Added support X.509 auth between MySQL and Cinder
Related-PROD: PROD-22519
Change-Id: I8bd2cc6f6180e0e58a66c6c23ee49977173f9d7d
diff --git a/README.rst b/README.rst
index 78293f9..555ef91 100644
--- a/README.rst
+++ b/README.rst
@@ -762,8 +762,40 @@
ossyslog:
enabled: true
-**Documentation and bugs**
+Enable x509 and ssl communication between Cinder and Galera cluster.
+---------------------
+By default communication between Cinder and Galera is unsecure.
+You able to set custom certificates in pillar:
+controller:
+ database:
+ x509:
+ enabled: True
+
+volume:
+ database:
+ x509:
+ enabled: True
+
+cinder:
+ controller:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+ volume:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
+**Documentation and bugs**
+======================
* http://salt-formulas.readthedocs.io/
Learn how to install and update salt-formulas
diff --git a/cinder/_ssl/controller-mysql.sls b/cinder/_ssl/controller-mysql.sls
new file mode 100644
index 0000000..9a542e8
--- /dev/null
+++ b/cinder/_ssl/controller-mysql.sls
@@ -0,0 +1,77 @@
+{% from "cinder/map.jinja" import controller with context %}
+
+cinder_controller_ssl_mysql:
+ test.show_notification:
+ - text: "Running cinder._ssl.controller-mysql"
+
+{%- if controller.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=controller.database.x509.ca_file %}
+ {%- set key_file=controller.database.x509.key_file %}
+ {%- set cert_file=controller.database.x509.cert_file %}
+
+mysql_cinder_controller_ssl_x509_ca:
+ {%- if controller.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: cinder:controller:database:x509:cacert
+ - mode: 444
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_cinder_controller_client_ssl_cert:
+ {%- if controller.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: cinder:controller:database:x509:cert
+ - mode: 440
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_cinder_controller_client_ssl_private_key:
+ {%- if controller.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: cinder:controller:database:x509:key
+ - mode: 400
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_cinder_controller_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: cinder
+ - group: cinder
+
+{% elif controller.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_cinder_controller:
+ {%- if controller.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ controller.database.ssl.cacert_file }}
+ - contents_pillar: cinder:controller:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/cinder/_ssl/volume-mysql.sls b/cinder/_ssl/volume-mysql.sls
new file mode 100644
index 0000000..3038217
--- /dev/null
+++ b/cinder/_ssl/volume-mysql.sls
@@ -0,0 +1,77 @@
+{% from "cinder/map.jinja" import volume with context %}
+
+cinder_volume_ssl_mysql:
+ test.show_notification:
+ - text: "Running cinder._ssl.volume-mysql"
+
+{%- if volume.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=volume.database.x509.ca_file %}
+ {%- set key_file=volume.database.x509.key_file %}
+ {%- set cert_file=volume.database.x509.cert_file %}
+
+mysql_cinder_volume_ssl_x509_ca:
+ {%- if volume.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: cinder:volume:database:x509:cacert
+ - mode: 444
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_cinder_volume_client_ssl_cert:
+ {%- if volume.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: cinder:volume:database:x509:cert
+ - mode: 440
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_cinder_volume_client_ssl_private_key:
+ {%- if volume.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: cinder:volume:database:x509:key
+ - mode: 400
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_cinder_volume_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: cinder
+ - group: cinder
+
+{% elif volume.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_cinder_volume:
+ {%- if volume.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ volume.database.ssl.cacert_file }}
+ - contents_pillar: cinder:volume:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/cinder/controller.sls b/cinder/controller.sls
index eefae34..2492a43 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -1,11 +1,13 @@
{%- from "cinder/map.jinja" import controller with context %}
+
{%- if controller.get('enabled', False) %}
include:
{%- if controller.version not in ['mitaka','newton'] %}
- - apache
+ - apache
{%- endif %}
- - cinder.db.offline_sync
+ - cinder.db.offline_sync
+ - cinder._ssl.controller-mysql
{%- set user = controller %}
{%- include "cinder/user.sls" %}
@@ -29,6 +31,7 @@
- group: cinder
- require:
- pkg: cinder_controller_packages
+ - sls: cinder._ssl.controller-mysql
- require_in:
- sls: cinder.db.offline_sync
@@ -40,6 +43,7 @@
- group: cinder
- require:
- pkg: cinder_controller_packages
+ - sls: cinder._ssl.controller-mysql
- require_in:
- sls: cinder.db.offline_sync
@@ -95,6 +99,7 @@
_data: {{ controller.logging }}
- require:
- pkg: cinder_controller_packages
+ - sls: cinder._ssl.controller-mysql
- require_in:
- sls: cinder.db.offline_sync
{%- if controller.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -223,13 +228,11 @@
- pkg: cinder_controller_packages
- service: cinder_api_service_dead
- sls: cinder.db.offline_sync
+ - sls: cinder._ssl.controller-mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
{%- endif %}
- {%- if controller.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_cinder_controller
- {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
- cinder_apache_conf_file
@@ -247,13 +250,11 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
+ - sls: cinder._ssl.controller-mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
{%- endif %}
- {%- if controller.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_cinder_controller
- {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -281,13 +282,11 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
+ - sls: cinder._ssl.controller-mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
{%- endif %}
- {%- if controller.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_cinder_controller
- {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -407,19 +406,4 @@
{%- endif %}
{%- endif %}
-{%- if controller.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_cinder_controller:
-{%- if controller.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ controller.database.ssl.cacert_file }}
- - contents_pillar: cinder:controller:database:ssl:cacert
- - mode: 0444
- - makedirs: true
-
-{%- else %}
- file.exists:
- - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
-{%- endif %}
-{%- endif %}
-
{%- endif %}
diff --git a/cinder/files/pike/cinder.conf.controller.Debian b/cinder/files/pike/cinder.conf.controller.Debian
index 528c2a3..4a5ead5 100644
--- a/cinder/files/pike/cinder.conf.controller.Debian
+++ b/cinder/files/pike/cinder.conf.controller.Debian
@@ -1,5 +1,12 @@
{%- from "cinder/map.jinja" import controller with context %}
+{%- set connection_x509_ssl_option = '' %}
+{%- if controller.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ controller.database.x509.ca_file ~ '&ssl_cert=' ~ controller.database.x509.cert_file ~ '&ssl_key=' ~ controller.database.x509.key_file %}
+{%- elif controller.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ controller.database.ssl.get('cacert_file', controller.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
api_paste_confg = /etc/cinder/api-paste.ini
@@ -203,7 +210,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
{%- if controller.backend is defined %}
diff --git a/cinder/files/pike/cinder.conf.volume.Debian b/cinder/files/pike/cinder.conf.volume.Debian
index c4dee4e..c88948b 100644
--- a/cinder/files/pike/cinder.conf.volume.Debian
+++ b/cinder/files/pike/cinder.conf.volume.Debian
@@ -1,5 +1,12 @@
{%- from "cinder/map.jinja" import volume with context %}
+{%- set connection_x509_ssl_option = '' %}
+{%- if volume.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ volume.database.x509.ca_file ~ '&ssl_cert=' ~ volume.database.x509.cert_file ~ '&ssl_key=' ~ volume.database.x509.key_file %}
+{%- elif volume.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ volume.database.ssl.get('cacert_file', volume.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
rootwrap_config = /etc/cinder/rootwrap.conf
api_paste_confg = /etc/cinder/api-paste.ini
@@ -189,7 +196,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}{% endif %}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
{%- if volume.backend is defined %}
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 396b03e..080466f 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -1,6 +1,10 @@
{%- from "cinder/map.jinja" import volume with context %}
+
{%- if volume.enabled %}
+include:
+ - cinder._ssl.volume-mysql
+
{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
{%- set user = volume %}
{%- include "cinder/user.sls" %}
@@ -34,20 +38,6 @@
{%- endif %}
{%- endif %}
-{%- if volume.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_cinder_volume:
-{%- if volume.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ volume.database.ssl.cacert_file }}
- - contents_pillar: cinder:volume:database:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ volume.database.ssl.get('cacert_file', volume.cacert_file) }}
-{%- endif %}
-{%- endif %}
-
{%- set cinder_log_services = volume.services %}
{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
@@ -60,6 +50,7 @@
- user: root
- group: cinder
- require:
+ - sls: cinder._ssl.volume-mysql
- pkg: cinder_volume_packages
/etc/cinder/api-paste.ini:
@@ -88,13 +79,12 @@
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
+ - require:
+ - sls: cinder._ssl.volume-mysql
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume
{%- endif %}
- {%- if volume.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_cinder_volume
- {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -168,13 +158,12 @@
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
+ - require:
+ - sls: cinder._ssl.volume-mysql
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume
{%- endif %}
- {%- if volume.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_cinder_volume
- {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini