Yuvipanda has submitted this change and it was merged.
Change subject: labstore: Followup to I90dc98401b89e769fa058943e3714e383dfe25ea
......................................................................
labstore: Followup to I90dc98401b89e769fa058943e3714e383dfe25ea
- Make sure replica.my.cnf permissions are set properly
- Protect against symlink following
- Add more debugging information
Bug: T104453
Change-Id: I1a69d92cac4bfdd7defb565e6ec75ea0aa930a53
---
M modules/labstore/files/create-dbusers
1 file changed, 29 insertions(+), 9 deletions(-)
Approvals:
Yuvipanda: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/labstore/files/create-dbusers
b/modules/labstore/files/create-dbusers
index b1329a0..244deda 100755
--- a/modules/labstore/files/create-dbusers
+++ b/modules/labstore/files/create-dbusers
@@ -21,6 +21,7 @@
import string
import random
import configparser
+import io
class User:
@@ -58,6 +59,17 @@
return users
+ def write_user_file(self, path, content):
+ try:
+ f = os.open(path, os.O_CREAT | os.O_WRONLY)
+ os.write(f, content.encode('utf-8'))
+ # uid == gid
+ os.fchown(f, self.uid, self.uid)
+ os.fchmod(f, 0o400)
+ finally:
+ if f:
+ os.close(f)
+
class CredentialCreator:
PASSWORD_LENGTH = 16
@@ -79,6 +91,20 @@
return ''.join(sysrandom.sample(
CredentialCreator.PASSWORD_CHARS,
CredentialCreator.PASSWORD_LENGTH))
+
+ def write_credentials_file(self, path, user):
+ password = self._generate_pass()
+ replica_config = configparser.ConfigParser()
+ replica_config['client'] = {
+ 'user': user.db_username,
+ 'password': password
+ }
+ self.create_user(user, password)
+ # Because ConfigParser can only write to a file
+ # and not just return the value as a string directly
+ replica_buffer = io.StringIO()
+ replica_config.write(replica_buffer)
+ sg.write_user_file(replica_path, replica_buffer.getvalue())
def check_user_exists(self, user):
exists = True
@@ -106,6 +132,7 @@
user_pass=password
)
cur.execute(sql)
+ logging.info('Created user %s in %s', user.db_username,
conn.host)
finally:
cur.close()
@@ -150,15 +177,8 @@
if not cgen.check_user_exists(sg):
# No replica.my.cnf and no user in db
# Generate new creds and put them in there!
- password = cgen._generate_pass()
- replica_config = configparser.ConfigParser()
- replica_config['client'] = {
- 'user': sg.db_username,
- 'password': password
- }
- cgen.create_user(sg, password)
- with open(replica_path, 'w') as f:
- replica_config.write(f)
+ logging.info('Creating DB accounts for %s with db username
%s', sg.name, sg.db_username)
+ cgen.write_credentials_file(replica_path, sg)
logging.info("Created replica.my.cnf for %s, with username
%s", sg.name, sg.db_username)
else:
logging.info('Missing replica.my.cnf for user %s despite
grants present in db', sg.name)
--
To view, visit https://gerrit.wikimedia.org/r/227413
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I1a69d92cac4bfdd7defb565e6ec75ea0aa930a53
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
