Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / gnocchi / 0cb9d459d88dafcfdc0e5d24d854de34f4bf268d^! / .
commit0cb9d459d88dafcfdc0e5d24d854de34f4bf268d[log] [tgz]
authorOleksandr Shyshko <oshyshko@mirantis.com>Tue Sep 11 17:27:20 2018 +0300
committeroshyshko <oshyshko@mirantis.com>Thu Sep 13 09:17:34 2018 +0000
tree396c6c533d594824446d5d032d87abda311ac982
parent6268d99cf69996b16435da2361f0732b6b5e214b [diff]
Implement X.509 auth for MySQL and Gnocchi

Change-Id: Icad89455b796d5c5546758b403ea9a6dacc2333f
Related-PROD: PROD-22746

diff --git a/README.rst b/README.rst
index 4d06135..0549f84 100644
--- a/README.rst
+++ b/README.rst

@@ -290,6 +290,28 @@
       log_dir: /var/log/gnocchi
       log_file: gnocchi.log
 
+Enable x509 and ssl communication between Gnocchi and Galera cluster.
+---------------------
+By default communication between Gnocchi and Galera is unsecure.
+
+gnocchi:
+  common:
+    database:
+      x509:
+        enabled: True
+
+You able to set custom certificates in pillar:
+
+gnocchi:
+  common:
+    database:
+      x509:
+        cacert: (certificate content)
+        cert: (certificate content)
+        key: (certificate content)
+
+You can read more about it here:
+    https://docs.openstack.org/security-guide/databases/database-access-control.html
 
 More Information
 ================

diff --git a/gnocchi/_common.sls b/gnocchi/_common.sls
index e9477b3..e8413e3 100644
--- a/gnocchi/_common.sls
+++ b/gnocchi/_common.sls

@@ -1,8 +1,13 @@
 {%- from "gnocchi/map.jinja" import cfg with context %}
 
+include:
+  - gnocchi._ssl.mysql
+
 gnocchi_common.pkgs:
   pkg.installed:
     - name: 'gnocchi-common'
+    - require_in:
+      - sls: gnocchi._ssl.mysql
 
 gnocchi_common_conf:
   file.managed:
@@ -11,17 +16,4 @@
   - template: jinja
   - require:
     - pkg: gnocchi_common.pkgs
-
-{%- if cfg.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_gnocchi_file:
-{%- if cfg.database.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ cfg.databse.ssl.cacert_file }}
-    - contents_pillar: cfg.database:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-{%- else %}
-  file.exists:
-   - name: {{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}
-{%- endif %}
-{%- endif %}
\ No newline at end of file
+    - sls: gnocchi._ssl.mysql

diff --git a/gnocchi/_ssl/mysql.sls b/gnocchi/_ssl/mysql.sls
new file mode 100644
index 0000000..dd82806
--- /dev/null
+++ b/gnocchi/_ssl/mysql.sls

@@ -0,0 +1,77 @@
+{% from "gnocchi/map.jinja" import cfg with context %}
+
+gnocchi_ssl_mysql:
+  test.show_notification:
+    - text: "Running gnocchi._ssl.mysql"
+
+{%- if cfg.database.get('x509',{}).get('enabled',False) %}
+
+  {%- set ca_file=cfg.database.x509.ca_file %}
+  {%- set key_file=cfg.database.x509.key_file %}
+  {%- set cert_file=cfg.database.x509.cert_file %}
+
+mysql_gnocchi_ssl_x509_ca:
+  {%- if cfg.database.x509.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: cfg.database:x509:cacert
+    - mode: 444
+    - user: gnocchi
+    - group: gnocchi
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ ca_file }}
+  {%- endif %}
+
+mysql_gnocchi_client_ssl_cert:
+  {%- if cfg.database.x509.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: cfg.database:x509:cert
+    - mode: 440
+    - user: gnocchi
+    - group: gnocchi
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ cert_file }}
+  {%- endif %}
+
+mysql_gnocchi_client_ssl_private_key:
+  {%- if cfg.database.x509.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: cfg.database:x509:key
+    - mode: 400
+    - user: gnocchi
+    - group: gnocchi
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ key_file }}
+  {%- endif %}
+
+mysql_gnocchi_ssl_x509_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: gnocchi
+    - group: gnocchi
+
+  {% elif cfg.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_gnocchi_file:
+  {%- if cfg.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ cfg.database.ssl.cacert_file }}
+    - contents_pillar: cfg.database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}
+  {%- endif %}
+
+{%- endif %}

diff --git a/gnocchi/files/4.0/gnocchi.conf b/gnocchi/files/4.0/gnocchi.conf
index 0f08a08..d23766b 100644
--- a/gnocchi/files/4.0/gnocchi.conf
+++ b/gnocchi/files/4.0/gnocchi.conf

@@ -1,5 +1,14 @@
-{% from "gnocchi/map.jinja" import cfg,server,statsd with context %}
-{% set storage = cfg.get('storage', {}) %}
+{%- from "gnocchi/map.jinja" import cfg,server,statsd with context %}
+{%- set storage = cfg.get('storage', {}) %}
+{%- set _database = cfg.database %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if _database.get('x509',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.x509.ca_file ~ '&ssl_cert=' ~ _database.x509.cert_file ~ '&ssl_key=' ~ _database.x509.key_file %}
+{%- elif _database.get('ssl',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.ssl.cacert_file %}
+{%- endif %}
+
 [DEFAULT]
 
 debug = {{ cfg.debug }}
@@ -34,7 +43,7 @@
 
 [indexer]
 
-url = {{ cfg.database.engine }}+pymysql://{{ cfg.database.user }}:{{ cfg.database.password }}@{{ cfg.database.host }}/{{ cfg.database.name }}{%- if cfg.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}{% endif %}
+url = {{ cfg.database.engine }}+pymysql://{{ cfg.database.user }}:{{ cfg.database.password }}@{{ cfg.database.host }}/{{ cfg.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
 
 
 [keystone_authtoken]

diff --git a/gnocchi/files/4.2/gnocchi.conf b/gnocchi/files/4.2/gnocchi.conf
index d7d5a16..00d4208 100644
--- a/gnocchi/files/4.2/gnocchi.conf
+++ b/gnocchi/files/4.2/gnocchi.conf

@@ -1,5 +1,14 @@
-{% from "gnocchi/map.jinja" import cfg,server,statsd with context %}
-{% set storage = cfg.get('storage', {}) %}
+{%- from "gnocchi/map.jinja" import cfg,server,statsd with context %}
+{%- set storage = cfg.get('storage', {}) %}
+{%- set _database = cfg.database %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if _database.get('x509',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.x509.ca_file ~ '&ssl_cert=' ~ _database.x509.cert_file ~ '&ssl_key=' ~ _database.x509.key_file %}
+{%- elif _database.get('ssl',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.ssl.cacert_file %}
+{%- endif %}
+
 [DEFAULT]
 
 #
@@ -163,7 +172,7 @@
 
 # Indexer driver to use (string value)
 #url = <None>
-url = {{ cfg.database.engine }}+pymysql://{{ cfg.database.user }}:{{ cfg.database.password }}@{{ cfg.database.host }}/{{ cfg.database.name }}{%- if cfg.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}{% endif %}
+url = {{ cfg.database.engine }}+pymysql://{{ cfg.database.user }}:{{ cfg.database.password }}@{{ cfg.database.host }}/{{ cfg.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
 
 
 {%- if server.identity.engine == 'keystone' %}

diff --git a/gnocchi/server.sls b/gnocchi/server.sls
index c506c46..a8cb5f9 100644
--- a/gnocchi/server.sls
+++ b/gnocchi/server.sls

@@ -47,10 +47,8 @@
   {%- endif %}
   - require:
     - cmd: gnocchi_upgrade
+    - sls: gnocchi._common
   - watch:
     - gnocchi_common_conf
-{%- if cfg.database.get('ssl',{}).get('enabled', False) %}
-    - mysql_ca_gnocchi_file
-{%- endif %}
 
 {%- endif %}

diff --git a/gnocchi/statsd.sls b/gnocchi/statsd.sls
index 43ca50a..5af64e9 100644
--- a/gnocchi/statsd.sls
+++ b/gnocchi/statsd.sls

@@ -17,11 +17,8 @@
   {%- endif %}
   - require:
     - pkg: gnocchi_statsd_packages
+    - sls: gnocchi._common
   - watch:
     - gnocchi_common_conf
-{%- if cfg.database.get('ssl',{}).get('enabled', False) %}
-    - mysql_ca_gnocchi_file
-{%- endif %}
-
 
 {%- endif %}