From a075c14b614e0ddc5cdca6832220858fa2905cd8 Mon Sep 17 00:00:00 2001
From: Joseph Davis
Date: Fri, 8 Aug 2014 15:05:36 -0700
Subject: [PATCH] Secure MySQL clustering with SSL

Accept values through Heat for the contents of an X509 certificate and key to be used in Galera clustering and write the values into files. Set the file owner and permissions to only allow mysql access to the certificate/key pair. Configure Galera clustering to bind to the server ip:4567 and use the provided certificate/key pair. This is dependent on the associated change in tripleo-heat-templates to provide the certificate values. If values are missing, the clustering will not be secured. Turning on/off secure clustering cannot be done without restarting every node cluster.

Change-Id: I2f3406cd09a2a513347593dfcfd3121d3de096c9
---
 .../os-apply-config/etc/ssl/mysql/from-heat.crt | 1 +
 .../os-apply-config/etc/ssl/mysql/from-heat.key | 1 +
 .../mnt/state/etc/mysql/conf.d/cluster.cnf | 5 +++++
 .../post-configure.d/10-mysql-permissions | 10 ++++++++++
 4 files changed, 17 insertions(+)
 create mode 100644 elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.crt
 create mode 100644 elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key

diff --git a/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.crt b/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.crt
new file mode 100644
index 000000000..6b120b16a
--- /dev/null
+++ b/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.crt
@@ -0,0 +1 @@
+{{mysql.cluster_certificate}}
diff --git a/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key b/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key
new file mode 100644
index 000000000..ac75a782c
--- /dev/null
+++ b/elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key
@@ -0,0 +1 @@
+{{mysql.cluster_key}}
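Review bot: The template dereferences `{{mysql.cluster_certificate}}` unconditionally, so on a node whose Heat metadata does not carry the parameter the outcome depends on how os-apply-config treats an unresolved tag — if it aborts the config pass (which I believe it does for a missing key), the "values are missing, clustering is simply not secured" behaviour described in the commit message does not hold and every mysql node fails to configure instead of degrading. Guarding the reference with a section, `{{#mysql.cluster_certificate}}{{mysql.cluster_certificate}}{{/mysql.cluster_certificate}}`, mirrors the guard already used in cluster.cnf and leaves an empty file rather than an error; alternatively confirm that the tripleo-heat-templates change always supplies both parameters. Either way the element's README should state that certificate and key must be provided together, since cluster.cnf enables SSL on the presence of the key alone.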
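Review bot: The private-key template is committed as `create mode 100644`, so os-apply-config will render /etc/ssl/mysql/from-heat.key world-readable and it stays that way until the post-configure permissions script runs, leaving a window in which any local user can read the cluster key. Committing the template with mode 0600 (`chmod 600 elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key`) lets the file be created restrictive from the start, assuming os-apply-config preserves the template's mode — confirm that; if it does not, the later chmod remains the only protection and the window should at least be documented. A one-line note in the element README, that the key material is carried in Heat metadata and written to the root filesystem rather than /mnt/state, would also help operators reason about where the secret lives.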
diff --git a/elements/mysql-common/os-apply-config/mnt/state/etc/mysql/conf.d/cluster.cnf b/elements/mysql-common/os-apply-config/mnt/state/etc/mysql/conf.d/cluster.cnf
index 3681e9d80..75b6550a5 100644
--- a/elements/mysql-common/os-apply-config/mnt/state/etc/mysql/conf.d/cluster.cnf
+++ b/elements/mysql-common/os-apply-config/mnt/state/etc/mysql/conf.d/cluster.cnf
@@ -14,3 +14,8 @@ wsrep_sst_method=rsync
 # Cluster name
 wsrep_cluster_name=tripleo-{{mysql.cluster_name}}
+
+{{#mysql.cluster_key}}
+# Security options
+wsrep_provider_options="gmcast.listen_addr=tcp://{{local-ipv4}}:4567; socket.ssl_cert=/etc/ssl/mysql/from-heat.crt; socket.ssl_key=/etc/ssl/mysql/from-heat.key"
+{{/mysql.cluster_key}}
diff --git a/elements/mysql-common/os-refresh-config/post-configure.d/10-mysql-permissions b/elements/mysql-common/os-refresh-config/post-configure.d/10-mysql-permissions
index b0e8a3f4c..45093c46f 100755
--- a/elements/mysql-common/os-refresh-config/post-configure.d/10-mysql-permissions
+++ b/elements/mysql-common/os-refresh-config/post-configure.d/10-mysql-permissions
@@ -2,3 +2,13 @@ set -eu
 chmod 600 /mnt/state/etc/mysql/debian.cnf /mnt/state/etc/mysql/dbusers.json /mnt/state/etc/mysql/static-dbusers.json /mnt/state/root/metadata.my.cnf
+
+# Galera clustering certificates
+if [ -f /etc/ssl/mysql/from-heat.crt ]; then
+ chown mysql /etc/ssl/mysql/from-heat.crt
+ chmod 600 /etc/ssl/mysql/from-heat.crt
+fi
+if [ -f /etc/ssl/mysql/from-heat.key ]; then
+ chown mysql /etc/ssl/mysql/from-heat.key
+ chmod 600 /etc/ssl/mysql/from-heat.key
+fi
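Review bot: The new `socket.ssl_cert`/`socket.ssl_key` options only protect the gcomm replication channel on port 4567; the state snapshot transfer remains `wsrep_sst_method=rsync` (visible in the hunk's context), which copies the entire datadir across the network in the clear, so a joining or recovering node still exposes all data to an on-path attacker. That limitation should be stated next to the option, e.g. `# NOTE: socket.ssl_* covers gcomm traffic (4567) only; the rsync SST is not encrypted`, and the commit message's "secure clustering" claim qualified — moving SST to an encrypted method is a reasonable follow-up. Separately, no `socket.ssl_ca` is configured, so whether peers are authenticated against anything at all depends on the Galera version's defaults; if the intent is mutual authentication between nodes, add `socket.ssl_ca=/etc/ssl/mysql/from-heat.crt` (or a real CA bundle) to the same option string and confirm the behaviour against the deployed Galera release.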
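Review bot: The two `if [ -f … ]` blocks are line-for-line copies differing only in the path, which invites drift when a third file (a CA bundle, say) is added; a loop over the paths keeps one copy of the chown/chmod logic, and keeping the `if` rather than a `&&` chain matters under `set -e` because a missing file must not make the script's final status non-zero. `chown mysql` also sets only the owner, leaving the group as whatever os-apply-config created the file with — harmless with mode 600, but `chown mysql:mysql` would make the intended ownership explicit; I have left the original form in the sketch so behaviour is unchanged.
```shell
# Galera clustering certificates: restrict the cert/key pair to the mysql user
for f in /etc/ssl/mysql/from-heat.crt /etc/ssl/mysql/from-heat.key; do
    if [ -f "$f" ]; then
        chown mysql "$f"
        chmod 600 "$f"
    fi
done
```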