Merge "Support custom privileges for managed MySQL users"

2014-11-11 05:09:14 +00:00 · 2014-11-11 05:09:14 +00:00 · 00944b8c36
parent 43b5a72503 01f291b9b8
commit 00944b8c36
2 changed files with 24 additions and 4 deletions
--- a/elements/mysql-common/README.md
+++ b/elements/mysql-common/README.md
@ -17,7 +17,8 @@ Users will be created if Heat Metadata is passed in under the
            Ref: SomeWaitConditionHandle

 This will cause mysql to create the user 'dbuser1' if it does not exist,
-and grant it all privileges on somedb. It will have a random password
+and grant it all privileges on somedb. If no 'database' parameter is supplied,
+the user will be given access to all databases. It will have a random password
 generated and passed to the WaitConditionHandle with the key of the
 username, and password as the data. A password can also be given for
 the user like this:
@ -30,3 +31,12 @@ the user like this:

 If a userhandle is also given with the password, it will be passed to
 the wait condition handle in the same manner.
+
+Privileges may be restricted for the user like so:
+
+    mysql:
+      create-users:
+        - username: dbuser2
+          database: somedb
+          password: abcdefg12345
+          privilege: "USAGE, SELECT"
--- a/elements/mysql-common/os-refresh-config/post-configure.d/50-mysql-users
+++ b/elements/mysql-common/os-refresh-config/post-configure.d/50-mysql-users
@ -78,13 +78,23 @@ to_create = should_exist - existing

 for createuser in to_create:
    dbvalue = by_user[createuser]
+
+    username = dbvalue['username']
+    database = dbvalue.get('database', None)
+    privilege = dbvalue.get('privilege', 'ALL')
+
    if 'password' in dbvalue:
        password = dbvalue['password']
    else:
        password = base64.b64encode(os.urandom(30))

-    cmd = "GRANT ALL PRIVILEGES ON `%s`.* TO `%s`@'%%' IDENTIFIED BY '%s'" % (
-        dbvalue['database'], dbvalue['username'], password)
+    if database is not None:
+        cmd = "GRANT %s ON `%s`.*" % (privilege, database)
+    else:
+        cmd = "GRANT %s ON *.*" % (privilege)
+
+    cmd += " TO `%s`@'%%' IDENTIFIED BY '%s'" % (username, password)
+
    if opts.noop:
        print("%s" % (cmd))
    else:
@ -94,7 +104,7 @@ for createuser in to_create:

    if 'userhandle' in dbvalue:
        # Inform Heat of new password for this user
-        cmd = ['/opt/aws/bin/cfn-signal', '-i', dbvalue['username'],
+        cmd = ['/opt/aws/bin/cfn-signal', '-i', username,
               '-s', 'true', '--data', password, dbvalue['userhandle']]
        if opts.noop:
            print(cmd)