From b5167261acf0d277b42f132013650f85e422336e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Suchomel?=
Date: Wed, 20 Sep 2017 12:39:20 +0200
Subject: [PATCH] all: Require SSL connection to database if MariaDB SSL is configured
With this settings, non-SSL access is forbidden for the affected users.
---
 chef/cookbooks/aodh/recipes/aodh.rb | 1 +
 chef/cookbooks/barbican/recipes/common.rb | 1 +
 chef/cookbooks/ceilometer/recipes/server.rb | 1 +
 chef/cookbooks/cinder/recipes/sql.rb | 1 +
 chef/cookbooks/ec2-api/recipes/ec2api.rb | 1 +
 chef/cookbooks/glance/recipes/common.rb | 1 +
 chef/cookbooks/heat/recipes/server.rb | 1 +
 chef/cookbooks/horizon/recipes/server.rb | 1 +
 chef/cookbooks/ironic/recipes/server.rb | 1 +
 chef/cookbooks/magnum/recipes/sql.rb | 1 +
 chef/cookbooks/manila/recipes/sql.rb | 1 +
 chef/cookbooks/mysql/recipes/server.rb | 1 +
 chef/cookbooks/neutron/recipes/database.rb | 1 +
 chef/cookbooks/nova/recipes/database.rb | 2 ++
 chef/cookbooks/sahara/recipes/sql.rb | 1 +
 chef/cookbooks/trove/recipes/sql.rb | 1 +
 16 files changed, 17 insertions(+)
diff --git a/chef/cookbooks/aodh/recipes/aodh.rb b/chef/cookbooks/aodh/recipes/aodh.rb
index ddba634df5..64360d8225 100644
--- a/chef/cookbooks/aodh/recipes/aodh.rb
+++ b/chef/cookbooks/aodh/recipes/aodh.rb
@@ -40,6 +40,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/barbican/recipes/common.rb b/chef/cookbooks/barbican/recipes/common.rb
index 26c05ad9c6..54d8fec3fc 100644
--- a/chef/cookbooks/barbican/recipes/common.rb
+++ b/chef/cookbooks/barbican/recipes/common.rb
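Review bot: The added `require_ssl db_settings[:connection][:ssl][:enabled]` line in the aodh hunk chains three hash lookups, so it raises NoMethodError during the Chef run if `db_settings[:connection]` has no `:ssl` entry. `db_settings` is built outside the hunk, so this should be confirmed for nodes whose database attributes predate the SSL option or that use a backend other than MariaDB. A nil-tolerant form such as `require_ssl((db_settings[:connection][:ssl] || {})[:enabled] ? true : false)` would keep the grant working, with SSL simply not required. The same line is added in every other hunk of this patch (mysql/recipes/server.rb reads `db_connection` instead).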
@@ -62,6 +62,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/ceilometer/recipes/server.rb b/chef/cookbooks/ceilometer/recipes/server.rb
index 0dac97d30f..07660a5752 100644
--- a/chef/cookbooks/ceilometer/recipes/server.rb
+++ b/chef/cookbooks/ceilometer/recipes/server.rb
@@ -95,6 +95,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/cinder/recipes/sql.rb b/chef/cookbooks/cinder/recipes/sql.rb
index 99cb75eaed..341f3f6102 100644
--- a/chef/cookbooks/cinder/recipes/sql.rb
+++ b/chef/cookbooks/cinder/recipes/sql.rb
@@ -56,6 +56,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/ec2-api/recipes/ec2api.rb b/chef/cookbooks/ec2-api/recipes/ec2api.rb
index d0f306f48f..39f6225010 100644
--- a/chef/cookbooks/ec2-api/recipes/ec2api.rb
+++ b/chef/cookbooks/ec2-api/recipes/ec2api.rb
@@ -79,6 +79,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/glance/recipes/common.rb b/chef/cookbooks/glance/recipes/common.rb
index 98f5a20a34..ba811a2da4 100644
--- a/chef/cookbooks/glance/recipes/common.rb
+++ b/chef/cookbooks/glance/recipes/common.rb
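Review bot: Nothing at the added `require_ssl` line in the barbican hunk says what the attribute enforces, and the account is still granted for `host "%"`. Assuming the provider turns it into `GRANT ... REQUIRE SSL` (the provider is not part of this patch), that obliges the client to use an encrypted connection but does not ask for a client certificate, and the server is only authenticated if the client's own connection options verify the CA. I would add a comment above the line, e.g. `# REQUIRE SSL: encrypted transport only; no client certificate is checked`. Two things outside this diff also need confirming: that every service's connection string is switched to SSL before this grant runs, and that the provider clears the requirement when the value goes back to false. This applies equally to the other recipes in the patch.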
@@ -58,6 +58,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/heat/recipes/server.rb b/chef/cookbooks/heat/recipes/server.rb
index decde83e31..7ef4814fd0 100644
--- a/chef/cookbooks/heat/recipes/server.rb
+++ b/chef/cookbooks/heat/recipes/server.rb
@@ -51,6 +51,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
index bab042e220..766e06f6ab 100644
--- a/chef/cookbooks/horizon/recipes/server.rb
+++ b/chef/cookbooks/horizon/recipes/server.rb
@@ -322,6 +322,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/ironic/recipes/server.rb b/chef/cookbooks/ironic/recipes/server.rb
index 3edb90e876..306de66b1c 100644
--- a/chef/cookbooks/ironic/recipes/server.rb
+++ b/chef/cookbooks/ironic/recipes/server.rb
@@ -45,6 +45,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 end
diff --git a/chef/cookbooks/magnum/recipes/sql.rb b/chef/cookbooks/magnum/recipes/sql.rb
index bd1be1b2f3..80cfb26422 100644
--- a/chef/cookbooks/magnum/recipes/sql.rb
+++ b/chef/cookbooks/magnum/recipes/sql.rb
@@ -54,6 +54,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || is_cluster_founder }
 end
diff --git a/chef/cookbooks/manila/recipes/sql.rb b/chef/cookbooks/manila/recipes/sql.rb
index cf702928e2..69c6c5a96e 100644
--- a/chef/cookbooks/manila/recipes/sql.rb
+++ b/chef/cookbooks/manila/recipes/sql.rb
@@ -36,6 +36,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/mysql/recipes/server.rb b/chef/cookbooks/mysql/recipes/server.rb
index 86c15f660c..0bda7c90dc 100644
--- a/chef/cookbooks/mysql/recipes/server.rb
+++ b/chef/cookbooks/mysql/recipes/server.rb
@@ -183,6 +183,7 @@
 "TRIGGER"
 ]
 provider db_settings[:user_provider]
+ require_ssl db_connection[:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/neutron/recipes/database.rb b/chef/cookbooks/neutron/recipes/database.rb
index e28ed5e460..5e3392625d 100644
--- a/chef/cookbooks/neutron/recipes/database.rb
+++ b/chef/cookbooks/neutron/recipes/database.rb
@@ -63,6 +63,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/nova/recipes/database.rb b/chef/cookbooks/nova/recipes/database.rb
index 6a57a38b7e..9b0f67de32 100644
--- a/chef/cookbooks/nova/recipes/database.rb
+++ b/chef/cookbooks/nova/recipes/database.rb
@@ -58,6 +58,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
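Review bot: In mysql/recipes/server.rb the added line reads `db_connection[:ssl][:enabled]`, while the other fifteen recipes read `db_settings[:connection][:ssl][:enabled]`. `db_connection` is defined outside the hunk; if it is not the same hash as `db_settings[:connection]` (this resource already takes its provider from `db_settings`), this account and the service accounts could end up with different SSL requirements. Either use `require_ssl db_settings[:connection][:ssl][:enabled]` here as well, or, once the equivalence is confirmed, say so in a comment such as `# db_connection is db_settings[:connection]`. The resource's opening lines and its `host` value are above the hunk, so which account this grant covers cannot be seen here.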
@@ -81,6 +82,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/sahara/recipes/sql.rb b/chef/cookbooks/sahara/recipes/sql.rb
index 765be94d51..fd5ed56e69 100644
--- a/chef/cookbooks/sahara/recipes/sql.rb
+++ b/chef/cookbooks/sahara/recipes/sql.rb
@@ -52,6 +52,7 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
diff --git a/chef/cookbooks/trove/recipes/sql.rb b/chef/cookbooks/trove/recipes/sql.rb
index e9c528dc48..efb6bdf1b2 100644
--- a/chef/cookbooks/trove/recipes/sql.rb
+++ b/chef/cookbooks/trove/recipes/sql.rb
@@ -47,5 +47,6 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
+ require_ssl db_settings[:connection][:ssl][:enabled]
 action :grant
 end