Bug 1467964 - MySQL Openstack service user restriction
MySQL Openstack service user restriction
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director (Show other bugs)
10.0 (Newton)
Unspecified Unspecified
high Severity high
: ---
: 12.0 (Pike)
Assigned To: Michael Bayer
Udi Shkalim
: FutureFeature, Reopened, ZStream
Depends On: 1489007
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-05 12:05 EDT by Sid Ahmed Sadouni
Modified: 2018-05-16 15:06 EDT (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1491135 (view as bug list)
Environment:
Last Closed: 2018-01-31 16:09:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
moves openstack services to talk to a local haproxy -> galera server (4.28 KB, application/x-shellscript)
2017-07-31 16:50 EDT, Michael Bayer
no flags Details
account_per_controller.sh, skips services that aren't DB configured (4.32 KB, application/x-shellscript)
2017-08-01 17:21 EDT, Michael Bayer
no flags Details
account_per_controller.sh, writes entries to a per-controller cnf file (8.10 KB, application/x-shellscript)
2017-08-02 18:26 EDT, Michael Bayer
no flags Details
sample_output.txt from controller 2 (20.44 KB, text/plain)
2017-08-02 18:31 EDT, Michael Bayer
no flags Details
sample account_per_controller.cnf file (1.26 KB, text/plain)
2017-08-02 18:35 EDT, Michael Bayer
no flags Details
account_per_controller.sh, writes entries to a per-controller cnf file (8.59 KB, application/x-shellscript)
2017-09-01 11:50 EDT, Michael Bayer
no flags Details

  None (edit)
Description Sid Ahmed Sadouni 2017-07-05 12:05:01 EDT
We have an important customer who wants to :

- create a mysql user for each openstack component and each openstack controller node. 
ie : neutron[1..3], cinder[1..3], nova etc.
- Restrict the origin (ip address) of connection for each mysql user according to the openstack node from where this account is used.

This is a restriction from ANSSI (french security agency).

Is it something "doable", but more than "doable" don't you think that this may break lifecycle. As this is not a PoC but will be in production.
Comment 2 Emilien Macchi 2017-07-05 13:22:27 EDT
I haven't tried it but I think we would need to change <service_name>::db::mysql::allowed_hosts to use a list of IPs where the service is running instead of mysql_bind_host value.

I'm assigning the BZ to PIDONE for now as it's purely how we configure MySQL resources. Let me know if you need help from DFG:DF.
Comment 8 Michael Bayer 2017-07-31 16:50 EDT
Created attachment 1307247 [details]
moves openstack services to talk to a local haproxy -> galera server

I've tested this once so far and will be running it a few more times on some tripleo deployments to learn more about it.
Comment 9 Michael Bayer 2017-08-01 17:21 EDT
Created attachment 1307808 [details]
account_per_controller.sh, skips services that aren't DB configured
Comment 13 Michael Bayer 2017-08-02 18:26 EDT
Created attachment 1308526 [details]
account_per_controller.sh, writes entries to a per-controller cnf file

the latest, which uses the approach of writing out usernames, passwords, and ip numbers to /etc/my.cnf.d/account_per_controller.cnf.  The URLs inside of each openstack .conf file now name only the database name and the name of an entry inside of account_per_controller.cnf.  This makes the URLs in the openstack conf files controller-agnostic, and safe for storage in the database itself where they can be consumed by any controller; the local controller then provides context to the URL that contains controller-specific usernames and passwords.   This is not unlike the idea of using datasource names (DSNs) as in ODBC.

The usernames are also themselves numbered from the controller itself, e.g. openstack-controller-0 would grant nova0, keystone0, etc.
Comment 14 Michael Bayer 2017-08-02 18:31 EDT
Created attachment 1308527 [details]
sample_output.txt from controller 2

this is a test run from controller2.  The lines with plus signs show when it is making changes to things.  Note that you don't see the DROP USER commands here because they were already run on controller0, and most of the work in this particular run is adding new "<username>2" user accounts, e.g. nova2, nova_api2, neutron2, etc. as well as the entries to account_per_controller.cnf local to controller2.

The script has many checks for if it's been run already and needs to only refresh things, or if parts of its work are already done, etc.    The yum install of openstack-utils gives us the openstack-config command, which is a front-end to a tool called crudini which allows us to read and write ini files.
Comment 15 Michael Bayer 2017-08-02 18:35 EDT
Created attachment 1308528 [details]
sample account_per_controller.cnf file

this is a sample of the .cnf file itself which contains an entry for every distinct openstack-service mysql username encountered in the overcloud, and within it defines controller-local aspects including a new username, password, and the local ip number with port 3307, which will refer to the local haproxy service.   The use of this file replaces the use of the tripleo.cnf file, which was added in ocata to implement the "bind_address" setting in a controller-agnostic way.  This bind_address is replicated in the new account_per_controller.sh file; however note that it isn't actually necessary in this configuration, since the purpose of the bind_address was to allow the TCP connection to close properly when pacemaker moves the galera VIP around; however we're no longer using a galera VIP so this is no longer needed.
Comment 17 Michael Bayer 2017-09-01 11:50 EDT
Created attachment 1321013 [details]
account_per_controller.sh, writes entries to a per-controller cnf file

does a curl download of the openstack-config app and runs directly from the python command, rather than installing from any repos.  checks for URLs that aren't MySQL (like mongodb) and skips.
Comment 34 Chris Jones 2018-01-31 16:09:16 EST
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.

Note You need to log in before you can comment on or make changes to this bug.