openstack/tripleo-heat-templates
Code Issues Proposed changes
fa69bfc1eb
tripleo-heat-templates/deployment/aodh/aodh-base.yaml
Damien Ciabrini f2015da4b5 Simplify mysql users creation 
Openstack users are configured with openstacklib, which in turns
drive puppet-mysql to create several DB user for each db service:
<service>@'%' <service>@<ip> and <service>@<mysql_vip>.

We create several users because we use two different parameters
host and allowed_hosts in openstacklib, which only has the effect
of creating a list of users per openstack service.

However since we always create a user '%', this wildcard host
will always allow connection to the DB, so the other users are
currently not useful as they don't get any additional grants or
restrictions.

Simplify the entire mysql user creation to only generate one
user per service, with a wildcard host.

Change-Id: I928b03f06c702a13f4bd957eaa79153aa711cee4
Closes-Bug: #1943440
Closes-Bug: #1943330
2021-09-15 12:23:30 +02:00

108 lines
3.6 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack Aodh service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
AodhPassword:
description: The password for the aodh services.
type: string
hidden: true
RedisPassword:
description: The password for the redis service account.
type: string
hidden: true
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
AodhDebug:
default: false
description: Set to True to enable debugging Aodh services.
type: boolean
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
AodhRpcResponseTimeout:
default: 60
description: Aodh's RPC response timeout, in seconds.
type: number
outputs:
role_data:
description: Role data for the Aodh role.
value:
service_name: aodh_base
config_settings:
aodh_redis_password: {get_param: RedisPassword}
aodh::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: aodh
password: {get_param: AodhPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /aodh
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: aodh
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
aodh::logging::debug:
if:
- {get_param: AodhDebug}
- true
- {get_param: Debug}
aodh::notification_driver: {get_param: NotificationDriver}
aodh::rpc_response_timeout: {get_param: AodhRpcResponseTimeout}
aodh::service_credentials::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
aodh::service_credentials::password: {get_param: AodhPassword}
aodh::service_credentials::region_name: {get_param: KeystoneRegion}
aodh::service_credentials::project_name: 'service'
aoth::service_credentials::user_domain_name: 'Default'
aoth::service_credentials::project_domain_name: 'Default'
service_config_settings:
mysql:
aodh::db::mysql::user: aodh
aodh::db::mysql::password: {get_param: AodhPassword}
aodh::db::mysql::host: '%'
aodh::db::mysql::dbname: aodh
View Git Blame Copy Permalink