Implement X.509 auth for MySQL and Heat
Change-Id: I788032408d6608ede0a83324adbb2c6b3cef9f06
Related-PROD: PROD-22736
diff --git a/heat/_ssl/mysql.sls b/heat/_ssl/mysql.sls
index b38e7cb..a5730fb 100644
--- a/heat/_ssl/mysql.sls
+++ b/heat/_ssl/mysql.sls
@@ -1,5 +1,9 @@
{%- from "heat/map.jinja" import server with context %}
+heat_ssl_mysql:
+ test.show_notification:
+ - text: "Running heat._ssl.mysql"
+
{%- if server.database.get('x509',{}).get('enabled',False) %}
{%- set ca_file=server.database.x509.ca_file %}
@@ -12,6 +16,8 @@
- name: {{ ca_file }}
- contents_pillar: heat:server:database:x509:cacert
- mode: 444
+ - user: heat
+ - group: heat
- makedirs: true
{%- else %}
file.exists:
@@ -24,6 +30,8 @@
- name: {{ cert_file }}
- contents_pillar: heat:server:database:x509:cert
- mode: 440
+ - user: heat
+ - group: heat
- makedirs: true
{%- else %}
file.exists:
@@ -36,12 +44,23 @@
- name: {{ key_file }}
- contents_pillar: heat:server:database:x509:key
- mode: 400
+ - user: heat
+ - group: heat
- makedirs: true
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
+mysql_heat_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: heat
+ - group: heat
+
{% elif server.database.get('ssl',{}).get('enabled',False) %}
mysql_ca_heat:
{%- if server.database.ssl.cacert is defined %}
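Review bot: The new `mysql_heat_ssl_x509_set_user_and_group` state re-asserts ownership that the three `file.managed` states above already enforce through the `- user: heat` / `- group: heat` lines this commit adds (here and in the two preceding hunks), and because it sits after the `{%- endif %}` it also runs when the `file.exists` branch was taken. If I read Salt's `file.managed` defaults correctly (`create: True`, no `source` or `contents`), a missing cert or key is then created as an empty file with whatever mode the minion's umask gives it, since no `mode:` is listed — so the `file.exists` check fails only on the first run and MySQL TLS later fails at connect time instead of at state time. I would drop the extra state, or at least move it inside the `is defined` branches where the files are actually written. The `{% elif ... %}` ssl branch that follows continues outside the hunk.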
diff --git a/heat/server.sls b/heat/server.sls
index 0412c53..d169e9f 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -2,13 +2,9 @@
{%- if server.enabled %}
-{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
-
include:
- heat.db.offline_sync
- {%- if mysql_x509_ssl_enabled %}
- heat._ssl.mysql
- {%- endif %}
heat_server_packages:
pkg.installed:
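Review bot: The include of `heat._ssl.mysql` becomes unconditional with no comment explaining why, while the `mysql_x509_ssl_enabled` guard that used to gate it (and the matching one removed in the last hunk of this file) disappears; a reader will wonder whether applying the sls with neither x509 nor ssl enabled is safe. From the mysql.sls side of this change it looks like the `heat_ssl_mysql` notification state was added so the sls always renders at least one state and the `- sls: heat._ssl.mysql` requisites elsewhere in this file can resolve — worth stating in place, e.g. `{# heat._ssl.mysql is always included: it manages certificates only when database x509/ssl is enabled, and must render for the sls requisites below #}` above the `include:` line. The `{%- if server.enabled %}` block this sits in continues past the hunk.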
@@ -24,6 +20,7 @@
- group: heat
- require:
- pkg: heat_server_packages
+ - sls: heat._ssl.mysql
- require_in:
- sls: heat.db.offline_sync
@@ -164,7 +161,7 @@
- require:
- file: /etc/heat/heat.conf
- pkg: heat_server_packages
- - require:
+ - sls: heat._ssl.mysql
- sls: heat.db.offline_sync
{%- endif %}
@@ -192,9 +189,7 @@
{%- endif %}
- require:
- sls: heat.db.offline_sync
- {%- if mysql_x509_ssl_enabled %}
- sls: heat._ssl.mysql
- {%- endif %}
- watch:
- file: /etc/heat/heat.conf
- file: /etc/heat/api-paste.ini