-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require SSL connection to database if MariaDB SSL is configured #1289
Conversation
8268b62
to
b516726
Compare
if new_resource.connection[:ssl][:insecure] | ||
client_options[:sslverify] = false | ||
else | ||
client_options[:sslca] = new_resource.connection[:ssl][:ca_certs] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you explicitly need to set client_options[:sslverify] = true
at least the mysqlclient docs mention that it is off by default. (I didn't try that though)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, true indeed
b516726
to
c14aca2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change itself looks good now. But we can't merge it before we have feedback on the ruby-mysql2 patch referenced above. Or we need to rework the code to disable ssl for the ruby part when certificate verification is not possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Though the comments from the previous review still apply.
9801d33
to
a806f8c
Compare
Rebased (no code change) |
a806f8c
to
3209d91
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be missing keystone at least.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be missing keystone at least.
3209d91
to
f1a9a17
Compare
Added |
@rhafer as your patch is currently living in build service, this PR could be merged actually. |
Current blocker is neutron behavior, see bug https://bugzilla.suse.com/show_bug.cgi?id=1060405 |
@jsuchome Would splitting the neutron part in a separate PR help unblocking this PR? |
@@ -63,6 +63,8 @@ | |||
host "%" | |||
privileges db_settings[:privs] | |||
provider db_settings[:user_provider] | |||
# FIXME: does not work now, see bsc#1060405 | |||
# require_ssl db_settings[:connection][:ssl][:enabled] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Layout/CommentIndentation: Incorrect indentation detected (column 0 instead of 4).
@@ -63,6 +63,8 @@ | |||
host "%" | |||
privileges db_settings[:privs] | |||
provider db_settings[:user_provider] | |||
# FIXME: does not work now, see bsc#1060405 | |||
# require_ssl db_settings[:connection][:ssl][:enabled] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Layout/CommentIndentation: Incorrect indentation detected (column 0 instead of 4).
@rsalevsky ok, I've removed neutron part in last commit ... but I'm not sure how severe the problem is, maybe we're gonna have to rework it again |
With this settings, non-SSL access is forbidden for the affected users.
@@ -333,6 +333,7 @@ | |||
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) } | |||
end | |||
|
|||
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am happy with these changes, on the proviso that the SSL CI job passes as well.
@@ -333,6 +333,7 @@ | |||
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) } | |||
end | |||
|
|||
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a comment with an explanation why we're not enabling ssl for horizon in "insecure" mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -333,6 +333,9 @@ | |||
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) } | |||
end | |||
|
|||
# We do not require SSL connectopn for horizon user in case of insecure DB setup, | |||
# because horizon's django uses a library (MySQLdb) that does not support insecure connection. | |||
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)
@@ -333,6 +333,9 @@ | |||
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) } | |||
end | |||
|
|||
# We do not require SSL connectopn for horizon user in case of insecure DB setup, | |||
# because horizon's django uses a library (MySQLdb) that does not support insecure connection. | |||
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind addressing this as well?
Also, do not require SSL connection for insecure setup. It seems that MySQLdb library used by django is not able to start SSL connection without proper certificate verification.
With this settings, non-SSL access is forbidden for the affected
users.
This is based on @s-t-e-v-e-n-k patch.
NOTE:
Make sure ssl is enabled if only :sslverify is set brianmario/mysql2#889