Add audit user to Mariadb

An audit user is added to MariaDB with only the SELECT permission on the
`mysql.user` table, for database user audit purposes.

Change-Id: I5d046dd263e0994fea66e69359931b7dba4a766c
This commit is contained in:
Sophie Huang 2020-01-17 22:29:27 +00:00
parent 6898fa7f9e
commit a4568f31e2
4 changed files with 92 additions and 18 deletions


@ -99,6 +99,12 @@ if check_env_var("MYSQL_DBSST_USERNAME"):
mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME'] mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME']
if check_env_var("MYSQL_DBSST_PASSWORD"): if check_env_var("MYSQL_DBSST_PASSWORD"):
mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD'] mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD']
if check_env_var("MYSQL_DBAUDIT_USERNAME"):
mysql_dbaudit_username = os.environ['MYSQL_DBAUDIT_USERNAME']
else:
mysql_dbaudit_username = ''
if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']
if mysql_dbadmin_username == mysql_dbsst_username: if mysql_dbadmin_username == mysql_dbsst_username:
logger.critical( logger.critical(
@ -258,16 +264,31 @@ def mysqld_bootstrap():
'mysql_install_db', '--user=mysql', 'mysql_install_db', '--user=mysql',
"--datadir={0}".format(mysql_data_dir) "--datadir={0}".format(mysql_data_dir)
], logger) ], logger)
template = ( if not mysql_dbaudit_username:
"DELETE FROM mysql.user ;\n" template = (
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" "DELETE FROM mysql.user ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"DROP DATABASE IF EXISTS test ;\n" "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "DROP DATABASE IF EXISTS test ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"FLUSH PRIVILEGES ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, "FLUSH PRIVILEGES ;\n"
mysql_dbsst_username, mysql_dbsst_password)) "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password))
else:
template = (
"DELETE FROM mysql.user ;\n"
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"DROP DATABASE IF EXISTS test ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
"GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
"FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password,
mysql_dbaudit_username, mysql_dbaudit_password))
bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
with open(bootstrap_sql_file, 'w') as f: with open(bootstrap_sql_file, 'w') as f:
f.write(template) f.write(template)
@ -731,14 +752,27 @@ def run_mysqld(cluster='existing'):
db_test_dir = "{0}/mysql".format(mysql_data_dir) db_test_dir = "{0}/mysql".format(mysql_data_dir)
if os.path.isdir(db_test_dir): if os.path.isdir(db_test_dir):
logger.info("Setting the admin passwords to the current value") logger.info("Setting the admin passwords to the current value")
template = ( if not mysql_dbaudit_username:
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" template = (
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"FLUSH PRIVILEGES ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, "FLUSH PRIVILEGES ;\n"
mysql_dbsst_username, mysql_dbsst_password)) "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password))
else:
template = (
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
"GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
"FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password,
mysql_dbaudit_username, mysql_dbaudit_password))
bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
with open(bootstrap_sql_file, 'w') as f: with open(bootstrap_sql_file, 'w') as f:
f.write(template) f.write(template)
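Review bot: `mysql_dbaudit_password` is bound only when `MYSQL_DBAUDIT_PASSWORD` is present — the `if check_env_var("MYSQL_DBAUDIT_PASSWORD"):` branch has no `else`, unlike the username directly above it — so a container that exports the username alone reaches the `.format(..., mysql_dbaudit_username, mysql_dbaudit_password)` call in `mysqld_bootstrap` (and the same call in `run_mysqld`) with an unbound name and fails there instead of at the startup validation block. The audit name also skips the collision check the file already applies at `if mysql_dbadmin_username == mysql_dbsst_username:`; both new templates issue `CREATE OR REPLACE USER '{4}'@'%'` after the admin user has been granted `ALL ... WITH GRANT OPTION`, so an audit username equal to the admin username would drop and recreate the admin account with only `SELECT ON mysql.user`. Both checks belong next to the existing one and should fail the same way that branch does (its body continues past the hunk). The two near-identical templates in each function could instead be one base template with the two audit statements appended when `mysql_dbaudit_username` is set; `mysqld_bootstrap` and `run_mysqld` both start and end outside their hunks.
```python
if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
    mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']
else:
    mysql_dbaudit_password = ''
if mysql_dbaudit_username and not mysql_dbaudit_password:
    logger.critical("MYSQL_DBAUDIT_USERNAME is set but MYSQL_DBAUDIT_PASSWORD is empty")
    # … fail here the same way the dbadmin/dbsst collision branch below does …
if mysql_dbaudit_username and mysql_dbaudit_username in (mysql_dbadmin_username, mysql_dbsst_username):
    logger.critical("MYSQL_DBAUDIT_USERNAME must differ from the dbadmin and dbsst usernames")
    # … fail here the same way the dbadmin/dbsst collision branch below does …
# … unchanged: dbadmin/dbsst collision check …
```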


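--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_dbaudit_password }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: mariadb-dbaudit-password
+type: Opaque
+data:
+MYSQL_DBAUDIT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.audit.password | b64enc }}
+{{- end }}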
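Review bot: This secret is rendered under `manifests.secret_dbaudit_password`, while the deployment section that consumes it (`secretKeyRef` with `name: mariadb-dbaudit-password`) is rendered under `endpoints.oslo_db.auth.audit.username`; the two toggles are independent, so a values file with the username set and this manifest disabled yields a pod that references a missing secret and cannot start, and the opposite combination renders an unused secret. Tying the consumer to the same condition, e.g. `{{- if and .Values.manifests.secret_dbaudit_password .Values.endpoints.oslo_db.auth.audit.username }}` in the deployment, or documenting that both must be toggled together, avoids this. An empty `audit.password` also renders as an empty value after `b64enc`, which the bootstrap SQL would accept as an empty password; `{{ required "endpoints.oslo_db.auth.audit.password must be set" .Values.endpoints.oslo_db.auth.audit.password | b64enc }}` rejects that at template time.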


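--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -163,6 +163,15 @@ spec:
 secretKeyRef:
 name: mariadb-dbsst-password
 key: MYSQL_DBSST_PASSWORD
+{{- if .Values.endpoints.oslo_db.auth.audit.username }}
+- name: MYSQL_DBAUDIT_USERNAME
+value: {{ .Values.endpoints.oslo_db.auth.audit.username }}
+- name: MYSQL_DBAUDIT_PASSWORD
+valueFrom:
+secretKeyRef:
+name: mariadb-dbaudit-password
+key: MYSQL_DBAUDIT_PASSWORD
+{{- end }}
 ports:
 - name: mysql
 protocol: TCP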
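Review bot: `value: {{ .Values.endpoints.oslo_db.auth.audit.username }}` is emitted unquoted; an env var `value` in a pod spec must be a YAML string, so a username that YAML reads as a number or boolean is rejected at apply time. The existing dbsst entries in this block are not visible here, but the usual form is `value: {{ .Values.endpoints.oslo_db.auth.audit.username | quote }}`. The `secretKeyRef` has no `optional` flag, so the container will not start if `mariadb-dbaudit-password` is absent — acceptable as a fail-closed default, but worth a comment on the `{{- if` line noting that the secret manifest must be enabled whenever the username is set.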


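--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -462,6 +462,9 @@ endpoints:
 sst:
 username: sst
 password: password
+audit:
+username: audit
+password: password
 exporter:
 username: exporter
 password: password
@@ -532,6 +535,7 @@ manifests:
 pod_test: true
 secret_dbadmin_password: true
 secret_sst_password: true
+secret_dbaudit_password: true
 secret_etc: true
 service_discovery: true
 service_ingress: true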
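Review bot: `password: password` under the new `audit:` entry is a default credential for an account the bootstrap SQL creates at `'%'` with `SELECT ON mysql.user`, i.e. read access to the account table, including stored credential hashes, from any host. The neighbouring `sst` and `exporter` entries use the same placeholder, so this is consistent with the chart, but the new entry deserves a comment such as `# placeholder; override this value before deploying` so the expectation is explicit where an operator edits it. Since `username: audit` is non-empty by default, the deployment's audit env block is rendered by default and depends on `secret_dbaudit_password: true` also staying enabled.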