f2015da4b5
Openstack users are configured with openstacklib, which in turns drive puppet-mysql to create several DB user for each db service: <service>@'%' <service>@<ip> and <service>@<mysql_vip>. We create several users because we use two different parameters host and allowed_hosts in openstacklib, which only has the effect of creating a list of users per openstack service. However since we always create a user '%', this wildcard host will always allow connection to the DB, so the other users are currently not useful as they don't get any additional grants or restrictions. Simplify the entire mysql user creation to only generate one user per service, with a wildcard host. Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4 Closes-Bug: #1943440 Closes-Bug: #1943330
68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Nova database client service.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
EnableSQLAlchemyCollectd:
|
|
type: boolean
|
|
description: >
|
|
Set to true to enable the SQLAlchemy-collectd server plugin
|
|
default: false
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova base service.
|
|
value:
|
|
config_settings:
|
|
nova::db::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
|
|
username: nova
|
|
password: {get_param: NovaPassword}
|
|
host: {get_param: [EndpointMap, MysqlCellInternal, host]}
|
|
path: /nova
|
|
query:
|
|
if:
|
|
- {get_param: EnableSQLAlchemyCollectd}
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
plugin: collectd
|
|
collectd_program_name: nova
|
|
collectd_host: localhost
|
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
service_config_settings:
|
|
mysql:
|
|
nova::db::mysql::password: {get_param: NovaPassword}
|
|
nova::db::mysql::user: nova
|
|
nova::db::mysql::host: '%'
|
|
nova::db::mysql::dbname: nova
|