From 1faf0b322ff0a2117a96fca1b4589e619aad446f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 30 Dec 2011 12:32:19 -0500 Subject: add table grant privilege handling to mysql_grant --- lib/puppet/provider/mysql_grant/mysql.rb | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 2c44e0b..93c5e34 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -20,6 +20,12 @@ MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv ] +MYSQL_TABLE_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, + :create_priv, :drop_priv, :grant_privt, :references_priv, + :index_priv, :alter_priv, :create_view_priv, :show_view_priv, + :trigger_priv +] + Puppet::Type.type(:mysql_grant).provide(:mysql) do desc "Uses mysql as database." @@ -33,7 +39,7 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do # this parses the def split_name(string) - matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact + matches = /^([^@]*)@([^\/]*)(\/(.*))?(\/(.*))?$/.match(string).captures.compact case matches.length when 2 { @@ -48,6 +54,14 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do :host => matches[1], :db => matches[3] } + when 6 + { + :type => :table, + :user => matches[0], + :host => matches[1], + :db => matches[3], + :table => matches[5] + } end end @@ -63,6 +77,10 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [ name[:host], name[:user], name[:db], ] + when :table + mysql "mysql", "-e", "INSERT INTO tables_priv (host, user, db, table) VALUES ('%s', '%s', '%s', '%s')" % [ + name[:host], name[:user], name[:db], name[:table], + ] end mysql_flush end 
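Review bot: `:grant_privt` in the new MYSQL_TABLE_PRIVS list is a typo for `:grant_priv`; since this list is what the `privileges` validator joins into its regexp later in this commit, a manifest asking for grant_priv on a table would be rejected while only the misspelling would pass. Change the line to `:create_priv, :drop_priv, :grant_priv, :references_priv,`. A one-line comment above the constant saying which MySQL grant table it mirrors (`# privilege columns of mysql.tables_priv`) would also make the next typo easier to spot.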
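Review bot: The regexp added to split_name cannot produce the six-capture case it is meant to feed: the first optional group's `(.*)` is greedy and runs to end of string, so the second `(\/(.*))?` group never participates and `user@host/db/table` still lands in the four-capture arm with `:db => 'db/table'`. Restricting each segment to non-slash characters fixes it: `matches = /^([^@]*)@([^\/]*)(\/([^\/]*))?(\/([^\/]*))?$/.match(string).captures.compact`. Because `.captures.compact` drops the nils of unmatched groups, the `when` arms dispatch on how many groups participated rather than on positions, which deserves a comment such as `# compact drops unmatched optional groups: 2 = user@host, 4 = +db, 6 = +table`. split_name continues past the hunk.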
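Review bot: The new INSERT names its fourth column `table`, but the grant table stores the table name in `Table_name` (the column this series itself selects on in commit 7f10702), and `table` is a reserved word, so the statement is a syntax error before any row is written; use `INSERT INTO tables_priv (host, user, db, Table_name) VALUES ('%s', '%s', '%s', '%s')`. The same `Table="%s"` naming is in this commit's privileges getter and the column INSERT of commit ae6dab7. As in the existing db branch, the values go from the resource title straight into the statement with no quoting or escaping, so a title containing a quote character breaks the SQL; a title validation in the type, or escaping here, would close that. create_row starts outside the hunk.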
@@ -78,6 +96,9 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do if name[:type] == :db fields << :db end + if name[:type] == :table + fields << :table + end not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty? end @@ -87,6 +108,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do MYSQL_USER_PRIVS when :db MYSQL_DB_PRIVS + when :table + MYSQL_TABLE_PRIVS end all_privs = all_privs.collect do |p| p.to_s end.sort.join("|") privs = privileges.collect do |p| p.to_s end.sort.join("|") @@ -103,6 +126,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ] when :db privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ] + when :table + privs = mysql "mysql", "-Be", 'select * from tables_priv where User="%s" and Host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] end if privs.match(/^$/) @@ -137,6 +162,10 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do stmt = 'update db set ' where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ] all_privs = MYSQL_DB_PRIVS + when :table + stmt = 'update table_priv set ' + where = ' where user="%s" and host="%s" and Db="%s"' % [ name[:user], name[:host], name[:db] ] + all_privs = MYSQL_DB_PRIVS end if privs[0] == :all -- cgit v1.2.3 From ae6dab7c25492f73aaeb354179db832f451b1c2f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 30 Dec 2011 12:37:44 -0500 Subject: add column grant to mysql_grant --- lib/puppet/provider/mysql_grant/mysql.rb | 30 ++++++++++++++++++++++++++++-- lib/puppet/type/mysql_grant.rb | 10 ++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) 
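Review bot: `row_exists?` builds its query as `SELECT "1" FROM %s` with `name[:type]` as the table name, so for the new `:table` type it queries a table literally called `table` (a reserved word; the grant table is `tables_priv`), and the added `fields << :table` never produces a usable existence check. The type-to-table mapping needs to be explicit, e.g. `table = { :user => 'user', :db => 'db', :table => 'tables_priv' }[name[:type]]` and then `'SELECT "1" FROM %s WHERE %s' % [ table, ... ]`. Commit ae6dab7's `:column` addition to the same method has the same problem (`FROM column` instead of `columns_priv`). The method's first lines are outside the hunk.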
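Review bot: The new `:table` arm of `privileges=` updates `table_priv`, which does not exist (the getter in this same commit reads `tables_priv`), its WHERE clause omits the table so every tables_priv row for that user/host/db would be touched, and it sets `all_privs = MYSQL_DB_PRIVS` instead of the MYSQL_TABLE_PRIVS list this commit introduces. The three lines would be `stmt = 'update tables_priv set '`, `where = ' where user="%s" and host="%s" and Db="%s" and Table_name="%s"' % [ name[:user], name[:host], name[:db], name[:table] ]` and `all_privs = MYSQL_TABLE_PRIVS`. Even then, tables_priv keeps its privileges in one `Table_priv` SET rather than per-privilege Y/N columns (which is why commit 7f10702 later moves to GRANT/REVOKE), so an UPDATE of `select_priv = 'Y'` cannot work at this level. The method starts and ends outside the hunk.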
diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 93c5e34..b782f12 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -26,6 +26,8 @@ MYSQL_TABLE_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, :trigger_priv ] +MYSQL_COLUMN_PRIVS = [ :select_priv, :insert_priv, :update_priv, :references_priv ] + Puppet::Type.type(:mysql_grant).provide(:mysql) do desc "Uses mysql as database." @@ -39,7 +41,7 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do # this parses the def split_name(string) - matches = /^([^@]*)@([^\/]*)(\/(.*))?(\/(.*))?$/.match(string).captures.compact + matches = /^([^@]*)@([^\/]*)(\/(.*))?(\/(.*))?(\/(.*))?$/.match(string).captures.compact case matches.length when 2 { @@ -62,6 +64,15 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do :db => matches[3], :table => matches[5] } + when 8 + { + :type => :table, + :user => matches[0], + :host => matches[1], + :db => matches[3], + :table => matches[5], + :column => matches[7] + } end end @@ -81,6 +92,10 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do mysql "mysql", "-e", "INSERT INTO tables_priv (host, user, db, table) VALUES ('%s', '%s', '%s', '%s')" % [ name[:host], name[:user], name[:db], name[:table], ] + when :column + mysql "mysql", "-e", "INSERT INTO columns_priv (host, user, db, table, column_name) VALUES ('%s', '%s', '%s', '%s', '%s')" % [ + name[:host], name[:user], name[:db], name[:table], name[:column], + ] end mysql_flush end @@ -99,6 +114,9 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do if name[:type] == :table fields << :table end + if name[:type] == :column + fields << :column + end not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty? end 
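Review bot: The new eight-capture arm of split_name labels its result `:type => :table`, while every other branch this commit adds (create_row, row_exists?, privileges, privileges=) dispatches on `:column`, so a column grant is routed through the table code and the column branches are dead; change the arm to `:type => :column,`. The arm is also unreachable as written, because the greedy `(.*)` in the regexp two hunks above swallows all remaining segments into the first optional group; each segment needs `[^\/]*` for the three-group form to work. split_name's `case` is closed outside the hunk.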
@@ -110,6 +128,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do MYSQL_DB_PRIVS when :table MYSQL_TABLE_PRIVS + when :column + MYSQL_COLUMN_PRIVS end all_privs = all_privs.collect do |p| p.to_s end.sort.join("|") privs = privileges.collect do |p| p.to_s end.sort.join("|") @@ -128,6 +148,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ] when :table privs = mysql "mysql", "-Be", 'select * from tables_priv where User="%s" and Host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] + when :column + privs = mysql "mysql", "-Be", 'select * from columns_priv where User="%s" and Host="%s" and Db="%s" and Table_name="%s" and Column_name="%s"' % [ name[:user], name[:host], name[:db], name[:table], name[:column] ] end if privs.match(/^$/) @@ -165,7 +187,11 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do when :table stmt = 'update table_priv set ' where = ' where user="%s" and host="%s" and Db="%s"' % [ name[:user], name[:host], name[:db] ] - all_privs = MYSQL_DB_PRIVS + all_privs = MYSQL_DB_PRIVS + when :column + stmt = 'update columns_priv set ' + where = ' where user="%s" and host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] + all_privs = MYSQL_DB_PRIVS end if privs[0] == :all diff --git a/lib/puppet/type/mysql_grant.rb b/lib/puppet/type/mysql_grant.rb index 6bc7533..c6311e5 100644 --- a/lib/puppet/type/mysql_grant.rb +++ b/lib/puppet/type/mysql_grant.rb 
@@ -5,6 +5,16 @@ Puppet::Type.newtype(:mysql_grant) do #ensurable autorequire(:service) { 'mysqld' } + autorequire :mysql_table do + reqs = [] + matches = self[:name].match(/^([^@]*)@([^\/]*)\/(.+)\/(.+)$/) + unless matches.nil? + reqs << matches[4] + end + # puts "Autoreq: '%s'" % reqs.join(" ") + reqs + end + autorequire :mysql_db do # puts "Starting db autoreq for %s" % self[:name] reqs = [] -- cgit v1.2.3 From b869455c7471cf32e8218f749f7e1f4025c0874a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 1 Jan 2012 15:28:30 -0500 Subject: table privileges don't have the name with _privs on the end, also the actually available privileges are less than was originally thought, so I trimmed those down --- lib/puppet/provider/mysql_grant/mysql.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index b782f12..22ee1e7 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -20,10 +20,8 @@ MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv ] -MYSQL_TABLE_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, - :create_priv, :drop_priv, :grant_privt, :references_priv, - :index_priv, :alter_priv, :create_view_priv, :show_view_priv, - :trigger_priv +MYSQL_TABLE_PRIVS = [ :select, :insert, :update, :delete, :create, :drop, + :references, :index, :alter ] MYSQL_COLUMN_PRIVS = [ :select_priv, :insert_priv, :update_priv, :references_priv ] -- cgit v1.2.3 From d42aafd7a8c6b1b97dd79586114f07f97cde999f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 1 Jan 2012 15:29:09 -0500 Subject: changed the matches regexp to be not greedy so other things like tables and columns can be matched --- lib/puppet/provider/mysql_grant/mysql.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
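Review bot: The autorequire regexp `^([^@]*)@([^\/]*)\/(.+)\/(.+)$` is greedy in its third group, so for the four-segment title the provider intends to accept in this commit (user@host/db/table/column) `matches[4]` is the column, not the table, and the wrong mysql_table resource is required. Matching each segment with `[^\/]+` and dropping the end anchor gives the table for both forms: `matches = self[:name].match(/^([^@]*)@([^\/]*)\/([^\/]+)\/([^\/]+)/)`. Whether mysql_table resources are titled by bare table name or by db/table is not visible here; a comment on the block stating the assumed title form would help, e.g. `# mysql_table is assumed to be titled by bare table name - confirm`. The commented-out `puts` debug line should not be committed.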
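Review bot: After this trim MYSQL_TABLE_PRIVS holds bare GRANT keywords (`:select`, `:index`, ...) while MYSQL_USER_PRIVS, MYSQL_DB_PRIVS and the unchanged MYSQL_COLUMN_PRIVS hold `_priv` column names, and nothing records that the two conventions are deliberate; since the validator builds its regexp from whichever list applies, a manifest author now has to know which spelling each grant level expects. A comment above the constant would stop the next reader "fixing" it back, e.g. `# tables_priv stores one Table_priv SET of GRANT keywords, not Y/N *_priv columns, so these are bare privilege names`. MYSQL_COLUMN_PRIVS probably wants the same treatment if columns_priv follows the same layout, which is worth confirming.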
diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 22ee1e7..f3c800d 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -39,7 +39,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do # this parses the def split_name(string) - matches = /^([^@]*)@([^\/]*)(\/(.*))?(\/(.*))?(\/(.*))?$/.match(string).captures.compact + matches = /^([^@]*)@([^\/]*)(\/([^\/]*))?(\/([^\/]*))?$/.match(string).captures.compact + case matches.length when 2 { -- cgit v1.2.3 From c650057bdcc41312a673277544519a11af8a9ede Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 1 Jan 2012 15:30:40 -0500 Subject: change the type name and the table_name to be less confusing --- lib/puppet/provider/mysql_grant/mysql.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index f3c800d..4d9b616 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -57,11 +57,11 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do } when 6 { - :type => :table, + :type => :tables_priv, :user => matches[0], :host => matches[1], :db => matches[3], - :table => matches[5] + :table_name => matches[5] } when 8 { @@ -125,7 +125,7 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do MYSQL_USER_PRIVS when :db MYSQL_DB_PRIVS - when :table + when :tables_priv MYSQL_TABLE_PRIVS when :column MYSQL_COLUMN_PRIVS -- cgit v1.2.3 From 7f10702c5a12fe8e098ab62f22d13eb322a2ad43 Mon Sep 17 00:00:00 2001 
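Review bot: The non-greedy rewrite drops the third optional segment that commit ae6dab7 added for columns, so the regexp now yields at most six captures and the `when 8` column arm of split_name can never run, although the commit message says the intent is to let columns match. Keep three groups: `matches = /^([^@]*)@([^\/]*)(\/([^\/]*))?(\/([^\/]*))?(\/([^\/]*))?$/.match(string).captures.compact`. The `match(...)` result is still dereferenced with no nil check, so a title without `@` raises NoMethodError instead of a descriptive error; a `raise Puppet::Error, "..."` guard before `.captures` would help. split_name continues past the hunk.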
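Review bot: The rename is only half applied: the six-capture arm now yields `:type => :tables_priv` with a `:table_name` key and the validator's `when :tables_priv` follows, but the `when 8` arm directly below it still emits `:type => :table` with a `:table` key, and row_exists?, the privileges getter and privileges= (outside this hunk) still test `:table` and read `name[:table]`, so a table grant now falls through every one of those case statements. Either rename all consumers in the same commit or keep the old symbol until they are updated; at minimum the eight-capture arm should use `:table_name => matches[5],` and whatever type symbol the column consumers are going to dispatch on.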
From: Micah Anderson Date: Sun, 1 Jan 2012 15:35:44 -0500 Subject: table privileges need to be handled with GRANT/REVOKE statements instead of inserts of Y/N values into the table. To handle this, this comment removes the create_row for table_privs, it also selects the actual value of the Table_priv so its value can be used instead of the method that is used for Y/N value settings --- lib/puppet/provider/mysql_grant/mysql.rb | 38 ++++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 4d9b616..2d474d0 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -87,10 +87,6 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [ name[:host], name[:user], name[:db], ] - when :table - mysql "mysql", "-e", "INSERT INTO tables_priv (host, user, db, table) VALUES ('%s', '%s', '%s', '%s')" % [ - name[:host], name[:user], name[:db], name[:table], - ] when :column mysql "mysql", "-e", "INSERT INTO columns_priv (host, user, db, table, column_name) VALUES ('%s', '%s', '%s', '%s', '%s')" % [ name[:host], name[:user], name[:db], name[:table], name[:column], @@ -110,12 +106,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do if name[:type] == :db fields << :db end - if name[:type] == :table - fields << :table - end if name[:type] == :column fields << :column - end not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty? end 
@@ -145,28 +137,36 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ] when :db privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ] - when :table - privs = mysql "mysql", "-Be", 'select * from tables_priv where User="%s" and Host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] - when :column + when :tables_priv + privs = mysql "mysql", "-NBe", 'select Table_priv from tables_priv where User="%s" and Host="%s" and Db="%s" and Table_name="%s"' % [ name[:user], name[:host], name[:db], name[:table_name] ] + privs = privs.chomp.downcase + return privs + when :columns privs = mysql "mysql", "-Be", 'select * from columns_priv where User="%s" and Host="%s" and Db="%s" and Table_name="%s" and Column_name="%s"' % [ name[:user], name[:host], name[:db], name[:table], name[:column] ] end if privs.match(/^$/) privs = [] # no result, no privs else + case name[:type] + when :user, :db # returns a line with field names and a line with values, each tab-separated - privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end - # transpose the lines, so we have key/value pairs - privs = privs[0].zip(privs[1]) - privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end + privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end + # transpose the lines, so we have key/value pairs + privs = privs[0].zip(privs[1]) + privs = privs.select do |p| (/_priv$/) and p[1] == 'Y' end + privs.collect do |p| symbolize(p[0].downcase) end + end end - - privs.collect do |p| symbolize(p[0].downcase) end end def privileges=(privs) - unless row_exists? - create_row + name = split_name(@resource[:name]) + # don't need to create a row for tables_priv and columns_priv + if name[:type] == :user || name[:type] == :db + unless row_exists? 
+ create_row + end end # puts "Setting privs: ", privs.join(", ") -- cgit v1.2.3 From 2fc384981886eeb33b262c443c05bb0c7dff0528 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 1 Jan 2012 15:43:47 -0500 Subject: Instead of doing an update table_priv, we need to do GRANT/REVOKE statements When we are working with tables_priv we need to first get a downcased array of the currently set privileges, and a downcased array of the desired permissions. Then we make a list of the permissions to revoke by subtracting the requested permissions from the currently set ones. If the list of permissions to revoke is not empty, then we issue a REVOKE. Then we make a list of the permissions to add by subtracting the requested permissions from the current set (no need to add select again if it is already there). Then if the set of permissions to add is not empty, then we actually execute the statement. --- lib/puppet/provider/mysql_grant/mysql.rb | 39 ++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 2d474d0..e1bdc07 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb 
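Review bot: In the reworked `privileges` getter the filter lost its receiver: `privs.select do |p| (/_priv$/) and p[1] == 'Y' end` tests a bare regexp literal, which is always truthy (Ruby warns about it), so every column whose value is 'Y' is returned rather than only the `*_priv` ones; restore `p[0].match(/_priv$/) and p[1] == 'Y'`. The new `:tables_priv` arm returns a downcased String such as `select,insert` where every other arm returns an Array of symbols, and it skips the empty-result check, so a missing row returns `""` rather than `[]`; either return one type (`return privs.chomp.downcase.split(',').map { |p| symbolize(p) }`) or document the String contract on the method. `when :columns` matches nothing split_name produces (it still emits `:table` for the eight-capture case), and the `case name[:type]` wrapped around the parsing has no `else`, so an unknown type silently yields nil. Both methods run past the edges of the hunk.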
@@ -183,10 +183,21 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do stmt = 'update db set ' where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ] all_privs = MYSQL_DB_PRIVS - when :table - stmt = 'update table_priv set ' - where = ' where user="%s" and host="%s" and Db="%s"' % [ name[:user], name[:host], name[:db] ] - all_privs = MYSQL_DB_PRIVS + when :tables_priv + currently_set = privileges + currently_set = currently_set.scan(/\w+/) + privs.map! {|i| i.to_s.downcase} + revoke = currently_set - privs + + if !revoke.empty? + #puts "Revoking table privs: ", revoke + mysql "mysql", "-e", "REVOKE %s ON %s.%s FROM '%s'@'%s'" % [ revoke.join(", "), name[:db], name[:table_name], name[:user], name[:host] ] + end + + set = privs - currently_set + stmt = 'GRANT ' + where = ' ON %s.%s TO "%s"@"%s"' % [ name[:db], name[:table_name], name[:user], name[:host] ] + all_privs = MYSQL_TABLE_PRIVS when :column stmt = 'update columns_priv set ' where = ' where user="%s" and host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] @@ -197,13 +208,23 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do privs = all_privs end - # puts "stmt:", stmt - set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ') - # puts "set:", set + #puts "stmt:", stmt + case name[:type] + when :user + set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ') + when :db + set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ') + when :tables_priv + set = set.join(', ') + end + + #puts "set:", set stmt = stmt << set << where - mysql "mysql", "-Be", stmt - mysql_flush + if !set.empty? + mysql "mysql", "-Be", stmt + mysql_flush + end end end -- cgit v1.2.3 From f2dd063f82eb0c32d02a5e0cb4777f96915ee431 Mon Sep 17 00:00:00 2001 
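Review bot: `privs.map! {|i| i.to_s.downcase}` rewrites the array Puppet handed to the setter in place, and the `:all` expansion further down (`if privs[0] == :all`, outside the hunk) runs after `set` and `revoke` were already computed and no longer matches anyway because the elements are now Strings, so `privileges => all` on a table grant revokes everything and grants nothing. The GRANT and REVOKE statements also quote the account differently (`"%s"@"%s"` versus `'%s'@'%s'`; the double-quoted form breaks under ANSI_QUOTES) and interpolate db and table as bare identifiers, so a name with a hyphen or space is a syntax error; quote them with backticks. Below is one way to restructure the arm without mutating the caller's array; the `when :column` arm and the statement execution that follow are unchanged.
```ruby
      when :tables_priv
        currently_set = privileges.scan(/\w+/)
        # work on a copy: privs is the resource's should-value
        wanted = privs.map { |i| i.to_s.downcase }
        # expand :all here, before the revoke/grant sets are derived
        wanted = MYSQL_TABLE_PRIVS.map { |p| p.to_s } if wanted.first == 'all'
        revoke = currently_set - wanted
        unless revoke.empty?
          mysql "mysql", "-e", "REVOKE %s ON `%s`.`%s` FROM '%s'@'%s'" % [ revoke.join(", "), name[:db], name[:table_name], name[:user], name[:host] ]
        end
        set = wanted - currently_set
        stmt = 'GRANT '
        where = " ON `%s`.`%s` TO '%s'@'%s'" % [ name[:db], name[:table_name], name[:user], name[:host] ]
        all_privs = MYSQL_TABLE_PRIVS
      # … unchanged: when :column arm, :all handling, statement build and execution …
```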
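Review bot: The `:user` and `:db` arms of the new `case name[:type]` are byte-identical and can be one arm, `when :user, :db`, and the `:column` type gets no arm at all, leaving `set` nil so `stmt << set` raises TypeError the moment a column grant reaches it. `if !set.empty?` reads better as `unless set.empty?`. The `set.empty?` guard also skips `mysql_flush` when the tables_priv arm above issued only a REVOKE; GRANT and REVOKE take effect without a flush so that is harmless, but a one-line comment saying so (`# GRANT/REVOKE need no FLUSH PRIVILEGES; only the Y/N UPDATEs do`) would stop someone "fixing" it.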
From: Micah Anderson Date: Mon, 16 Jan 2012 15:48:31 -0500 Subject: fix missing end --- lib/puppet/provider/mysql_grant/mysql.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index e1bdc07..5652cf4 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -108,6 +108,7 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do end if name[:type] == :column fields << :column + end not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty? end @@ -200,8 +201,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do all_privs = MYSQL_TABLE_PRIVS when :column stmt = 'update columns_priv set ' - where = ' where user="%s" and host="%s" and Db="%s" and Table="%s"' % [ name[:user], name[:host], name[:db], name[:table] ] - all_privs = MYSQL_DB_PRIVS + where = ' where user="%s" and host="%s" and Db="%s" and Table_name="%s"' % [ name[:user], name[:host], name[:db], name[:table_name] ] + all_privs = MYSQL_COLUMN_PRIVS end if privs[0] == :all @@ -220,6 +221,7 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do #puts "set:", set stmt = stmt << set << where + #puts "stmt:", stmt if !set.empty? mysql "mysql", "-Be", stmt -- cgit v1.2.3 From 60bb96c9a1f6ced4e8435c6edafca0d1bc1a783a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 22 Jan 2012 23:48:33 -0500 Subject: add the trigger privilege to the list of potential MYSQL_USER_PRIVS --- lib/puppet/provider/mysql_grant/mysql.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 5652cf4..bcf8d6c 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb 
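Review bot: Switching the column arm to MYSQL_COLUMN_PRIVS fixes the list but keeps the `update columns_priv set ... = 'Y'` shape, and columns_priv, like tables_priv, keeps its privileges in a single `Column_priv` SET rather than per-privilege Y/N columns (the reason commit 7f10702 moved table grants to GRANT/REVOKE), so this UPDATE names columns that do not exist. The arm needs the same REVOKE/GRANT construction as `:tables_priv`, with the privilege list given as `SELECT (column)` style items, or at least a comment marking it as not yet functional. Separately, split_name still returns `:type => :table` for the eight-capture case, so this arm is unreachable; that is the thing to fix first. The method's start and end are outside the hunk.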
@@ -11,7 +11,7 @@ MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, :show_db_priv, :super_priv, :create_tmp_table_priv, :lock_tables_priv, :execute_priv, :repl_slave_priv, :repl_client_priv, :create_view_priv, :show_view_priv, :create_routine_priv, :alter_routine_priv, - :create_user_priv + :create_user_priv, :trigger_priv ] MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, -- cgit v1.2.3 From 32fdce32d9e90bd5a658b59c7ca5fe295412f0ae Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Apr 2012 13:42:11 -0400 Subject: add note to README about mysql::server::account_security removing accounts by default, and how to get around it --- README | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README b/README index e48a840..a25edf7 100644 --- a/README +++ b/README @@ -16,6 +16,15 @@ installed, specifically it must have nagios::plugin::deploy functionality. You will need to have activated storedconfigs on the puppetmaster. +Special Notes +============= + +By using this module, the following users will be automatically removed, if they +exist: "root@${fqdn}", "root@127.0.0.1", "@${fqdn}", "@localhost", "@%" + +If you require any of these, you can subclass class +mysql::server::account_security to override this. + Mysql Server ============ -- cgit v1.2.3 From a55ce915da835e23b24054aa493d756f85f3b60d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Apr 2012 17:47:13 -0400 Subject: switch hiera to pull its variables in parameterized classes instead of inline in the manifest --- manifests/client.pp | 6 +++--- manifests/server.pp | 48 +++++++++++++++++++++-------------------- manifests/server/base.pp | 13 ++++++----- manifests/server/cron/backup.pp | 40 ++++++++++++++++++---------------- manifests/server/nagios.pp | 48 +++++++++++++++++++++-------------------- 5 files changed, 82 insertions(+), 73 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 8d2280f..005d8e8 100644 
--- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,12 +1,12 @@ -class mysql::client { +class mysql::client ( $use_shorewall = hiera('use_shorewall',false) { case $::operatingsystem { debian: { include mysql::client::debian } default: { include mysql::client::base } } - if hiera('use_shorewall',false) { + if $use_shorewall { include shorewall::rules::out::mysql } - + } diff --git a/manifests/server.pp b/manifests/server.pp index 964d7cb..3ea038b 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,27 +1,29 @@ -class mysql::server { +class mysql::server ( + $use_munin = hiera('use_nagios',false), + $use_shorewall = hiera('use_shorewall',false) +) { + case $::operatingsystem { + gentoo: { include mysql::server::gentoo } + centos: { include mysql::server::centos } + debian: { include mysql::server::debian } + default: { include mysql::server::base } + } - case $::operatingsystem { - gentoo: { include mysql::server::gentoo } - centos: { include mysql::server::centos } - debian: { include mysql::server::debian } - default: { include mysql::server::base } - } + if $use_munin { + case $::operatingsystem { + debian: { include mysql::server::munin::debian } + default: { include mysql::server::munin::default } + } + } - if hiera('use_munin',false) { - case $::operatingsystem { - debian: { include mysql::server::munin::debian } - default: { include mysql::server::munin::default } - } - } + if $use_nagios { + case $nagios_check_mysql { + false: { info("We don't do nagioschecks for mysql on ${::fqdn}" ) } + default: { include mysql::server::nagios } + } + } - if hiera('use_nagios',false) { - case hiera('nagios_check_mysql',false) { - false: { info("We don't do nagioschecks for mysql on ${::fqdn}" ) } - default: { include mysql::server::nagios } - } - } - - if hiera('use_shorewall',false) { - include shorewall::rules::mysql - } + if $use_shorewall { + include shorewall::rules::mysql + } } 
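Review bot: `case $nagios_check_mysql` replaces the old `hiera('nagios_check_mysql',false)` lookup but no `$nagios_check_mysql` parameter is declared, and `$use_nagios` is referenced without being declared either; the follow-up commit 27773b8 adds `$use_nagios` but still leaves `$nagios_check_mysql` unresolved, so it evaluates to undef, the `false:` arm presumably stops matching, and `mysql::server::nagios` is included on every node with use_nagios set (how this Puppet version treats undef in a case is not visible here). Add `$nagios_check_mysql = hiera('nagios_check_mysql',false),` to the parameter list. The client.pp hunk on this line is also missing the closing parenthesis of its parameter list, as the later "fix another trivial syntax error" commit notes.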
diff --git a/manifests/server/base.pp b/manifests/server/base.pp index 75f5725..529696f 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -1,4 +1,7 @@ -class mysql::server::base { +class mysql::server::base( + $mysql_backup_cron = hiera('mysql_backup_cron', false), + $mysql_optimize_cron = hiera('mysql_optimize_cron', false) +) { package { mysql-server: ensure => present, } @@ -57,12 +60,12 @@ class mysql::server::base { refreshonly => true, } - if hiera('mysql_backup_cron',false) { - include mysql::server::cron::backup + if ($mysql_backup_cron) { + include mysql::server::cron::backup } - if hiera('mysql_optimize_cron',false) { - include mysql::server::cron::optimize + if $mysql_optimize_cron) { + include mysql::server::cron::optimize } service { 'mysql': diff --git a/manifests/server/cron/backup.pp b/manifests/server/cron/backup.pp index 4b5c3e5..b105f1b 100644 --- a/manifests/server/cron/backup.pp +++ b/manifests/server/cron/backup.pp 
@@ -1,22 +1,24 @@ -class mysql::server::cron::backup { - $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql') - case hiera('mysql_manage_backup_dir',true) { - false: { info("We don't manage the mysql_backup_dir") } - default: { - file { 'mysql_backup_dir': - path => hiera('mysql_backup_dir','/var/backups/mysql'), - ensure => directory, - before => Cron['mysql_backup_cron'], - owner => root, group => 0, mode => 0700; - } - } - } +class mysql::server::cron::backup ( + $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql'), + $mysql_manage_backup_dir = hiera('mysql_manage_backup_dir',true) +) { + case $mysql_manage_backup_dir { + false: { info("We don't manage the mysql_backup_dir") } + default: { + file { 'mysql_backup_dir': + path => $mysql_backup_dir, + ensure => directory, + before => Cron['mysql_backup_cron'], + owner => root, group => 0, mode => 0700; + } + } + } - cron { 'mysql_backup_cron': - command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz", - user => 'root', - minute => 0, - hour => 1, - require => [ Exec['mysql_set_rootpw'], File['mysql_root_cnf'] ], + cron { 'mysql_backup_cron': + command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz", + user => 'root', + minute => 0, + hour => 1, + require => [ Exec['mysql_set_rootpw'], File['mysql_root_cnf'] ], } } diff --git a/manifests/server/nagios.pp b/manifests/server/nagios.pp index 26644db..40bd0ee 100644 --- a/manifests/server/nagios.pp +++ b/manifests/server/nagios.pp 
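Review bot: The re-indented cron command still writes the dump with `gzip > ${mysql_backup_dir}/mysqldump.sql.gz` under the cron process's default umask and only afterwards runs `chmod 600`, so there is a window in which the full-database dump is readable by anyone who can read the directory; with `mysql_manage_backup_dir` now a parameter that can be set to false, the directory mode is entirely the caller's, which makes that window real rather than theoretical. Prefixing the command with `umask 077 && ` closes it regardless of directory mode. A comment on the parameter stating that an unmanaged directory must be root-only readable would make the expectation explicit, e.g. `# when false, the caller is responsible for keeping $mysql_backup_dir root-only (0700)`. `${mysql_backup_dir}` is also unquoted inside the command, so a path containing whitespace breaks the pipeline.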
@@ -1,28 +1,30 @@ # manifests/server/nagios.pp -class mysql::server::nagios { - # Flip this variable if you need to check MySQL through check_ssh or check_nrpe, - # in that case you will have to manually define nagios::service::mysql - if (hiera('nagios_mysql_notcp',false) != true) { - $nagios_mysql_user = 'nagios@%' - nagios::service::mysql { 'connection-time': - check_hostname => $::fqdn, - require => Mysql_grant[$nagios_mysql_user], - } - } - else { - $nagios_mysql_user = 'nagios@localhost' - } +class mysql::server::nagios ( + $nagios_mysql_notcp = hiera('nagios_mysql_notcp',false) +) { + # Flip this variable if you need to check MySQL through check_ssh or check_nrpe, + # in that case you will have to manually define nagios::service::mysql + if ($nagios_mysql_notcp != true) { + $nagios_mysql_user = 'nagios@%' + nagios::service::mysql { 'connection-time': + check_hostname => $::fqdn, + require => Mysql_grant[$nagios_mysql_user], + } + } + else { + $nagios_mysql_user = 'nagios@localhost' + } - mysql_user{$nagios_mysql_user: - password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'), - require => Package['mysql'], - } + mysql_user{$nagios_mysql_user: + password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'), + require => Package['mysql'], + } - # repl_client_priv is needed to check the replication slave status - # modes: slave-lag, slave-io-running and slave-sql-running - mysql_grant{$nagios_mysql_user: - privileges => [ 'select_priv', 'repl_client_priv' ], - require => [ Mysql_user[$nagios_mysql_user], Package['mysql'] ], - } + # repl_client_priv is needed to check the replication slave status + # modes: slave-lag, slave-io-running and slave-sql-running + mysql_grant{$nagios_mysql_user: + privileges => [ 'select_priv', 'repl_client_priv' ], + require => [ Mysql_user[$nagios_mysql_user], Package['mysql'] ], + } } -- cgit v1.2.3 From 27773b88a5bb848a5eda3e4f0246d4e71a9eddbd Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 11 Apr 2012 12:59:33 -0400 Subject: fix $use_munin hiera check to be use_munin instead of incorrect use_nagios add $use_nagios hiera check --- manifests/server.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index 3ea038b..4245ef7 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,5 +1,6 @@ class mysql::server ( - $use_munin = hiera('use_nagios',false), + $use_munin = hiera('use_munin',false), + $use_nagios = hiera('use_nagios',false), $use_shorewall = hiera('use_shorewall',false) ) { case $::operatingsystem { -- cgit v1.2.3 From a30637ad2e825e62c004364e23811643e711ab28 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Apr 2012 11:30:36 -0400 Subject: fix syntax error --- manifests/server/base.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/server/base.pp b/manifests/server/base.pp index 529696f..fea7a3f 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -60,11 +60,11 @@ class mysql::server::base( refreshonly => true, } - if ($mysql_backup_cron) { + if $mysql_backup_cron { include mysql::server::cron::backup } - if $mysql_optimize_cron) { + if $mysql_optimize_cron { include mysql::server::cron::optimize } -- cgit v1.2.3 From 9e22feaca0cd1139611cecc3ee9a88ef5d06cc7a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Apr 2012 11:36:09 -0400 Subject: fix another trivial syntax error --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index 005d8e8..47f522f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,4 +1,4 @@ -class mysql::client ( $use_shorewall = hiera('use_shorewall',false) { +class mysql::client ( $use_shorewall = hiera('use_shorewall',false) ) { case $::operatingsystem { debian: { include mysql::client::debian } -- cgit v1.2.3 
From 9db98da33c10a6cfac0867b9ae56ba15c32c46bf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Apr 2012 13:26:57 -0400 Subject: fix trocla function lookup in template, without this, you get: err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to parse template mysql/root/my.cnf.erb: undefined method `function_trocla' for # at /etc/puppet/modules/mysql/manifests/server/base.pp:50 on node --- templates/root/my.cnf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/root/my.cnf.erb b/templates/root/my.cnf.erb index fbc8a0e..26ced1e 100644 --- a/templates/root/my.cnf.erb +++ b/templates/root/my.cnf.erb @@ -1,4 +1,4 @@ [client] user=root host=localhost -password=<%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %> +password=<%= Puppet::Parser::Functions.function('trocla');'' %><%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %> -- cgit v1.2.3 From 9465f48a6560f7d263931ec08618699dc44321f3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Jun 2012 15:47:24 -0400 Subject: 2.7 underscore rename: site-mysql --- manifests/server/base.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/server/base.pp b/manifests/server/base.pp index fea7a3f..82d4b6a 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp 
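Review bot: The `Puppet::Parser::Functions.function('trocla');''` prelude is a load-the-function trick whose purpose lives only in the commit message; a reader of the template sees two ERB tags and a stray empty-string expression. An ERB comment in front of it keeps the reason with the code, e.g. `<%# force the trocla parser function to load before scope.function_trocla is called; without it the template fails with undefined method function_trocla %>`. This template renders the MySQL root password in clear text, and the mode of the file resource that writes it is not in this hunk; worth confirming it is root-only readable.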
@@ -8,10 +8,10 @@ class mysql::server::base( file { 'mysql_main_cnf': path => '/etc/mysql/my.cnf', source => [ - "puppet:///modules/site-mysql/${::fqdn}/my.cnf", - "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}", - "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}", - "puppet:///modules/site-mysql/my.cnf", + "puppet:///modules/site_mysql/${::fqdn}/my.cnf", + "puppet:///modules/site_mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/site_mysql/my.cnf.${::operatingsystem}", + "puppet:///modules/site_mysql/my.cnf", "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}", "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}", "puppet:///modules/mysql/config/my.cnf" -- cgit v1.2.3
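Review bot: One of the renamed source paths interpolates `{lsbdistcodename}` without the `$`, so Puppet emits the literal text `{lsbdistcodename}` and the per-codename override file can never be found; the unchanged `puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}` line in the context has the same typo. Use `"puppet:///modules/site_mysql/my.cnf.${::operatingsystem}.${::lsbdistcodename}",` and the equivalent for the mysql/config line.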