DB users for each DB service:
<service>@'%' <service>@<ip> and <service>@<mysql_vip>.

We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.

However since we always create a user '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.

Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.

Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
Damien Ciabrini 2021-09-13 13:21:51 +02:00
parent 7a6cd0640e
commit f2015da4b5
19 changed files with 19 additions and 76 deletions


@ -103,8 +103,5 @@ outputs:
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}
aodh::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
aodh::db::mysql::host: '%'
aodh::db::mysql::dbname: aodh
aodh::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
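Review bot: With `aodh::db::mysql::host: '%'` the service account is reachable from any source address, so the only remaining limits on who can authenticate are the password and whatever bounds the MySQL listener itself (the `mysql_bind_host` value that the removed `allowed_hosts` entry referenced, and any host firewall); a one-line comment above the key would keep a future reader from "re-hardening" it by restoring a VIP host, which the description shows buys nothing while a `'%'` account exists: `# single wildcard-host account: '%' already matched every client, so per-host entries added no restriction; access is bounded by the network, not the grant`. The description also does not say what happens to the `<service>@<ip>` and `<service>@<vip>` accounts that earlier deployments already created; as far as I can tell openstacklib/puppet-mysql only manages the users it is now told about and does not drop the ones that vanished from the parameters, so upgraded clusters would keep stale accounts carrying the same password, which is worth a sentence in the description or a cleanup step. The enclosing `service_config_settings`/`outputs` mapping continues outside the hunk. The same change, and the same two points, apply to the barbican, cinder, mistral, zaqar, both designate, glance, gnocchi, heat, ironic, ironic-inspector, keystone, manila, neutron, nova_api, nova (which previously used `MysqlCellInternal` rather than `MysqlInternal` as its host), octavia and placement sections below.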


@ -284,11 +284,8 @@ outputs:
- mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}
barbican::db::mysql::user: barbican
barbican::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
barbican::db::mysql::host: '%'
barbican::db::mysql::dbname: barbican
barbican::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
keystone:
tripleo::profile::base::keystone::barbican_notification_topics: ['barbican_notifications']
# BEGIN DOCKER SETTINGS


@ -214,11 +214,8 @@ outputs:
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
cinder::db::mysql::host: '%'
cinder::db::mysql::dbname: cinder
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: cinder


@ -116,9 +116,6 @@ outputs:
service_config_settings:
mysql:
mistral::db::mysql::user: mistral
mistral::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
mistral::db::mysql::host: '%'
mistral::db::mysql::dbname: mistral
mistral::db::mysql::password: {get_param: MistralPassword}
mistral::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -255,12 +255,9 @@ outputs:
- zaqar_management_store_sqlalchemy
- mysql:
zaqar::db::mysql::user: zaqar
zaqar::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
zaqar::db::mysql::host: '%'
zaqar::db::mysql::dbname: zaqar
zaqar::db::mysql::password: {get_param: ZaqarPassword}
zaqar::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
- {}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -137,11 +137,8 @@ outputs:
mysql:
designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: designate


@ -120,11 +120,8 @@ outputs:
mysql:
designate::db::mysql::password: {get_param: DesignatePassword}
designate::db::mysql::user: designate
designate::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
designate::db::mysql::host: '%'
designate::db::mysql::dbname: designate
designate::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: designate


@ -608,11 +608,8 @@ outputs:
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
glance::db::mysql::host: '%'
glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
rsyslog:
tripleo_logging_sources_glance_api:
- {get_param: GlanceApiLoggingSource}


@ -241,11 +241,8 @@ outputs:
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi
gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
gnocchi::db::mysql::host: '%'
gnocchi::db::mysql::dbname: gnocchi
gnocchi::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: gnocchi


@ -203,11 +203,8 @@ outputs:
mysql:
heat::db::mysql::password: {get_param: HeatPassword}
heat::db::mysql::user: heat
heat::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
heat::db::mysql::host: '%'
heat::db::mysql::dbname: heat
heat::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat


@ -228,11 +228,8 @@ outputs:
mysql:
ironic::db::mysql::password: {get_param: IronicPassword}
ironic::db::mysql::user: ironic
ironic::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
ironic::db::mysql::host: '%'
ironic::db::mysql::dbname: ironic
ironic::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_api


@ -383,11 +383,8 @@ outputs:
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector
ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
ironic::inspector::db::mysql::host: '%'
ironic::inspector::db::mysql::dbname: ironic-inspector
ironic::inspector::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_inspector


@ -625,11 +625,8 @@ outputs:
- {get_param: AdminToken}
- {get_param: KeystonePassword}
keystone::db::mysql::user: keystone
keystone::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
keystone::db::mysql::host: '%'
keystone::db::mysql::dbname: keystone
keystone::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
pacemaker:
keystone::endpoint::public_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
keystone::endpoint::internal_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}


@ -97,8 +97,5 @@ outputs:
mysql:
manila::db::mysql::password: {get_param: ManilaPassword}
manila::db::mysql::user: manila
manila::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
manila::db::mysql::host: '%'
manila::db::mysql::dbname: manila
manila::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -424,11 +424,8 @@ outputs:
mysql:
neutron::db::mysql::password: {get_param: NeutronPassword}
neutron::db::mysql::user: neutron
neutron::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
neutron::db::mysql::host: '%'
neutron::db::mysql::dbname: ovs_neutron
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:


@ -63,8 +63,5 @@ outputs:
mysql:
nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::host: '%'
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -63,8 +63,5 @@ outputs:
mysql:
nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
nova::db::mysql::host: '%'
nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -215,11 +215,8 @@ outputs:
mysql:
octavia::db::mysql::password: {get_param: OctaviaPassword}
octavia::db::mysql::user: {get_param: OctaviaUserName}
octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
octavia::db::mysql::host: '%'
octavia::db::mysql::dbname: octavia
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: octavia


@ -197,11 +197,8 @@ outputs:
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement
placement::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
placement::db::mysql::host: '%'
placement::db::mysql::dbname: placement
placement::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: placement