diff --git a/charts/mysqlclient-utility/templates/bin/utility/_create_test_database.sh.tpl b/charts/mysqlclient-utility/templates/bin/utility/_create_test_database.sh.tpl index 6025e428..aecd52c9 100644 --- a/charts/mysqlclient-utility/templates/bin/utility/_create_test_database.sh.tpl +++ b/charts/mysqlclient-utility/templates/bin/utility/_create_test_database.sh.tpl @@ -9,7 +9,6 @@ IFS=', ' read -re -a BACKUP_RESTORE_NAMESPACE_ARRAY <<< "$BACKUP_RESTORE_NAMESPA ADMIN_USER_CNF=$(mktemp -p /tmp) CERT_DIR=$(mktemp -d) TLS_SECRET={{ $envAll.Values.conf.mariadb_backup_restore.secrets.tls_secret }} -TEST_DB_USER="${TEST_DB_NAME}_user" function cleanup { rm -f "${ADMIN_USER_CNF}" 
@@ -78,21 +77,24 @@ do echo "Test database created in namespace $NAMESPACE." fi - # Verify if test user exists already - DB_ARGS="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" - if ${MYSQL} --execute="${DB_ARGS}" 2>/dev/null | grep ${TEST_DB_USER}; then - echo "Test user already exists in namespace ${NAMESPACE}." + if [[ -n ${TEST_DB_USER} ]]; then + # Verify if test user exists already + DB_ARGS="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" + if ${MYSQL} --execute="${DB_ARGS}" 2>/dev/null | grep ${TEST_DB_USER}; then + echo "Test user already exists in namespace ${NAMESPACE}." + else + # Add a test user that has access only to this database + ${MYSQL} --execute="CREATE USER '${TEST_DB_USER}'@'%' IDENTIFIED BY '${TEST_DB_USER}';" + echo "Test user created in namespace ${NAMESPACE}." + fi + + # Grant privileges for the test database to the test user. + # Note: this will not fail if the grants already exist. + DB_ARGS="GRANT ALL PRIVILEGES ON ${TEST_DB_NAME}.* TO '${TEST_DB_USER}'@'%' \ + ;FLUSH PRIVILEGES;" + ${MYSQL} --execute="${DB_ARGS}" + echo "Test user is granted access to the test database in namespace ${NAMESPACE}." else - # Add a test user that has access only to this database - ${MYSQL} --execute="CREATE USER '${TEST_DB_USER}'@'%' IDENTIFIED BY '${TEST_DB_USER}';" - echo "Test user created in namespace ${NAMESPACE}." + echo "No test user configured to access test database in namespace ${NAMESPACE}" fi - - # Grant privileges for the test database to the test user. - # Note: this will not fail if the grants already exist. - DB_ARGS="GRANT ALL PRIVILEGES ON ${TEST_DB_NAME}.* TO '${TEST_DB_USER}'@'%' \ - ;FLUSH PRIVILEGES;" - ${MYSQL} --execute="${DB_ARGS}" - echo "Test user is granted access to the test database in namespace ${NAMESPACE}." - done diff --git a/charts/mysqlclient-utility/templates/bin/utility/_mysqlutils.sh.tpl b/charts/mysqlclient-utility/templates/bin/utility/_mysqlutils.sh.tpl index 7e8d53d8..670bd0db 100644 
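Review bot: The re-indented `CREATE USER '${TEST_DB_USER}'@'%' IDENTIFIED BY '${TEST_DB_USER}';` still sets the account's password to its own name and accepts it from any host, and the name now comes from chart values (default `test_database_user`), so the credential can be read straight from the chart. The account then receives `GRANT ALL PRIVILEGES ON ${TEST_DB_NAME}.*`. I would take the password from a secret-backed variable instead, e.g. `IDENTIFIED BY '${TEST_DB_PASSWORD}'` (a new variable, name illustrative), and narrow the `'%'` host pattern if the test client's source is known. The enclosing `do … done` loop starts above the hunk.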
--- a/charts/mysqlclient-utility/templates/bin/utility/_mysqlutils.sh.tpl +++ b/charts/mysqlclient-utility/templates/bin/utility/_mysqlutils.sh.tpl @@ -1,7 +1,5 @@ #!/bin/bash -TEST_DB_USER="${TEST_DB_NAME}_user" - function database_cmd() { echo "mysql --defaults-file=/etc/mysql/admin_user.cnf --connect-timeout 10" } @@ -110,17 +108,21 @@ function create_user_grants() { CREATE_GRANTS_ARGS=("$@") - MYSQL_CMD=$(database_cmd) - DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" - USERS=$(kubectl exec -it -n "${CREATE_GRANTS_ARGS[1]}" "${CREATE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" 2>/dev/null | grep ${TEST_DB_USER} | wc -l) - if [[ ${USERS} -eq 1 ]]; then - DB_CMD="GRANT ALL PRIVILEGES ON ${TEST_DB_NAME}.* TO '${TEST_DB_USER}'@'%'; \ - FLUSH PRIVILEGES;" + if [[ -n ${TEST_DB_USER} ]]; then + MYSQL_CMD=$(database_cmd) + DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" + USERS=$(kubectl exec -it -n "${CREATE_GRANTS_ARGS[1]}" "${CREATE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" 2>/dev/null | grep ${TEST_DB_USER} | wc -l) + if [[ ${USERS} -eq 1 ]]; then + DB_CMD="GRANT ALL PRIVILEGES ON ${TEST_DB_NAME}.* TO '${TEST_DB_USER}'@'%'; \ + FLUSH PRIVILEGES;" - # Execute the command in the on-demand pod - kubectl exec -it -n "${CREATE_GRANTS_ARGS[1]}" "${CREATE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" + # Execute the command in the on-demand pod + kubectl exec -it -n "${CREATE_GRANTS_ARGS[1]}" "${CREATE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" + else + echo "Test user does not exist in namespace ${NAMESPACE}." + fi else - echo "Test user does not exist in namespace ${NAMESPACE}." + echo "Test user was not deployed in namespace ${NAMESPACE}" fi } 
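Review bot: `TEST_DB_USER` is now an operator-supplied chart value, yet create_user_grants pastes it unvalidated into the `SELECT` and `GRANT` text executed through `--defaults-file=/etc/mysql/admin_user.cnf` and into an unquoted `grep ${TEST_DB_USER}`. A value containing a quote, whitespace or a glob character changes the SQL statement or the shell words, and the substring grep also counts longer account names that contain it. I would validate once before the first use, `[[ ${TEST_DB_USER} =~ ^[A-Za-z0-9_]+$ ]] || { echo "invalid TEST_DB_USER" >&2; return 1; }`, and match with `grep -w -- "${TEST_DB_USER}"`. The same interpolation appears in the query_user and delete_user_grants hunks of this file and in _create_test_database.sh.tpl; the function body begins above the hunk.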
@@ -134,46 +136,50 @@ function query_user() { QUERY_ARGS=("$@") - MYSQL_CMD=$(database_cmd) + if [[ -n ${TEST_DB_USER} ]]; then + MYSQL_CMD=$(database_cmd) - # Retrieve the test user - DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" + # Retrieve the test user + DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" - # Execute the command in the on-demand pod - # Result should look like this: (assuming TEST_DB_NAME = test) - # +----------------+ - # | user | - # +----------------+ - # | test_user | - # +----------------+ - # 1 row in set (0.00 sec) - USERS=$(kubectl exec -it -n "${QUERY_ARGS[1]}" "${QUERY_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" | grep ${TEST_DB_USER} | wc -l) - if [[ ${USERS} -ne 1 ]]; then - # There should only be one user - echo "${TEST_DB_USER} does not exist" - return + # Execute the command in the on-demand pod + # Result should look like this: (assuming TEST_DB_NAME = test) + # +----------------+ + # | user | + # +----------------+ + # | test_user | + # +----------------+ + # 1 row in set (0.00 sec) + USERS=$(kubectl exec -it -n "${QUERY_ARGS[1]}" "${QUERY_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" | grep ${TEST_DB_USER} | wc -l) + if [[ ${USERS} -ne 1 ]]; then + # There should only be one user + echo "${TEST_DB_USER} does not exist" + return + fi + + # Retrieve the grants for this test user in the test database + DB_CMD="SHOW GRANTS FOR '${TEST_DB_USER}'@'%';" + + # Execute the command in the on-demand pod + # Result should look like this: (assuming TEST_DB_NAME = test) + # +---------------------------------------------------------------------------------------------------------------+ + # | Grants for test_user@% | + # +---------------------------------------------------------------------------------------------------------------+ + # | GRANT USAGE ON *.* TO 'test_user'@'%' IDENTIFIED BY PASSWORD ''; | + # | GRANT ALL PRIVILEGES ON `test`.* TO 'test_user'@'%' | + # 
+---------------------------------------------------------------------------------------------------------------+ + # 2 rows in set (0.00 sec) + GRANTS=$(kubectl exec -it -n "${QUERY_ARGS[1]}" "${QUERY_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" | grep "GRANT.*${TEST_DB_USER}" | wc -l) + if [[ ${GRANTS} -ne 2 ]]; then + # There should only be 2 GRANT statements for this user + echo "${TEST_DB_USER} does not have the correct grants" + return + fi + + echo "${TEST_DB_USER} exists and has the correct grants." + else + echo "Test user was not deployed in namespace ${NAMESPACE}" fi - - # Retrieve the grants for this test user in the test database - DB_CMD="SHOW GRANTS FOR '${TEST_DB_USER}'@'%';" - - # Execute the command in the on-demand pod - # Result should look like this: (assuming TEST_DB_NAME = test) - # +---------------------------------------------------------------------------------------------------------------+ - # | Grants for test_user@% | - # +---------------------------------------------------------------------------------------------------------------+ - # | GRANT USAGE ON *.* TO 'test_user'@'%' IDENTIFIED BY PASSWORD ''; | - # | GRANT ALL PRIVILEGES ON `test`.* TO 'test_user'@'%' | - # +---------------------------------------------------------------------------------------------------------------+ - # 2 rows in set (0.00 sec) - GRANTS=$(kubectl exec -it -n "${QUERY_ARGS[1]}" "${QUERY_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" | grep "GRANT.*${TEST_DB_USER}" | wc -l) - if [[ ${GRANTS} -ne 2 ]]; then - # There should only be 2 GRANT statements for this user - echo "${TEST_DB_USER} does not have the correct grants" - return - fi - - echo "${TEST_DB_USER} exists and has the correct grants." } # Params: 
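Review bot: The added else branch prints `${NAMESPACE}`, but nothing visible in query_user assigns it; the function takes the namespace from `QUERY_ARGS[1]`, so the message shows whatever a caller left in the global, or an empty string. `echo "Test user was not deployed in namespace ${QUERY_ARGS[1]}"` would report the namespace actually queried. The added else branches in the create_user_grants and delete_user_grants hunks of this file have the same issue with their own argument arrays. query_user begins above the hunk, so an assignment outside the visible lines cannot be ruled out.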
@@ -185,17 +191,21 @@ function delete_user_grants() { DELETE_GRANTS_ARGS=("$@") - MYSQL_CMD=$(database_cmd) - DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" - USERS=$(kubectl exec -it -n "${DELETE_GRANTS_ARGS[1]}" "${DELETE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" 2>/dev/null | grep ${TEST_DB_USER} | wc -l) - if [[ ${USERS} -eq 1 ]]; then - DB_CMD="REVOKE ALL PRIVILEGES ON ${TEST_DB_NAME}.* FROM '${TEST_DB_USER}'@'%'; \ - FLUSH PRIVILEGES;" + if [[ -n ${TEST_DB_USER} ]]; then + MYSQL_CMD=$(database_cmd) + DB_CMD="SELECT user FROM mysql.user WHERE user='${TEST_DB_USER}';" + USERS=$(kubectl exec -it -n "${DELETE_GRANTS_ARGS[1]}" "${DELETE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" 2>/dev/null | grep ${TEST_DB_USER} | wc -l) + if [[ ${USERS} -eq 1 ]]; then + DB_CMD="REVOKE ALL PRIVILEGES ON ${TEST_DB_NAME}.* FROM '${TEST_DB_USER}'@'%'; \ + FLUSH PRIVILEGES;" - # Execute the command in the on-demand pod - kubectl exec -it -n "${DELETE_GRANTS_ARGS[1]}" "${DELETE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" + # Execute the command in the on-demand pod + kubectl exec -it -n "${DELETE_GRANTS_ARGS[1]}" "${DELETE_GRANTS_ARGS[2]}" -- ${MYSQL_CMD} --execute="${DB_CMD}" + else + echo "Test user does not exist in namespace ${NAMESPACE}." + fi else - echo "Test user does not exist in namespace ${NAMESPACE}." + echo "Test user was not deployed in namespace ${NAMESPACE}" fi } diff --git a/charts/mysqlclient-utility/templates/deployment-utility.yaml b/charts/mysqlclient-utility/templates/deployment-utility.yaml index c121effe..6187f7aa 100644 --- a/charts/mysqlclient-utility/templates/deployment-utility.yaml +++ b/charts/mysqlclient-utility/templates/deployment-utility.yaml 
@@ -128,6 +128,10 @@ spec: {{- if .Values.manifests.create_test_database }} - name: TEST_DB_NAME value: {{ .Values.conf.mariadb_backup_restore.test_database_name | quote }} + {{- if .Values.conf.mariadb_backup_restore.test_database_user }} + - name: TEST_DB_USER + value: {{ .Values.conf.mariadb_backup_restore.test_database_user | quote }} + {{- end }} {{- end }} - name: BACKUP_RESTORE_SCOPE value: "mariadb" diff --git a/charts/mysqlclient-utility/values.yaml b/charts/mysqlclient-utility/values.yaml index e84b9532..293da4aa 100644 --- a/charts/mysqlclient-utility/values.yaml +++ b/charts/mysqlclient-utility/values.yaml @@ -105,6 +105,7 @@ conf: mariadb_backup_restore: enabled_namespaces: "" test_database_name: "test_database" + test_database_user: "test_database_user" secrets: rgw_secret: mariadb-backup-user conf_secret: mariadb-backup-restore diff --git a/charts/postgresql-utility/templates/bin/utility/_create_test_database.sh.tpl b/charts/postgresql-utility/templates/bin/utility/_create_test_database.sh.tpl index d7b88573..930165d4 100644 --- a/charts/postgresql-utility/templates/bin/utility/_create_test_database.sh.tpl +++ b/charts/postgresql-utility/templates/bin/utility/_create_test_database.sh.tpl @@ -3,7 +3,6 @@ set -e +x IFS=', ' read -re -a BACKUP_RESTORE_NAMESPACE_ARRAY <<< "$BACKUP_RESTORE_NAMESPACE_LIST" -TEST_DB_USER="${TEST_DB_NAME}_user" TEST_TABLE="test_table1" function database_cmd() { 
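Review bot: The new `test_database_user` default in values.yaml has no comment, and the upgrade behaviour is not obvious: earlier releases derived the account as `${TEST_DB_NAME}_user`, so a deployment with a custom `test_database_name`, or one that now sets the value empty, keeps the old account. Nothing in this diff revokes or drops that account, so it would remain with its grants and its name-as-password credential. I would add a comment above the key such as `# Account granted access to test_database_name; leave empty to skip test-user creation. Accounts created by earlier releases as "<test_database_name>_user" are not removed.` The same applies to the postgresql-utility values.yaml hunk.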
@@ -46,16 +45,20 @@ EOF INSERT INTO ${TEST_TABLE} VALUES ( 'name1', '1' ); EOF - # Create a test user if it has not been created before. - if ${PSQL} -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then - echo "Test user already exists in namespace ${NAMESPACE}" - else - ${PSQL} -tc "CREATE ROLE ${TEST_DB_USER};" - echo "Test user created in namespace ${NAMESPACE}." - fi + if [[ -n ${TEST_DB_USER} ]]; then + # Create a test user if it has not been created before. + if ${PSQL} -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then + echo "Test user already exists in namespace ${NAMESPACE}" + else + ${PSQL} -tc "CREATE ROLE ${TEST_DB_USER};" + echo "Test user created in namespace ${NAMESPACE}." + fi - # Note, if the GRANT is already there, the following command will not fail, - # so no need to check existence first. - ${PSQL} -tc "GRANT ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} TO ${TEST_DB_USER};" - echo "Test user is granted permissions to the test database in namespace ${NAMESPACE}." + # Note, if the GRANT is already there, the following command will not fail, + # so no need to check existence first. + ${PSQL} -tc "GRANT ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} TO ${TEST_DB_USER};" + echo "Test user is granted permissions to the test database in namespace ${NAMESPACE}." + else + echo "No test user configured to access test database in namespace ${NAMESPACE}" + fi done diff --git a/charts/postgresql-utility/templates/bin/utility/_pgutils.sh.tpl b/charts/postgresql-utility/templates/bin/utility/_pgutils.sh.tpl index 77c2a849..de35bba0 100644 --- a/charts/postgresql-utility/templates/bin/utility/_pgutils.sh.tpl +++ b/charts/postgresql-utility/templates/bin/utility/_pgutils.sh.tpl @@ -1,7 +1,5 @@ #!/bin/bash -TEST_DB_USER="${TEST_DB_NAME}_user" - function database_cmd() { NAMESPACE=$1 
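Review bot: `CREATE ROLE ${TEST_DB_USER};` and the following `GRANT` use the configured name as an unquoted identifier, while the existence probe compares it as the string literal `rolname='${TEST_DB_USER}'`. PostgreSQL folds unquoted identifiers to lower case, so a value such as `TestUser` (constructed example) creates `testuser`, the probe never matches, and the next run fails on `CREATE ROLE` under the script's `set -e`. Either restrict the value before use, `[[ ${TEST_DB_USER} =~ ^[a-z_][a-z0-9_]*$ ]] || { echo "invalid TEST_DB_USER" >&2; exit 1; }`, or double-quote the identifier inside the SQL. The create_user_grants and delete_user_grants hunks in _pgutils.sh.tpl interpolate the value the same way; the enclosing loop starts above this hunk.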
@@ -147,14 +145,18 @@ function create_user_grants() { CREATE_GRANTS_ARGS=("$@") NAMESPACE=${CREATE_GRANTS_ARGS[1]} - DB_CMD=$(database_cmd ${NAMESPACE}) + if [[ -n ${TEST_DB_USER} ]]; then + DB_CMD=$(database_cmd ${NAMESPACE}) - # If the test user and grants do not exist already, - # give the test user privilege to access the test database - if ${DB_CMD} -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then - ${DB_CMD} -tc "GRANT ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} TO ${TEST_DB_USER};" + # If the test user and grants do not exist already, + # give the test user privilege to access the test database + if ${DB_CMD} -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then + ${DB_CMD} -tc "GRANT ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} TO ${TEST_DB_USER};" + else + echo "Test user does not exist in namespace ${NAMESPACE}" + fi else - echo "Test user does not exist in namespace ${NAMESPACE}" + echo "Test user was not deployed in namespace ${NAMESPACE}" fi } 
@@ -171,43 +173,47 @@ function query_user() { QUERY_ARGS=("$@") NAMESPACE=${QUERY_ARGS[1]} - DB_CMD=$(database_cmd ${NAMESPACE}) + if [[ -n ${TEST_DB_USER} ]]; then + DB_CMD=$(database_cmd ${NAMESPACE}) - # Sub-command to retrieve the test user - DB_ARGS="\du ${TEST_DB_USER}" + # Sub-command to retrieve the test user + DB_ARGS="\du ${TEST_DB_USER}" - # Execute the command to query for the test user - # Result should look like this: (assuming TEST_DB_NAME = test) - # List of roles - # Role name | Attributes | Member of - # -------------------------+--------------+----------- - # test_user | Cannot login | {} - USERS=$(${DB_CMD} -tc ${DB_ARGS} | grep ${TEST_DB_USER} | wc -l) - if [[ ${USERS} -ne 1 ]]; then - # There should only be one user - echo "${TEST_DB_USER} does not exist" - return + # Execute the command to query for the test user + # Result should look like this: (assuming TEST_DB_NAME = test) + # List of roles + # Role name | Attributes | Member of + # -------------------------+--------------+----------- + # test_user | Cannot login | {} + USERS=$(${DB_CMD} -tc ${DB_ARGS} | grep ${TEST_DB_USER} | wc -l) + if [[ ${USERS} -ne 1 ]]; then + # There should only be one user + echo "${TEST_DB_USER} does not exist" + return + fi + + # Sub-command to retrieve the grants for the test database + DB_ARGS="\l+ ${TEST_DB_NAME}" + + # Execute the command to query the grants for the test user. 
+ # Result should look like this: (assuming TEST_DB_NAME = test) + # List of databases + # Name | Owner | Encoding | Collate | Ctype | Access privileges | Size | Tablespace | Description + # --------------------+----------+----------+------------+------------+--------------------------------------+---------+------------+------------- + # test | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =Tc/postgres +| 7087 kB | pg_default | + # | | | | | postgres=CTc/postgres +| | | + # | | | | | test_user=CTc/postgres | | | + GRANTS=$(${DB_CMD} -tc ${DB_ARGS} | grep "${TEST_DB_USER}=CTc" | wc -l) + if [[ ${GRANTS} -ne 1 ]]; then + # There should only be 1 GRANT statement for this user + echo "${TEST_DB_USER} does not have the correct grants" + return + fi + + echo "${TEST_DB_USER} exists and has the correct grants." + else + echo "Test user was not deployed in namespace ${NAMESPACE}" fi - - # Sub-command to retrieve the grants for the test database - DB_ARGS="\l+ ${TEST_DB_NAME}" - - # Execute the command to query the grants for the test user. - # Result should look like this: (assuming TEST_DB_NAME = test) - # List of databases - # Name | Owner | Encoding | Collate | Ctype | Access privileges | Size | Tablespace | Description - # --------------------+----------+----------+------------+------------+--------------------------------------+---------+------------+------------- - # test | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =Tc/postgres +| 7087 kB | pg_default | - # | | | | | postgres=CTc/postgres +| | | - # | | | | | test_user=CTc/postgres | | | - GRANTS=$(${DB_CMD} -tc ${DB_ARGS} | grep "${TEST_DB_USER}=CTc" | wc -l) - if [[ ${GRANTS} -ne 1 ]]; then - # There should only be 1 GRANT statement for this user - echo "${TEST_DB_USER} does not have the correct grants" - return - fi - - echo "${TEST_DB_USER} exists and has the correct grants." } # Params: 
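Review bot: `${DB_CMD} -tc ${DB_ARGS}` expands `DB_ARGS` unquoted, so `\du ${TEST_DB_USER}` is word-split and psql receives only `\du` as the `-c` command, with the user name as a separate positional argument. Depending on what database_cmd already supplies, psql will likely treat that argument as a database or login name, and the role filter is then left entirely to the substring `grep`. With the name now freely configurable, I would quote both calls, `${DB_CMD} -tc "${DB_ARGS}"`, for the `\du` lookup and for the `\l+ ${TEST_DB_NAME}` lookup. query_user begins above the hunk.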
@@ -220,13 +226,17 @@ function delete_user_grants() { DELETE_GRANTS_ARGS=("$@") NAMESPACE=${DELETE_GRANTS_ARGS[1]} - DB_CMD=$(database_cmd ${NAMESPACE}) + if [[ -n ${TEST_DB_USER} ]]; then + DB_CMD=$(database_cmd ${NAMESPACE}) - # Execute the commands to delete the grants. - if $DB_CMD -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then - ${DB_CMD} -tc "REVOKE ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} FROM ${TEST_DB_USER};" + # Execute the commands to delete the grants. + if $DB_CMD -tc "SELECT rolname FROM pg_roles WHERE rolname='${TEST_DB_USER}';" | grep ${TEST_DB_USER}; then + ${DB_CMD} -tc "REVOKE ALL PRIVILEGES ON DATABASE ${TEST_DB_NAME} FROM ${TEST_DB_USER};" + else + echo "Test user does not exist in namespace ${NAMESPACE}" + fi else - echo "Test user does not exist in namespace ${NAMESPACE}" + echo "Test user was not deployed in namespace ${NAMESPACE}" fi } @@ -309,5 +319,3 @@ function delete_backups() { done fi } - - diff --git a/charts/postgresql-utility/templates/deployment-utility.yaml b/charts/postgresql-utility/templates/deployment-utility.yaml index 17cab4fe..89a78f19 100644 --- a/charts/postgresql-utility/templates/deployment-utility.yaml +++ b/charts/postgresql-utility/templates/deployment-utility.yaml @@ -129,6 +129,10 @@ spec: {{- if .Values.manifests.create_test_database }} - name: TEST_DB_NAME value: {{ .Values.conf.postgresql_backup_restore.test_database_name | quote }} + {{- if .Values.conf.postgresql_backup_restore.test_database_user }} + - name: TEST_DB_USER + value: {{ .Values.conf.postgresql_backup_restore.test_database_user | quote }} + {{- end }} {{- end }} volumeMounts: - name: postgresql-utility-bin diff --git a/charts/postgresql-utility/values.yaml b/charts/postgresql-utility/values.yaml index cb29c6a5..a868934a 100644 --- a/charts/postgresql-utility/values.yaml +++ b/charts/postgresql-utility/values.yaml 
@@ -109,6 +109,7 @@ conf: postgresql_backup_restore: enabled_namespaces: "openstack" test_database_name: "test_database" + test_database_user: "test_database_user" secrets: rgw_secret: postgresql-backup-user conf_secret: postgresql-backup-restore