Improve MySQL Galera password handling - use dedicated, non-root credentials

Prod related PROD-23926 (PROD:23926)

Change-Id: I1c09b54e22ac274336597fff6582a5b997f13ea4
diff --git a/README.rst b/README.rst
index 788e908..3e44619 100644
--- a/README.rst
+++ b/README.rst
@@ -33,6 +33,9 @@
         admin:
           user: root
           password: pass
+        sst:
+          user: sstuser
+          password: sstpassword
         database:
           name:
             encoding: 'utf8'
@@ -62,6 +65,10 @@
         admin:
           user: root
           password: pass
+        sst:
+          user: sstuser
+          password: sstpassword
+
 
 Enable TLS support:
 
diff --git a/galera/files/my.cnf b/galera/files/my.cnf
index 65d67f7..9700854 100644
--- a/galera/files/my.cnf
+++ b/galera/files/my.cnf
@@ -72,7 +72,7 @@
 
 wsrep_slave_threads={{ service.wsrep_slave_threads if service.wsrep_slave_threads != 0 else threads_default }}
 wsrep_sst_method=xtrabackup-v2
-wsrep_sst_auth={{ service.admin.user }}:{{ service.admin.password }}
+wsrep_sst_auth={{ service.sst.get('user', service.admin.user) }}:{{ service.sst.get('password', service.admin.password) }}
 wsrep_node_address={{ service.bind.address }}
 wsrep_provider_options="gcache.size = 256M"
 wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
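Review bot: The new wsrep_sst_auth line guards against a missing `user`/`password` key with `.get(...)`, but not against a missing `sst` mapping itself; `service.sst` on a pillar that has no `sst` section (which the fallback defaults suggest is meant to be supported) is an undefined attribute, and with Salt's strict-undefined Jinja environment that is a render error rather than a fallback to the admin account, as far as I know. Look up the mapping with a default as well: `wsrep_sst_auth={{ service.get('sst', {}).get('user', service.admin.user) }}:{{ service.get('sst', {}).get('password', service.admin.password) }}`. Note also that the two halves fall back independently, so a pillar that sets only `sst.password` renders `root:<sst password>`; falling back as a pair would be safer. The same pattern is repeated in my.cnf.container (both the wsrep_sst_auth line and the `[xtrabackup]` user/password lines) and in my.cnf.init.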
diff --git a/galera/files/my.cnf.container b/galera/files/my.cnf.container
index 2c5f7f1..d137a83 100644
--- a/galera/files/my.cnf.container
+++ b/galera/files/my.cnf.container
@@ -71,12 +71,12 @@
 wsrep_drupal_282555_workaround=0
 wsrep_causal_reads=0
 wsrep_sst_method=xtrabackup
-wsrep_sst_auth={{ service.admin.user }}:{{ service.admin.password }}
+wsrep_sst_auth={{ service.sst.get('user', service.admin.user) }}:{{ service.sst.get('password', service.admin.password) }}
 
 [MYSQL]
 socket=/var/lib/mysql/mysql.sock
 
 [xtrabackup]
 parallel={{ service.get('xtrabackup_parallel', 4) }}
-user={{ service.admin.user }}
-password={{ service.admin.password }}
+user={{ service.sst.get('user', service.admin.user) }}
+password={{ service.sst.get('password', service.admin.password) }}
diff --git a/galera/files/my.cnf.init b/galera/files/my.cnf.init
index b05584a..23fd701 100644
--- a/galera/files/my.cnf.init
+++ b/galera/files/my.cnf.init
@@ -59,7 +59,7 @@
 
 wsrep_slave_threads={{ service.get('wsrep_slave_threads', 8) }}
 wsrep_sst_method=xtrabackup-v2
-wsrep_sst_auth={{ service.admin.user }}:{{ service.admin.password }}
+wsrep_sst_auth={{ service.sst.get('user', service.admin.user) }}:{{ service.sst.get('password', service.admin.password) }}
 wsrep_node_address={{ service.bind.address }}
 wsrep_provider_options="gcache.size = 256M"
 wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 38c23c4..e66c3ae 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -8,6 +8,8 @@
     galera_server_bind_address: ${_param:cluster_local_address}
     galera_server_bind_port: 3306
     galera_server_admin_user: root
+    galera_server_sst_user: sstuser
+    galera_server_sst_password: ${_param:galera_server_admin_password}
     galera_max_connections: 20000
     galera_innodb_buffer_pool_size: 3138M
     galera_innodb_read_io_threads: 0
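Review bot: `galera_server_sst_password` defaults to `${_param:galera_server_admin_password}`, so out of the box the new sstuser account (granted at the bottom of this file) shares the root password, and that password is then written into wsrep_sst_auth and the `[xtrabackup]` section of my.cnf under the dedicated user's name; the separation this change introduces is in grants only, not in secrets. Either leave `galera_server_sst_password` without a default so a deployment must supply a distinct value, or document in README that the default reuses the admin password and should be overridden. The same default is repeated in container.yml, single.yml and slave/cluster.yml.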
@@ -27,6 +29,9 @@
       admin:
         user: ${_param:galera_server_admin_user}
         password: ${_param:galera_server_admin_password}
+      sst:
+        user: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
       members:
       - host: ${_param:cluster_node01_address}
         port: 4567
@@ -51,3 +56,12 @@
         host: '%'
       - name: haproxy
         host: ${_param:cluster_local_address}
+      - name: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
+        host: localhost
+        database: '*.*'
+        grants:
+          - PROCESS
+          - RELOAD
+          - LOCK TABLES
+          - REPLICATION CLIENT
diff --git a/metadata/service/master/container.yml b/metadata/service/master/container.yml
index f4957a6..9711b48 100644
--- a/metadata/service/master/container.yml
+++ b/metadata/service/master/container.yml
@@ -3,6 +3,8 @@
     galera_server_cluster_name: galeracluster
     galera_server_bind_port: 3306
     galera_server_admin_user: root
+    galera_server_sst_user: sstuser
+    galera_server_sst_password: ${_param:galera_server_admin_password}
     galera_max_connections: 20000
     galera_innodb_buffer_pool_size: 3138M
     galera_innodb_read_io_threads: 8
@@ -29,6 +31,9 @@
                 admin:
                   user: ${_param:galera_server_admin_user}
                   password: ${_param:galera_server_admin_password}
+                sst:
+                  user: ${_param:galera_server_sst_user}
+                  password: ${_param:galera_server_sst_password}
                 members:
                 - host: ${_param:mysql_service_host01}
                   port: 4567
@@ -51,3 +56,12 @@
                   host: localhost
                 - name: haproxy
                   host: '%'
+                - name: ${_param:galera_server_sst_user}
+                  password: ${_param:galera_server_sst_password}
+                  host: localhost
+                  database: '*.*'
+                  grants:
+                    - PROCESS
+                    - RELOAD
+                    - LOCK TABLES
+                    - REPLICATION CLIENT
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 7ac04d9..fc5ca23 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -8,6 +8,8 @@
     galera_server_bind_address: ${_param:single_address}
     galera_server_bind_port: 3306
     galera_server_admin_user: root
+    galera_server_sst_user: sstuser
+    galera_server_sst_password: ${_param:galera_server_admin_password}
     galera_max_connections: 20000
     galera_innodb_buffer_pool_size: 3138M
     galera_error_log_enabled: true
@@ -27,6 +29,9 @@
       admin:
         user: ${_param:galera_server_admin_user}
         password: ${_param:galera_server_admin_password}
+      sst:
+        user: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
       members:
       - host: ${_param:single_address}
         port: 4567
@@ -47,3 +52,12 @@
         host: '%'
       - name: haproxy
         host: ${_param:single_address}
+      - name: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
+        host: localhost
+        database: '*.*'
+        grants:
+          - PROCESS
+          - RELOAD
+          - LOCK TABLES
+          - REPLICATION CLIENT
diff --git a/metadata/service/slave/cluster.yml b/metadata/service/slave/cluster.yml
index 92ee133..a4c7133 100644
--- a/metadata/service/slave/cluster.yml
+++ b/metadata/service/slave/cluster.yml
@@ -8,6 +8,8 @@
     galera_server_bind_address: ${_param:cluster_local_address}
     galera_server_bind_port: 3306
     galera_server_admin_user: root
+    galera_server_sst_user: sstuser
+    galera_server_sst_password: ${_param:galera_server_admin_password}
     galera_max_connections: 20000
     galera_innodb_buffer_pool_size: 3138M
     galera_innodb_read_io_threads: 0
@@ -27,6 +29,9 @@
       admin:
         user: ${_param:galera_server_admin_user}
         password: ${_param:galera_server_admin_password}
+      sst_user:
+        user: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
       members:
       - host: ${_param:cluster_node01_address}
         port: 4567
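Review bot: The key added here is `sst_user:`, while the my.cnf templates read `service.sst` and the master cluster.yml, container.yml and single.yml hunks all add `sst:`; slave cluster nodes will therefore not pick up the dedicated SST credentials (rendering fails or falls back to the admin account, depending on undefined handling). Rename it to `sst:` so the slave metadata matches the other three files and the templates.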
@@ -51,3 +56,12 @@
         host: '%'
       - name: haproxy
         host: ${_param:cluster_local_address}
+      - name: ${_param:galera_server_sst_user}
+        password: ${_param:galera_server_sst_password}
+        host: localhost
+        database: '*.*'
+        grants:
+          - PROCESS
+          - RELOAD
+          - LOCK TABLES
+          - REPLICATION CLIENT
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index 66bd3ef..a3e5566 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -147,6 +147,9 @@
     admin:
       user: root
       password: password
+    sst:
+      user: sstuser
+      password: sstpassword
     members:
     - host: 127.0.0.1
       port: 4567
@@ -212,3 +215,12 @@
           grant_option: True
           grants:
           - all privileges
+    - name: sstuser
+      password: sstpassword
+      host: localhost
+      database: '*.*'
+      grants:
+        - PROCESS
+        - RELOAD
+        - LOCK TABLES
+        - REPLICATION CLIENT
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index ec2dfee..909dbe9 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -9,6 +9,9 @@
     admin:
       user: root
       password: password
+    sst:
+      user: sstuser
+      password: sstpassword
     members:
     - host: 127.0.0.1
       port: 4567
@@ -45,3 +48,12 @@
           grant_option: True
           grants:
           - all privileges
+    - name: sstuser
+      password: sstpassword
+      host: localhost
+      database: '*.*'
+      grants:
+        - PROCESS
+        - RELOAD
+        - LOCK TABLES
+        - REPLICATION CLIENT
diff --git a/tests/pillar/slave_cluster.sls b/tests/pillar/slave_cluster.sls
index 390f09b..458f09a 100644
--- a/tests/pillar/slave_cluster.sls
+++ b/tests/pillar/slave_cluster.sls
@@ -147,6 +147,9 @@
     admin:
       user: root
       password: password
+    sst:
+      user: sstuser
+      password: sstpassword
     members:
     - host: 127.0.0.1
       port: 4567
@@ -182,3 +185,12 @@
       password: password
       database: '*.*'
       grants: PROCESS
+    - name: sstuser
+      password: sstpassword
+      host: localhost
+      database: '*.*'
+      grants:
+        - PROCESS
+        - RELOAD
+        - LOCK TABLES
+        - REPLICATION CLIENT