vvraskin commented on a change in pull request #3876: Use separate db users for 
deployed components.
URL: 
https://github.com/apache/incubator-openwhisk/pull/3876#discussion_r203640564
 
 

 ##########
 File path: ansible/tasks/db/grantPermissions.yml
 ##########
 @@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more 
contributor
+# license agreements; and to You under the Apache License, Version 2.0.
+---
+# Grant the specified users permissions to the specified database.
+# dbName - name of the database
+# admins - all users with admin access
+# readers - all users that have read access on the database
+# writers - all users that have write access on the database
+
+# If a component uses admin credentials, the admin user will not be added to 
the list (as it already has all access rights).
+- set_fact:
+    readerList: "{{ readers | default([]) | 
difference([db.credentials.admin.user]) }}"
+    writerList: "{{ writers | default([]) | 
difference([db.credentials.admin.user]) }}"
+    adminList: "{{ admins | default([]) | 
difference([db.credentials.admin.user]) }}"
+
+# http://docs.couchdb.org/en/2.0.0/api/database/security.html
+- name: grant permissions for CouchDB
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName 
}}/_security"
+    method: PUT
+    status_code: 200
+    body_format: json
+    body: |
+      {
+        "admins": {
+          "names": [ {{ adminList | join('", "') }} ],
+          "roles": []
+        },
+        "members": {
+          "names": [ "{{ readerList | union(writerList) | join('", "') }}" ],
+          "roles": []
+        }
+      }
+    user: "{{ db.credentials.admin.user }}"
+    password: "{{ db.credentials.admin.pass }}"
+    force_basic_auth: yes
+  when: db.provider == 'CouchDB'
+
+# 
https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization
+- name: grant permissions for Cloudant
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName 
}}/_security"
+    method: PUT
+    status_code: 200
+    body_format: json
+    body: |
+      {
+        "cloudant": {
+          {% for item in readerList | union(writerList) | union(adminList) 
%}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList 
%}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif 
%} ], {% endfor %}
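Review bot: The nested `{% if %}` chain in the Cloudant loop at the end of the hunk grants `_writer` only to a name that is also in readerList, and `_admin` only to a name that is in all three lists, so a writer-only or admin-only user is rendered with an empty role array and silently gets no access; the three conditions should be independent, and the loop should also drop the trailing `, ` after the last entry (how the `cloudant` object is closed lies outside the quoted hunk, so this may already be handled there). The CouchDB body has the mirror problem: `"names": [ {{ adminList | join('", "') }} ]` lacks the surrounding quotes that the members line has, so any non-empty adminList renders invalid JSON and the PUT fails the `status_code: 200` check, while an empty reader/writer union renders `[ "" ]`. Letting Ansible serialize the lists is shorter and also escapes user names correctly: `"names": {{ adminList | to_json }},` and `"names": {{ readerList | union(writerList) | to_json }},`. Be aware that, per the linked CouchDB docs, a `members` block with no names and no roles appears to make the database readable by every authenticated user, so if an empty union is never intended the task should fail instead of applying it.
```yaml
        "cloudant": {
          {% for item in readerList | union(writerList) | union(adminList) %}
          "{{ item }}": {{ ((['_reader'] if item in readerList else [])
                           + (['_writer'] if item in writerList else [])
                           + (['_admin'] if item in adminList else [])) | to_json }}{{ ',' if not loop.last else '' }}
          {% endfor %}
```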
 
 Review comment:
   👍 
