THREESCALE-10279 - Use a non-root user for built-in MySQL and PostgreSQL DBs + Secret Update #952
base: master
I left a few comments but I was unable to complete the verification steps because the installation never completed for both fresh install and upgrade scenarios. Something is blocking the apicast-production Deployment from becoming healthy (this is also what caused the e2e test to fail). I'll continue to debug and will report back if I find the root cause.
Thank you for the review @carlkyrillos. Hope I addressed your comments. Also - I removed the Root password (I asked in chat for people's opinion, waiting, but I see that it's not in use). Also I added Validation logs and notes for the External MySql test. Thank you
@MStokluska, thanks very much for the external Mysql process explanation. I retested and added logs and notes to the Validation section.
Looks like requirements changed. Waiting.
/retest
@valerymo: The following test failed, say
Jira: https://issues.redhat.com/browse/THREESCALE-10279
Use a non-root user by default for built-in MySQL and PostgreSQL DBs
DB_USER and DB_PASSWORD were removed from system-database secret
It was decided to move this PR/Task to 2.16
New Jira opened for 2.15, for Documentation update to change Mysql User privileges from Select to ALL - https://issues.redhat.com/browse/THREESCALE-10938
Validation
Retesting 02.Apr
INTERNAL DB
`system`.* TO `mysql`@`%`, 3scale tables populated in system db
EXTERNAL DB
Previous validation
What was done for validation (briefly):
User test1 was created in the initial installation, to check login with this user after upgrade.
3scale Upgrade - MySql Test
Check Initial 3scale installation
=============
DB_USER:
$ echo bXlzcWw= |base64 -d
mysql
URL:
$ echo bXlzcWwyOixxxx |base64 -d
mysql2://root:wxxxxx0@system-mysql/system
Login to mysql as root:
Add user test1 to initial installation
We will try login with this user after upgrade
*** UPGRADE 3scale ****
Update Catalog source - upgrade will be executed
Note that mysql deployment and secret are not updated after Upgrade:
$ oc rollout history deployment.apps/system-mysql
deployment.apps/system-mysql
REVISION CHANGE-CAUSE
1
$ oc get secret system-database -oyaml
apiVersion: v1
data:
DB_PASSWORD: ZzJMaxxx
DB_USER: bXlxxx
URL: bXlzcWwyOixxxxx
kind: Secret
.....
type: Opaque
$ oc get pod |grep mysql
system-mysql-d7dbf74c7-qz6vg 1/1 Running 0 13m
$ oc rsh system-mysql-d7dbf74c7-qz6vg
sh-4.2$ mysql -u root
Welcome....
....
mysql> use mysql;
Database changed
mysql> select user from user;
+------------------+
| user             |
+------------------+
| mysql            |
| root             |
.....
| test1            |
+------------------+
7 rows in set (0.00 sec)
mysql>
Notes - it was found that it is not enough to roll out the deployment (kubectl rollout restart deployment/system-mysql), as the pod had error CreateContainerConfigError
NO Password
NOTE - Password of the mysql user changed, it differs from the initial installation.
Password should be taken from URL in secret:
login:
NOTE. Update of deployment and secret - required. Update order:
oc delete deploy system-mysql
oc edit secret system-database : delete fields DB_USER and DB_PASSWORD
3scale Upgrade - Postgres Test
Upgrade
check secret and deploy / pod
delete deployment:
results:
- secret - not changed;
URL (after decryption): postgresql://system:XXXXXXy@system-postgresql/system
base64:
Notes: behavior differs from MySql, because Postgres used the "system" user, and there is no change of this user in the PR
- pod is recreated successfully
NOTE. Update of deployment and secret - required. Update order:
oc delete deploy system-postgresql
oc edit secret system-database : delete fields DB_USER and DB_PASSWORD
NOTEs for Upgrade. Update of deployment and secret - required after Upgrade. Update order:
oc delete deploy system-postgresql
oc delete deploy system-mysql
oc edit secret system-database : delete fields DB_USER and DB_PASSWORD
External MySql DB Validation
To Create external Mysql db for Test
create project mysql-test
run:
oc new-app -e MYSQL_USER=admin -e MYSQL_PASSWORD=12345 -e MYSQL_DATABASE=system registry.redhat.io/rhscl/mysql-56-rhel7
Secret:
Grant limited permission to user and check remote connection
mysql> show grants for test1;
+------------------------------------------------------------------------------------------------------+
| Grants for test1@%                                                                                   |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'%' IDENTIFIED BY PASSWORD '00A51F3F48415C7D4E8908980D443C29C69B60C9' |
| GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO 'test1'@'%'                                             |
+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Result: Error in system-app-pre job - connected but can't create mysql (?? trying to create). Need to provide ALL PRIVILEGES to the user to allow remote connection and operation.
NOTES Please note that ALL PRIVILEGES for a User on a specific DB is not the same as Root privileges.
Grant ALL PRIVILEGES ON mysql DB for test user
mysql> GRANT ALL PRIVILEGES ON mysql.* to test1;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for test1;
+------------------------------------------------------------------------------------------------------+
| Grants for test1@%                                                                                   |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'%' IDENTIFIED BY PASSWORD '00A51F3F48415C7D4E8908980D443C29C69B60C9' |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'test1'@'%'                                                     |
+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Result - Successful. Connected and 3scale tables created
Check if User and DB do not exist
change URL:
URL: mysql2://test2:12345@mysql-56-rhel7.mysql-test.svc.cluster.local/testdb2
Mysql2::Error::ConnectionError: Access denied for user 'test2'@'10.130.2.41' (using password: YES)
mysql> SELECT create_time
-> FROM information_schema.tables
-> WHERE table_schema = 'mysql'
-> AND table_name = 'oidc_configurations';
+---------------------+
| create_time |
+---------------------+
| 2024-03-26 07:18:32 |
+---------------------+
1 row in set (0.01 sec)
mysql>
Recheck with one more User
mysql> create user test2 identified by '12345';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON mysql.* to test2;
Query OK, 0 rows affected (0.00 sec)
URL in secret
URL: mysql2://test2:12345@mysql-56-rhel7.mysql-test.svc.cluster.local/mysql
Job logs
Check if any table was updated after user test2 connection
We can see that no 3scale tables were updated after the second user connection
Summary
- ALL PRIVILEGES grants are needed to connect to remote MySQL
- system-database secret is created by user/customer, and contains a URL similar to below: URL: mysql2://test2:test2password@<HOST>/mysql
- system-database secret does not contain the obsolete fields DB_USER and DB_PASSWORD.
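The post-upgrade checks described in this PR (obsolete DB_USER/DB_PASSWORD keys removed from the system-database secret, connection URL not using root) as an added shell example; this is not code from the PR or the operator, the secret contents and passwords are constructed placeholders, and the function and variable names are this example's own.

```shell
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print the decoded value of one key in the Secret's data: section (empty if the key is absent).
# Works on the YAML shape that `oc get secret system-database -o yaml` prints.
secret_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1 | base64 -d 2>/dev/null
}

# Extract USER from scheme://USER:PASSWORD@HOST/DB (mysql2:// and postgresql:// URLs alike).
db_url_user() {
  printf '%s' "$1" | sed -e 's#^[a-z0-9]*://##' -e 's#[:@].*$##'
}

# Return 0 when the Secret has the post-PR shape, 1 (with the reason on stdout) otherwise.
check_system_database_secret() {
  yaml=$1
  for key in DB_USER DB_PASSWORD; do
    if printf '%s\n' "$yaml" | grep -q "^[[:space:]]*$key:"; then
      echo "obsolete key $key present; remove it with: oc edit secret system-database"
      return 1
    fi
  done
  url=$(secret_field "$yaml" URL)
  if [ -z "$url" ]; then echo "URL key missing"; return 1; fi
  if [ "$(db_url_user "$url")" = root ]; then
    echo "URL connects as root; use a dedicated database user such as mysql or system"
    return 1
  fi
  echo "ok: connects as $(db_url_user "$url")"
}

# Constructed samples: a pre-upgrade Secret (root URL plus obsolete keys) and the cleaned-up form.
# Passwords are placeholders, not values from any real installation.
SECRET_BEFORE="apiVersion: v1
data:
  DB_PASSWORD: $(b64 'placeholder-pw')
  DB_USER: $(b64 'mysql')
  URL: $(b64 'mysql2://root:placeholder-pw@system-mysql/system')
kind: Secret
type: Opaque"
SECRET_AFTER="apiVersion: v1
data:
  URL: $(b64 'mysql2://mysql:placeholder-pw@system-mysql/system')
kind: Secret
type: Opaque"

check_system_database_secret "$SECRET_BEFORE" || true   # reports the obsolete DB_USER key
check_system_database_secret "$SECRET_AFTER"             # ok: connects as mysql
```

To check a live cluster, feed `oc get secret system-database -o yaml` into `check_system_database_secret` instead of the constructed samples.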