commit 553deba43b4651a6cb6037e5c347cc31b582a0ea
author Oleksandr Shyshko <oshyshko@mirantis.com> Thu Sep 06 19:03:55 2018 +0300
committer Oleksandr Shyshko <oshyshko@mirantis.com> Thu Sep 06 19:05:02 2018 +0300
tree f5dc494427c3c1550c7007732b617896f3938f54
parent acb9c0b2c8eedab281131e4ca693e7bb41ec6713

[REFACTOR] Implement X.509 auth for MySQL and Glance

Related-PROD: PROD-22745

Change-Id: I31f37af73940763408539e93afa8bfaf50ccaa47

glance/_ssl/mysql.sls

diff --git a/glance/_ssl/mysql.sls b/glance/_ssl/mysql.sls
index ab26c46..16a4c7c 100644
--- a/glance/_ssl/mysql.sls
+++ b/glance/_ssl/mysql.sls
@@ -1,5 +1,9 @@
 {%- from "glance/map.jinja" import server with context %}
 
+glance_ssl_mysql:
+  test.show_notification:
+    - text: "Running glance._ssl.mysql"
+
 {%- if server.database.get('x509',{}).get('enabled',False) %}
 
   {%- set ca_file=server.database.x509.ca_file %}
@@ -12,6 +16,8 @@
     - name: {{ ca_file }}
     - contents_pillar: glance:server:database:x509:cacert
     - mode: 444
+    - user: glance
+    - group: glance
     - makedirs: true
   {%- else %}
   file.exists:
@@ -24,6 +30,8 @@
     - name: {{ cert_file }}
     - contents_pillar: glance:server:database:x509:cert
     - mode: 440
+    - user: glance
+    - group: glance
     - makedirs: true
   {%- else %}
   file.exists:
@@ -36,12 +44,23 @@
     - name: {{ key_file }}
     - contents_pillar: glance:server:database:x509:key
     - mode: 400
+    - user: glance
+    - group: glance
     - makedirs: true
   {%- else %}
   file.exists:
     - name: {{ key_file }}
   {%- endif %}
 
+mysql_glance_ssl_x509_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: glance
+    - group: glance
+
 {% elif server.database.get('ssl',{}).get('enabled',False) %}
 mysql_ca_glance:
   {%- if server.database.ssl.cacert is defined %}

glance/server.sls

diff --git a/glance/server.sls b/glance/server.sls
index 0456c62..214acff 100644
--- a/glance/server.sls
+++ b/glance/server.sls
@@ -2,13 +2,9 @@
 
 {%- if server.enabled %}
 
-{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
-
 include:
   - glance.db.offline_sync
-  {%- if mysql_x509_ssl_enabled %}
   - glance._ssl.mysql
-  {%- endif %}
 
 glance_packages:
   pkg.installed:
@@ -59,6 +55,7 @@
   - group: glance
   - require:
     - pkg: glance_packages
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -70,6 +67,7 @@
   - group: glance
   - require:
     - pkg: glance_packages
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -81,6 +79,7 @@
   - group: glance
   - require:
     - pkg: glance_packages
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -92,6 +91,7 @@
   - group: glance
   - require:
     - pkg: glance_packages
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -110,6 +110,7 @@
   - require:
     - pkg: glance_packages
     - pkg: glance_glare_package
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -122,6 +123,7 @@
   - require:
     - pkg: glance_packages
     - pkg: glance_glare_package
+    - sls: glance._ssl.mysql
   - require_in:
     - sls: glance.db.offline_sync
 
@@ -133,9 +135,7 @@
   - name: glance-glare
   - require:
     - sls: glance.db.offline_sync
-    {%- if mysql_x509_ssl_enabled %}
     - sls: glance._ssl.mysql
-    {%- endif %}
   - watch:
     - file: /etc/glance/glance-glare.conf
     {%- if server.message_queue.get('ssl',{}).get('enabled',False) %}
@@ -255,9 +255,7 @@
   - names: {{ server.services }}
   - require:
     - sls: glance.db.offline_sync
-    {%- if mysql_x509_ssl_enabled %}
     - sls: glance._ssl.mysql
-    {%- endif %}
   - watch:
     - file: /etc/glance/glance-api.conf
     - file: /etc/glance/glance-registry.conf