Implement alternate root privileges

Addresses comments from a previous review
Leave configs in configs!
Cleaned up unit test, removed mock too

Implements: blueprint create-restricted-root-account

Change-Id: I43327c97c7b80dc99a2cfe071562d01f2d0f54a4
This commit is contained in:
daniel-a-nguyen 2013-02-19 13:49:41 -08:00
parent 7f59a904d2
commit 460aa6abde
4 changed files with 182 additions and 2 deletions


@ -48,6 +48,13 @@ reddwarf_auth_url = http://0.0.0.0:5000/v2.0
# Manager impl for the taskmanager
guestagent_manager=reddwarf.guestagent.manager.Manager
# Root configuration
root_grant = ALL
root_grant_option = True
#root_grant = ALTER ROUTINE, CREATE, ALTER, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, CREATE USER, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, SELECT, SHOW DATABASES, SHOW VIEW, TRIGGER, UPDATE, USAGE
#root_grant_option = False
# ============ kombu connection options ========================
rabbit_host=10.0.0.1
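Review bot: The new `# Root configuration` lines do not explain what `root_grant` and `root_grant_option` control, so the commented alternative list reads as leftover rather than as the restricted profile the blueprint name suggests. I would extend the header comment to something like `# Privileges given to the account created by enable-root (comma-separated MySQL privilege names); the commented list below is a restricted alternative to ALL`, and note on `root_grant_option` that ALL together with `True` yields the same authority as the stock root account. Some of the hunk's 13 new-side lines are not shown here, so I am reading only the visible ones.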


@ -91,6 +91,8 @@ common_opts = [
cfg.IntOpt('dns_time_out', default=60 * 2),
cfg.IntOpt('resize_time_out', default=60 * 10),
cfg.IntOpt('revert_time_out', default=60 * 10),
cfg.ListOpt('root_grant', default=['ALL']),
cfg.BoolOpt('root_grant_option', default=True),
]
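Review bot: Both new options are registered without `help=` text, which is the only place an operator reading `--help` or generated sample config learns what the list of privilege names is used for. I would write `cfg.ListOpt('root_grant', default=['ALL'], help='Privileges granted to the enable-root account')` and `cfg.BoolOpt('root_grant_option', default=True, help='Whether the enable-root account may grant its own privileges')`. The `common_opts` list starts outside the hunk, and two of its eight new-side lines are not shown.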


@ -416,8 +416,16 @@ class MySqlAdmin(object):
clear=user.password)
t = text(str(uu))
client.execute(t)
g = query.Grant(permissions="ALL", user=user.name, host=host,
grant_option=True, clear=user.password)
LOG.debug("CONF.root_grant: %s CONF.root_grant_option: %s" %
(CONF.root_grant, CONF.root_grant_option))
g = query.Grant(permissions=CONF.root_grant,
user=user.name,
host=host,
grant_option=CONF.root_grant_option,
clear=user.password)
t = text(str(g))
client.execute(t)
return user.serialize()
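Review bot: The new `LOG.debug` call builds its message eagerly with `%`, so the formatting runs even when debug logging is off; the logging idiom is to pass the arguments through, `LOG.debug("CONF.root_grant: %s CONF.root_grant_option: %s", CONF.root_grant, CONF.root_grant_option)`. On the substance, `CONF.root_grant` now flows from the config file into the GRANT statement that `text(str(g))` executes, and nothing in this hunk validates the privilege names; the tests suggest `query.Grant` sorts and de-duplicates them, but I cannot see whether it rejects unknown names, so a typo in the config would surface only as a SQL error when root is enabled rather than at startup. The enclosing method begins before the hunk, and three of the hunk's added lines are not shown here.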


@ -72,3 +72,166 @@ class QueryTest(testtools.TestCase):
limit_count = 20
myQuery = query.Query(limit=limit_count)
self.assertEqual('LIMIT 20', myQuery._limit)
def test_grant_no_arg_constr(self):
grant = query.Grant()
self.assertIsNotNone(grant)
self.assertEqual("GRANT USAGE ON *.* "
"TO ``@`%` WITH GRANT OPTION;",
str(grant))
def test_grant_all_with_grant_option(self):
permissions = ['ALL']
user_name = 'root'
user_password = 'password123'
host = 'localhost'
# grant_option defaults to True
grant = query.Grant(permissions=permissions,
user=user_name,
host=host,
clear=user_password)
self.assertEqual("GRANT ALL PRIVILEGES ON *.* TO "
"`root`@`localhost` "
"IDENTIFIED BY 'password123' "
"WITH GRANT OPTION;",
str(grant))
def test_grant_all_with_explicit_grant_option(self):
permissions = ['ALL', 'GRANT OPTION']
user_name = 'root'
user_password = 'password123'
host = 'localhost'
grant = query.Grant(permissions=permissions,
user=user_name,
host=host,
clear=user_password)
self.assertEqual("GRANT ALL PRIVILEGES ON *.* TO "
"`root`@`localhost` "
"IDENTIFIED BY 'password123' "
"WITH GRANT OPTION;",
str(grant))
def test_grant_specify_permissions(self):
permissions = ['ALTER ROUTINE',
'CREATE',
'ALTER',
'CREATE ROUTINE',
'CREATE TEMPORARY TABLES',
'CREATE VIEW',
'CREATE USER',
'DELETE',
'DROP',
'EVENT',
'EXECUTE',
'INDEX',
'INSERT',
'LOCK TABLES',
'PROCESS',
'REFERENCES',
'SELECT',
'SHOW DATABASES',
'SHOW VIEW',
'TRIGGER',
'UPDATE',
'USAGE']
user_name = 'root'
user_password = 'password123'
host = 'localhost'
grant = query.Grant(permissions=permissions,
user=user_name,
host=host,
clear=user_password)
self.assertEqual("GRANT ALTER, "
"ALTER ROUTINE, "
"CREATE, "
"CREATE ROUTINE, "
"CREATE TEMPORARY TABLES, "
"CREATE USER, "
"CREATE VIEW, "
"DELETE, "
"DROP, "
"EVENT, "
"EXECUTE, "
"INDEX, "
"INSERT, "
"LOCK TABLES, "
"PROCESS, "
"REFERENCES, "
"SELECT, "
"SHOW DATABASES, "
"SHOW VIEW, "
"TRIGGER, "
"UPDATE, "
"USAGE ON *.* TO "
"`root`@`localhost` "
"IDENTIFIED BY "
"'password123' WITH GRANT OPTION;",
str(grant))
def test_grant_specify_duplicate_permissions(self):
permissions = ['ALTER ROUTINE',
'CREATE',
'CREATE',
'DROP',
'DELETE',
'DELETE',
'ALTER',
'CREATE ROUTINE',
'CREATE TEMPORARY TABLES',
'CREATE VIEW',
'CREATE USER',
'DELETE',
'DROP',
'EVENT',
'EXECUTE',
'INDEX',
'INSERT',
'LOCK TABLES',
'PROCESS',
'REFERENCES',
'SELECT',
'SHOW DATABASES',
'SHOW VIEW',
'TRIGGER',
'UPDATE',
'USAGE']
user_name = 'root'
user_password = 'password123'
host = 'localhost'
grant = query.Grant(permissions=permissions,
user=user_name,
host=host,
clear=user_password)
self.assertEqual("GRANT ALTER, "
"ALTER ROUTINE, "
"CREATE, "
"CREATE ROUTINE, "
"CREATE TEMPORARY TABLES, "
"CREATE USER, "
"CREATE VIEW, "
"DELETE, "
"DROP, "
"EVENT, "
"EXECUTE, "
"INDEX, "
"INSERT, "
"LOCK TABLES, "
"PROCESS, "
"REFERENCES, "
"SELECT, "
"SHOW DATABASES, "
"SHOW VIEW, "
"TRIGGER, "
"UPDATE, "
"USAGE ON *.* TO "
"`root`@`localhost` "
"IDENTIFIED BY "
"'password123' WITH GRANT OPTION;",
str(grant))
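Review bot: No test covers `grant_option=False`, even though the config hunk exposes `root_grant_option = False` as the restricted setting; every assertion here ends in `WITH GRANT OPTION;`, so the branch that omits it is unverified. I would add a case constructing `query.Grant(permissions=['SELECT'], user=user_name, host=host, grant_option=False, clear=user_password)` and asserting the statement ends with `IDENTIFIED BY 'password123';`. As a point of style, `test_grant_specify_permissions` and `test_grant_specify_duplicate_permissions` repeat the same 22-item list and 26-line expected string; hoisting both into module-level constants would make the duplicate-handling test show only what differs. The `QueryTest` class starts outside the hunk, and some blank new-side lines are not shown.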