Implement X.509 auth for MySQL and Heat
Related-PROD: PROD-22736
Change-Id: Ie1b5741ee2b9ada88d9552d270630e76ca2f240c
diff --git a/README.rst b/README.rst
index 8817d0a..8ad30f3 100644
--- a/README.rst
+++ b/README.rst
@@ -249,6 +249,27 @@
ossyslog:
enabled: true
+Enable x509 and ssl communication between Heat and Galera cluster.
+---------------------
+By default communication between Heat and Galera is unsecure.
+
+You able to set custom certificates in pillar:
+server:
+ database:
+ x509:
+ enabled: True
+
+heat:
+ server:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Documentation and Bugs
======================
diff --git a/heat/_ssl/mysql.sls b/heat/_ssl/mysql.sls
new file mode 100644
index 0000000..b38e7cb
--- /dev/null
+++ b/heat/_ssl/mysql.sls
@@ -0,0 +1,58 @@
+{%- from "heat/map.jinja" import server with context %}
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_heat_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: heat:server:database:x509:cacert
+ - mode: 444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_heat_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: heat:server:database:x509:cert
+ - mode: 440
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_heat_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: heat:server:database:x509:key
+ - mode: 400
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_heat:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: heat:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/heat/files/pike/heat.conf.Debian b/heat/files/pike/heat.conf.Debian
index cec6af8..9b551ac 100644
--- a/heat/files/pike/heat.conf.Debian
+++ b/heat/files/pike/heat.conf.Debian
@@ -1,6 +1,13 @@
{%- from "heat/map.jinja" import server with context %}
-[DEFAULT]
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
#
# From heat.api.middleware.ssl
#
@@ -1211,7 +1218,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/heat/server.sls b/heat/server.sls
index 2caa2f4..53b4a7b 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -1,8 +1,14 @@
{%- from "heat/map.jinja" import server with context %}
+
{%- if server.enabled %}
+{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
+
include:
- heat.db.offline_sync
+ {%- if mysql_x509_ssl_enabled %}
+ - heat._ssl.mysql
+ {%- endif %}
heat_server_packages:
pkg.installed:
@@ -184,15 +190,15 @@
{%- endif %}
- require:
- sls: heat.db.offline_sync
+ {%- if mysql_x509_ssl_enabled %}
+ - sls: heat._ssl.mysql
+ {%- endif %}
- watch:
- file: /etc/heat/heat.conf
- file: /etc/heat/api-paste.ini
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_heat_server
{%- endif %}
- {%- if server.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_heat_server
- {%- endif %}
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_heat_server:
@@ -208,20 +214,4 @@
{%- endif %}
{%- endif %}
-{%- if server.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_heat_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: heat:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
-{%- endif %}
- - require_in:
- - file: /etc/heat/heat.conf
-{%- endif %}
-
{%- endif %}