Implement X.509 auth for MySQL and Manila
Related-PROD: PROD-22749
Change-Id: Ib6728636743e59ec63138ac26aab5afb7fcc5694
diff --git a/README.rst b/README.rst
index f7fcf2d..2fa486c 100644
--- a/README.rst
+++ b/README.rst
@@ -137,6 +137,29 @@
fluentd:
enabled: true
+Enable x509 and ssl communication between Manila and Galera cluster.
+---------------------
+By default communication between Manila and Galera is unsecure.
+
+manila:
+ common:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+manila:
+ common:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
More information
================
diff --git a/manila/_common.sls b/manila/_common.sls
index 5af5791..49b6f30 100644
--- a/manila/_common.sls
+++ b/manila/_common.sls
@@ -1,9 +1,14 @@
{%- from "manila/map.jinja" import cfg with context %}
+include:
+ - manila._ssl.mysql
+
manila_common.pkgs:
pkg.installed:
- name: 'manila-common'
- install_recommends: False
+ - require_in:
+ - sls: manila._ssl.mysql
/etc/manila/manila.conf:
file.managed:
@@ -11,6 +16,7 @@
- template: jinja
- require:
- pkg: manila_common.pkgs
+ - sls: manila._ssl.mysql
{%- if cfg.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca_manila_file:
@@ -25,17 +31,3 @@
- name: {{ cfg.message_queue.ssl.get('cacert_file', cfg.cacert_file) }}
{%- endif %}
{%- endif %}
-
-{%- if cfg.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_manila_file:
-{%- if cfg.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ cfg.databse.ssl.cacert_file }}
- - contents_pillar: cfg.database:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}
-{%- endif %}
-{%- endif %}
diff --git a/manila/_ssl/mysql.sls b/manila/_ssl/mysql.sls
new file mode 100644
index 0000000..4b4f1cb
--- /dev/null
+++ b/manila/_ssl/mysql.sls
@@ -0,0 +1,77 @@
+{% from "manila/map.jinja" import cfg with context %}
+
+manila_ssl_mysql:
+ test.show_notification:
+ - text: "Running manila._ssl.mysql"
+
+{%- if cfg.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=cfg.database.x509.ca_file %}
+ {%- set key_file=cfg.database.x509.key_file %}
+ {%- set cert_file=cfg.database.x509.cert_file %}
+
+mysql_manila_ssl_x509_ca:
+ {%- if cfg.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: cfg.database:x509:cacert
+ - mode: 444
+ - user: manila
+ - group: manila
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_manila_client_ssl_cert:
+ {%- if cfg.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: cfg.database:x509:cert
+ - mode: 440
+ - user: manila
+ - group: manila
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_manila_client_ssl_private_key:
+ {%- if cfg.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: cfg.database:x509:key
+ - mode: 400
+ - user: manila
+ - group: manila
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_manila_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: manila
+ - group: manila
+
+ {% elif cfg.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_manila_file:
+ {%- if cfg.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ cfg.database.ssl.cacert_file }}
+ - contents_pillar: cfg.database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cfg.database.ssl.get('cacert_file', cfg.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/manila/files/pike/_database.conf b/manila/files/pike/_database.conf
index 184d3df..3fdfede 100644
--- a/manila/files/pike/_database.conf
+++ b/manila/files/pike/_database.conf
@@ -1 +1,8 @@
-connection = {{ _database.engine }}+pymysql://{{ _database.user }}:{{ _database.password }}@{{ _database.host }}/{{ _database.name }}?charset=utf8{%- if _database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ _database.ssl.cacert_file }}{% endif %}
+{%- set connection_x509_ssl_option = '' %}
+{%- if _database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.x509.ca_file ~ '&ssl_cert=' ~ _database.x509.cert_file ~ '&ssl_key=' ~ _database.x509.key_file %}
+{%- elif _database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ _database.ssl.cacert_file %}
+{%- endif %}
+
+connection = {{ _database.engine }}+pymysql://{{ _database.user }}:{{ _database.password }}@{{ _database.host }}/{{ _database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
\ No newline at end of file