Add audit user to Mariadb

An audit user is added to Mariadb with only the SELECT permission to mysql database user table for database user audit purposes. Change-Id: I5d046dd263e0994fea66e69359931b7dba4a766c
2020-01-17 22:29:27 +00:00 · 2020-01-17 22:29:27 +00:00 · a4568f31e2
commit a4568f31e2
parent 6898fa7f9e
4 changed files with 92 additions and 18 deletions
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@ -99,6 +99,12 @@ if check_env_var("MYSQL_DBSST_USERNAME"):
    mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME']
 if check_env_var("MYSQL_DBSST_PASSWORD"):
    mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD']
+if check_env_var("MYSQL_DBAUDIT_USERNAME"):
+    mysql_dbaudit_username = os.environ['MYSQL_DBAUDIT_USERNAME']
+else:
+    mysql_dbaudit_username = ''
+if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
+    mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']

 if mysql_dbadmin_username == mysql_dbsst_username:
    logger.critical(
@ -258,16 +264,31 @@ def mysqld_bootstrap():
            'mysql_install_db', '--user=mysql',
            "--datadir={0}".format(mysql_data_dir)
        ], logger)
-        template = (
-            "DELETE FROM mysql.user ;\n"
-            "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
-            "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
-            "DROP DATABASE IF EXISTS test ;\n"
-            "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
-            "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
-            "FLUSH PRIVILEGES ;\n"
-            "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
-                                mysql_dbsst_username, mysql_dbsst_password))
+        if not mysql_dbaudit_username:
+            template = (
+                "DELETE FROM mysql.user ;\n"
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "DROP DATABASE IF EXISTS test ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password))
+        else:
+            template = (
+                "DELETE FROM mysql.user ;\n"
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "DROP DATABASE IF EXISTS test ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+                "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password,
+                                    mysql_dbaudit_username, mysql_dbaudit_password))
        bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
        with open(bootstrap_sql_file, 'w') as f:
            f.write(template)
@ -731,14 +752,27 @@ def run_mysqld(cluster='existing'):
    db_test_dir = "{0}/mysql".format(mysql_data_dir)
    if os.path.isdir(db_test_dir):
        logger.info("Setting the admin passwords to the current value")
-        template = (
-            "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
-            "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
-            "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
-            "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
-            "FLUSH PRIVILEGES ;\n"
-            "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
-                                mysql_dbsst_username, mysql_dbsst_password))
+        if not mysql_dbaudit_username:
+            template = (
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password))
+        else:
+            template = (
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+                "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password,
+                                    mysql_dbaudit_username, mysql_dbaudit_password))
        bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
        with open(bootstrap_sql_file, 'w') as f:
            f.write(template)
--- a/mariadb/templates/secret-dbaudit-password.yaml
+++ b/mariadb/templates/secret-dbaudit-password.yaml
@ -0,0 +1,27 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_dbaudit_password }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-dbaudit-password
+type: Opaque
+data:
+  MYSQL_DBAUDIT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.audit.password | b64enc }}
+{{- end }}
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@ -163,6 +163,15 @@ spec:
                secretKeyRef:
                  name: mariadb-dbsst-password
                  key: MYSQL_DBSST_PASSWORD
+            {{- if .Values.endpoints.oslo_db.auth.audit.username }}
+            - name: MYSQL_DBAUDIT_USERNAME
+              value: {{ .Values.endpoints.oslo_db.auth.audit.username }}
+            - name: MYSQL_DBAUDIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb-dbaudit-password
+                  key: MYSQL_DBAUDIT_PASSWORD
+            {{- end }}
          ports:
            - name: mysql
              protocol: TCP
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@ -462,6 +462,9 @@ endpoints:
      sst:
        username: sst
        password: password
+      audit:
+        username: audit
+        password: password
      exporter:
        username: exporter
        password: password
@ -532,6 +535,7 @@ manifests:
  pod_test: true
  secret_dbadmin_password: true
  secret_sst_password: true
+  secret_dbaudit_password: true
  secret_etc: true
  service_discovery: true
  service_ingress: true