summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichele Baldessari <michele@acksyn.org>2016-05-10 19:14:54 +0000
committerGiulio Fidente <gfidente@redhat.com>2016-05-19 06:38:55 +0000
commite734d752d4f37e93a1637560f9f515320bbe68c5 (patch)
treeeda203fe3ed87c4d52956c067017bd6935f0f1b3
parentaeb9482f4b1ec9d78dc3ac44ee3c0b180cd27574 (diff)
Tighten the access rules for galera
Set a password for the 'root' db user and add an additional 'clustercheck' user to be used only by the resource agent. The password for this 'clustercheck' user is randomly generated via a heat parameter. Before this change the workflow to set up the database in the manifest is the following: - Step 1 -> Install all the basic galera packages and basic configuration - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty password - Step 2.b -> Start up galera-monitor xinetd service - Step 2.c -> Start pacemaker ocf resource (no root user has been created so there will be an empty password per default) - Step 2.d -> Wait for /bin/clustercheck to return success and then proceed with the other steps After this change the workflow is slightly more complex because there is a bit of a chicken and egg problem: - Step 1 -> Install all the basic galera packages and basic configuration - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty password unless the file does exists already and has a clustercheck user configured - Step 2.b -> Start up galera-monitor xinetd service - Step 2.c -> Start pacemaker ocf resource (no root user has been created yet, so there will be an empty password per default) - Step 2.d -> Wait for /bin/clustercheck to return success and then proceed with the other steps - Step 2.e -> Create clustercheck db user - Step 3/4 -> Create /etc/sysconfig/clustercheck with clustercheck user credentials - Step 5.a -> Update the sql root password on the each node (at this stage - Step 5.b -> Create /root/.my.cnf with proper credentials on all nodes Note that we cannot really create the root/clustercheck users right at step 1 because the db is not running yet (an approach that spawned mysqld on each node, created the users and shut it down, was tried but was much more complex and cannot work on updating existing setups) Given the new way of solving the root password issue, we also need to make sure that Step1 and Step2 are running on updates. Closes-bug: #1581677 Depends-On: I83eed8885503043e881db34411616f9726e00352 Change-Id: If3d6e7253af6195b96129be7ea3348d697e4bae1
-rw-r--r--puppet/controller-post.yaml2
-rw-r--r--puppet/controller.yaml5
-rw-r--r--puppet/manifests/overcloud_controller_pacemaker.pp72
3 files changed, 68 insertions, 11 deletions
diff --git a/puppet/controller-post.yaml b/puppet/controller-post.yaml
index 705e4b90..36f9b4f8 100644
--- a/puppet/controller-post.yaml
+++ b/puppet/controller-post.yaml
@@ -55,7 +55,6 @@ resources:
input_values:
step: 1
update_identifier: {get_param: NodeConfigIdentifiers}
- actions: ['CREATE'] # no need for two passes on an UPDATE
ControllerServicesBaseDeployment_Step2:
type: OS::Heat::StructuredDeployments
@@ -67,7 +66,6 @@ resources:
input_values:
step: 2
update_identifier: {get_param: NodeConfigIdentifiers}
- actions: ['CREATE'] # no need for two passes on an UPDATE
ControllerOvercloudServicesDeployment_Step3:
type: OS::Heat::StructuredDeployments
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index d38a24e7..289d71a0 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -310,6 +310,9 @@ parameters:
description: Configures MySQL max_connections config setting
type: number
default: 4096
+ MysqlClustercheckPassword:
+ type: string
+ hidden: true
MysqlRootPassword:
type: string
hidden: true
@@ -952,6 +955,7 @@ resources:
mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql_root_password: {get_param: MysqlRootPassword}
+ mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
mysql_cluster_name:
str_replace:
template: tripleo-CLUSTER
@@ -1376,6 +1380,7 @@ resources:
mysql_innodb_buffer_pool_size: {get_input: mysql_innodb_buffer_pool_size}
mysql_max_connections: {get_input: mysql_max_connections}
mysql::server::root_password: {get_input: mysql_root_password}
+ mysql_clustercheck_password: {get_input: mysql_clustercheck_password}
mysql_cluster_name: {get_input: mysql_cluster_name}
mysql_bind_host: {get_input: mysql_network}
mysql_virtual_ip: {get_input: mysql_virtual_ip}
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 1890918e..b99f434d 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -349,6 +349,16 @@ if hiera('step') >= 2 {
}
}
+ $mysql_root_password = hiera('mysql::server::root_password')
+ $mysql_clustercheck_password = hiera('mysql_clustercheck_password')
+ # This step is to create a sysconfig clustercheck file with the root user and empty password
+ # on the first install only (because later on the clustercheck db user will be used)
+ # We are using exec and not file in order to not have duplicate definition errors in puppet
+ # when we later set the the file to contain the clustercheck data
+ exec { 'create-root-sysconfig-clustercheck':
+ command => "/bin/echo 'MYSQL_USERNAME=root\nMYSQL_PASSWORD=\'\'\nMYSQL_HOST=localhost\n' > /etc/sysconfig/clustercheck",
+ unless => '/bin/test -e /etc/sysconfig/clustercheck && grep -q clustercheck /etc/sysconfig/clustercheck',
+ }
exec { 'galera-ready' :
command => '/usr/bin/clustercheck >/dev/null',
@@ -356,14 +366,7 @@ if hiera('step') >= 2 {
tries => 180,
try_sleep => 10,
environment => ['AVAILABLE_WHEN_READONLY=0'],
- require => File['/etc/sysconfig/clustercheck'],
- }
-
- file { '/etc/sysconfig/clustercheck' :
- ensure => file,
- content => "MYSQL_USERNAME=root\n
-MYSQL_PASSWORD=''\n
-MYSQL_HOST=localhost\n",
+ require => Exec['create-root-sysconfig-clustercheck'],
}
xinetd::service { 'galera-monitor' :
@@ -376,7 +379,24 @@ MYSQL_HOST=localhost\n",
service_type => 'UNLISTED',
user => 'root',
group => 'root',
- require => File['/etc/sysconfig/clustercheck'],
+ require => Exec['create-root-sysconfig-clustercheck'],
+ }
+ # We add a clustercheck db user and we will switch /etc/sysconfig/clustercheck
+ # to it in a later step. We do this only on one node as it will replicate on
+ # the other members. We also make sure that the permissions are the minimum necessary
+ if $pacemaker_master {
+ mysql_user { 'clustercheck@localhost':
+ ensure => 'present',
+ password_hash => mysql_password($mysql_clustercheck_password),
+ require => Exec['galera-ready'],
+ }
+ mysql_grant { 'clustercheck@localhost/*.*':
+ ensure => 'present',
+ options => ['GRANT'],
+ privileges => ['PROCESS'],
+ table => '*.*',
+ user => 'clustercheck@localhost',
+ }
}
# Create all the database schemas
@@ -470,6 +490,17 @@ MYSQL_HOST=localhost\n",
} #END STEP 2
if hiera('step') >= 4 or ( hiera('step') >= 3 and $sync_db ) {
+ # At this stage we are guaranteed that the clustercheck db user exists
+ # so we switch the resource agent to use it.
+ file { '/etc/sysconfig/clustercheck' :
+ ensure => file,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ content => "MYSQL_USERNAME=clustercheck\n
+MYSQL_PASSWORD='${mysql_clustercheck_password}'\n
+MYSQL_HOST=localhost\n",
+ }
$nova_ipv6 = hiera('nova::use_ipv6', false)
if $nova_ipv6 {
@@ -1007,6 +1038,29 @@ if hiera('step') >= 4 or ( hiera('step') >= 3 and $sync_db ) {
} #END STEP 4
if hiera('step') >= 5 {
+ # We now make sure that the root db password is set to a random one
+ # At first installation /root/.my.cnf will be empty and we connect without a root
+ # password. On second runs or updates /root/.my.cnf will already be populated
+ # with proper credentials. This step happens on every node because this sql
+ # statement does not automatically replicate across nodes.
+ exec { 'galera-set-root-password':
+ command => "/bin/touch /root/.my.cnf && /bin/echo \"UPDATE mysql.user SET Password = PASSWORD('${mysql_root_password}') WHERE user = 'root'; flush privileges;\" | /bin/mysql --defaults-extra-file=/root/.my.cnf -u root",
+ }
+ file { '/root/.my.cnf' :
+ ensure => file,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ content => "[client]
+user=root
+password=\"${mysql_root_password}\"
+
+[mysql]
+user=root
+password=\"${mysql_root_password}\"",
+ require => Exec['galera-set-root-password'],
+ }
+
$nova_enable_db_purge = hiera('nova_enable_db_purge', true)
$cinder_enable_db_purge = hiera('cinder_enable_db_purge', true)
$heat_enable_db_purge = hiera('heat_enable_db_purge', true)