Implement X.509 auth for MySQL and Panko
Related-PROD: PROD-22752
Change-Id: Ie81921548f67b0a6155d3101ee59eed845e95a58
diff --git a/README.rst b/README.rst
index 1cceabc..f1b324d 100644
--- a/README.rst
+++ b/README.rst
@@ -94,6 +94,28 @@
fluentd:
enabled: true
+Enable x509 and ssl communication between Panko and Galera cluster.
+---------------------
+By default communication between Panko and Galera is unsecure.
+
+panko:
+ server:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+panko:
+ server:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
More information
================
diff --git a/panko/_ssl/mysql.sls b/panko/_ssl/mysql.sls
new file mode 100644
index 0000000..7eeae11
--- /dev/null
+++ b/panko/_ssl/mysql.sls
@@ -0,0 +1,77 @@
+{%- from "panko/map.jinja" import server with context %}
+
+panko_ssl_mysql:
+ test.show_notification:
+ - text: "Running panko._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_panko_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: panko:server:database:x509:cacert
+ - mode: 444
+ - user: panko
+ - group: panko
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_panko_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: panko:server:database:x509:cert
+ - mode: 440
+ - user: panko
+ - group: panko
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_panko_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: panko:server:database:x509:key
+ - mode: 400
+ - user: panko
+ - group: panko
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_panko_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: panko
+ - group: panko
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_panko:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: panko:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/panko/files/pike/panko.conf.Debian b/panko/files/pike/panko.conf.Debian
index ad4300a..4cebd7a 100644
--- a/panko/files/pike/panko.conf.Debian
+++ b/panko/files/pike/panko.conf.Debian
@@ -1,4 +1,12 @@
{%- from "panko/map.jinja" import server with context -%}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
#
@@ -180,7 +188,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled', False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/panko/server.sls b/panko/server.sls
index f1be8d2..bddebe1 100644
--- a/panko/server.sls
+++ b/panko/server.sls
@@ -1,18 +1,23 @@
{%- from "panko/map.jinja" import server with context %}
+
{%- if server.get('enabled', False) %}
include:
-- apache
+ - apache
+ - panko._ssl.mysql
panko_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
+ - require_in:
+ - sls: panko._ssl.mysql
/etc/panko/panko.conf:
file.managed:
- source: salt://panko/files/{{ server.version }}/panko.conf.{{ grains.os_family }}
- template: jinja
- require:
+ - sls: panko._ssl.mysql
- pkg: panko_server_packages
{% if server.logging.log_appender %}
@@ -122,5 +127,7 @@
- watch:
- file: /etc/panko/panko.conf
- apache_enable_panko_wsgi
+ - require:
+ - sls: panko._ssl.mysql
{%- endif %}
\ No newline at end of file