[Update]Implement X.509 auth for MySQL and Aodh
* Fixed requirement
* Some cosmetic change
* Kitchen pillars updated
Change-Id: I86db107abd8df40529d0097db0d1fed46b4d5605
Related-PROD: PROD-22742
diff --git a/.kitchen.yml b/.kitchen.yml
index 8b58d71..44ccfb7 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -34,8 +34,30 @@
identity:
protocol: https
database:
+ x509:
+ enabled: True
+ ca_file: /etc/aodh/ssl/mysql/ca-cert.pem
+ key_file: /etc/aodh/ssl/mysql/client-key.pem
+ cert_file: /etc/aodh/ssl/mysql/client-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
+ -----END RSA PRIVATE KEY-----
ssl:
enabled: True
+ cacert_file: /etc/aodh/ssl/mysql/ca-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
message_queue:
port: 5671
ssl:
diff --git a/README.rst b/README.rst
index 3a69669..c0816e5 100644
--- a/README.rst
+++ b/README.rst
@@ -99,6 +99,29 @@
ossyslog:
enabled: true
+Enable x509 and ssl communication between Aodh and Galera cluster.
+---------------------
+By default communication between Aodh and Galera is unsecure.
+
+aodh:
+ server:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+aodh:
+ server:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Development and testing
=======================
diff --git a/aodh/_ssl/mysql.sls b/aodh/_ssl/mysql.sls
new file mode 100644
index 0000000..4585513
--- /dev/null
+++ b/aodh/_ssl/mysql.sls
@@ -0,0 +1,97 @@
+{%- from "aodh/map.jinja" import server with context %}
+
+aodh_ssl_mysql:
+ test.show_notification:
+ - text: "Running aodh._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_aodh_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: aodh:server:database:x509:cacert
+ - mode: 444
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_aodh_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: aodh:server:database:x509:cert
+ - mode: 440
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+ {%- endif %}
+
+mysql_aodh_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: aodh:server:database:x509:key
+ - mode: 400
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_aodh_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: aodh
+ - group: aodh
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_aodh:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: aodh:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/aodh/files/pike/aodh.conf.Debian b/aodh/files/pike/aodh.conf.Debian
index 5e8b0f0..d45a10b 100644
--- a/aodh/files/pike/aodh.conf.Debian
+++ b/aodh/files/pike/aodh.conf.Debian
@@ -1,4 +1,12 @@
{%- from "aodh/map.jinja" import server with context -%}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
#
@@ -522,7 +530,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
{%- set _db_engine = server.database.engine if '+' in server.database.engine else server.database.engine ~ '+pymysql' %}
-connection = {{ _db_engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ _db_engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/aodh/server.sls b/aodh/server.sls
index f1b8c83..36e84d7 100644
--- a/aodh/server.sls
+++ b/aodh/server.sls
@@ -1,11 +1,18 @@
{%- from "aodh/map.jinja" import server with context %}
+
{%- if server.enabled %}
+
# Exclude unsupported openstack versions
{%- if server.version not in ['liberty', 'juno', 'kilo'] %}
+include:
+ - aodh._ssl.mysql
+
aodh_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
+ - require_in:
+ - sls: aodh._ssl.mysql
/etc/aodh/aodh.conf:
file.managed:
@@ -15,6 +22,7 @@
- group: aodh
- require:
- pkg: aodh_server_packages
+ - sls: aodh._ssl.mysql
{% for service_name in server.services %}
{{ service_name }}_default:
@@ -186,32 +194,6 @@
{%- endif %}
{%- endif %}
-
-{%- if server.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_aodh_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: aodh:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- - require_in:
- - file: /etc/aodh/aodh.conf
- - watch_in:
- - aodh_server_services
- - aodh_apache_restart
-
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - require_in:
- - file: /etc/aodh/aodh.conf
- - watch_in:
- - aodh_server_services
- - aodh_apache_restart
-{%- endif %}
-{%- endif %}
-
{%- endif %}
aodh_server_services: