Add audit user to Mariadb

An audit user is added to Mariadb with only the SELECT permission
to mysql database user table for database user audit purposes.

Change-Id: I5d046dd263e0994fea66e69359931b7dba4a766c

mariadb/templates/bin/_start.py.tpl

@@ -99,6 +99,12 @@ if check_env_var("MYSQL_DBSST_USERNAME"):
     mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME']
 if check_env_var("MYSQL_DBSST_PASSWORD"):
     mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD']
+if check_env_var("MYSQL_DBAUDIT_USERNAME"):
+    mysql_dbaudit_username = os.environ['MYSQL_DBAUDIT_USERNAME']
+else:
+    mysql_dbaudit_username = ''
+if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
+    mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']
 
 if mysql_dbadmin_username == mysql_dbsst_username:
     logger.critical(
@@ -258,16 +264,31 @@ def mysqld_bootstrap():
             'mysql_install_db', '--user=mysql',
             "--datadir={0}".format(mysql_data_dir)
         ], logger)
-        template = (
+        if not mysql_dbaudit_username:
-            "DELETE FROM mysql.user ;\n"
+            template = (
-            "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "DELETE FROM mysql.user ;\n"
-            "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
-            "DROP DATABASE IF EXISTS test ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
-            "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "DROP DATABASE IF EXISTS test ;\n"
-            "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
-            "FLUSH PRIVILEGES ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
-            "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                "FLUSH PRIVILEGES ;\n"
-                                mysql_dbsst_username, mysql_dbsst_password))
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password))
+        else:
+            template = (
+                "DELETE FROM mysql.user ;\n"
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "DROP DATABASE IF EXISTS test ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+                "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password,
+                                    mysql_dbaudit_username, mysql_dbaudit_password))
         bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
         with open(bootstrap_sql_file, 'w') as f:
             f.write(template)
@@ -731,14 +752,27 @@ def run_mysqld(cluster='existing'):
     db_test_dir = "{0}/mysql".format(mysql_data_dir)
     if os.path.isdir(db_test_dir):
         logger.info("Setting the admin passwords to the current value")
-        template = (
+        if not mysql_dbaudit_username:
-            "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+            template = (
-            "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
-            "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
-            "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
-            "FLUSH PRIVILEGES ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
-            "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                "FLUSH PRIVILEGES ;\n"
-                                mysql_dbsst_username, mysql_dbsst_password))
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password))
+        else:
+            template = (
+                "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+                "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+                "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+                "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+                "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
+                "GRANT SELECT ON mysql.user TO '{4}'@'%' ;\n"
+                "FLUSH PRIVILEGES ;\n"
+                "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+                                    mysql_dbsst_username, mysql_dbsst_password,
+                                    mysql_dbaudit_username, mysql_dbaudit_password))
         bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
         with open(bootstrap_sql_file, 'w') as f:
             f.write(template)

mariadb/templates/secret-dbaudit-password.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_dbaudit_password }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-dbaudit-password
+type: Opaque
+data:
+  MYSQL_DBAUDIT_PASSWORD: {{ .Values.endpoints.oslo_db.auth.audit.password | b64enc }}
+{{- end }}

mariadb/templates/statefulset.yaml

@@ -163,6 +163,15 @@ spec:
                 secretKeyRef:
                   name: mariadb-dbsst-password
                   key: MYSQL_DBSST_PASSWORD
+            {{- if .Values.endpoints.oslo_db.auth.audit.username }}
+            - name: MYSQL_DBAUDIT_USERNAME
+              value: {{ .Values.endpoints.oslo_db.auth.audit.username }}
+            - name: MYSQL_DBAUDIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb-dbaudit-password
+                  key: MYSQL_DBAUDIT_PASSWORD
+            {{- end }}
           ports:
             - name: mysql
               protocol: TCP

mariadb/values.yaml

@@ -462,6 +462,9 @@ endpoints:
       sst:
         username: sst
         password: password
+      audit:
+        username: audit
+        password: password
       exporter:
         username: exporter
         password: password
@@ -532,6 +535,7 @@ manifests:
   pod_test: true
   secret_dbadmin_password: true
   secret_sst_password: true
+  secret_dbaudit_password: true
   secret_etc: true
   service_discovery: true
   service_ingress: true