Jcrespo has submitted this change and it was merged.
Change subject: Revoke iron access; add salt-masters access for mysql management
......................................................................
Revoke iron access; add salt-masters access for mysql management
Add to neodymium and sarin the new role "mariadb::client", to
use as a center of operations for mysql remote execution (like
salt, but using the command line).
This will modify the current servers to add:
* the mysql client package
* extra mysql client utilities, like percona-toolkit
* required configuration providing access to all mysql servers
In consequence, iron will be revoked access to all mysql servers.
Change-Id: I2feb482c0cd15dcb89f5c19e173b08c0fd9f134c
---
M manifests/role/mariadb.pp
M manifests/site.pp
M templates/mariadb/production-grants.sql.erb
3 files changed, 25 insertions(+), 6 deletions(-)
Approvals:
Jcrespo: Looks good to me, approved
ArielGlenn: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/manifests/role/mariadb.pp b/manifests/role/mariadb.pp
index 4d732fd..212f9d0 100644
--- a/manifests/role/mariadb.pp
+++ b/manifests/role/mariadb.pp
@@ -845,3 +845,18 @@
tendril_password => $passwords::tendril::db_pass,
}
}
+
+# hosts with client utilities to conect to remote servers
+class role::mariadb::client {
+ include mysql
+ include passwords::misc::scripts
+
+ class { 'mariadb::config':
+ password => $passwords::misc::scripts::mysql_root_pass,
+ ssl => 'on',
+ }
+
+ package { 'percona-toolkit':
+ ensure => latest,
+ }
+}
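Review bot: `ensure => latest` on the `percona-toolkit` package in `role::mariadb::client` lets any Puppet run upgrade the toolkit to whatever newer version the configured repositories offer, on hosts that are also handed `$passwords::misc::scripts::mysql_root_pass`. Prefer `ensure => present` (or a pinned version) so upgrades of tooling that runs with database root are deliberate. The class comment also has a typo ("conect") and could state that the role installs the root client configuration, since that is the security-relevant effect of including it.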
diff --git a/manifests/site.pp b/manifests/site.pp
index e6274e4..b018252 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -2147,7 +2147,8 @@
# salt master
node 'neodymium.eqiad.wmnet' {
- role salt::masters::production, deployment::salt_masters,
debdeploy::master, ipmi, access_new_install
+ role salt::masters::production, deployment::salt_masters,
+ debdeploy::master, ipmi, access_new_install, mariadb::client
include standard
}
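Review bot: The role line for neodymium now places `mariadb::client` alongside `salt::masters::production`, `deployment::salt_masters`, `debdeploy::master`, `ipmi` and `access_new_install`, so this single host holds salt master control and, per the grants template in this change, `ALL PRIVILEGES ON *.*` with `GRANT OPTION` for 'root'@'10.64.32.20'. If that concentration is intended, record it in the node comment, which still reads only "# salt master", and check that shell access to this host is limited to the people who are meant to hold database root.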
@@ -2342,7 +2343,7 @@
# salt master fallback
node 'sarin.codfw.wmnet' {
- role salt::masters::production
+ role salt::masters::production, mariadb::client
include standard
}
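Review bot: The node comment for sarin still says "# salt master fallback" although the role line now adds `mariadb::client`; update the comment so a reader of site.pp can see that this node also carries the mysql root client configuration.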
diff --git a/templates/mariadb/production-grants.sql.erb
b/templates/mariadb/production-grants.sql.erb
index b803172..78df918 100644
--- a/templates/mariadb/production-grants.sql.erb
+++ b/templates/mariadb/production-grants.sql.erb
@@ -9,15 +9,18 @@
ON ''@'%' TO 'root'@'localhost'
WITH GRANT OPTION;
--- Grants for 'root'@'208.80.154.151' (iron)
+-- Grants for 'root'@'10.64.32.20' (neodymium)
GRANT ALL PRIVILEGES
- ON *.* TO 'root'@'208.80.154.151'
+ ON *.* TO 'root'@'10.64.32.20'
IDENTIFIED BY '<%= @root_pass %>'
WITH GRANT OPTION;
-GRANT PROXY
- ON ''@'%' TO 'root'@'208.80.154.151'
+-- Grants for 'root'@'10.192.0.140' (sarin)
+
+GRANT ALL PRIVILEGES
+ ON *.* TO 'root'@'10.192.0.140'
+ IDENTIFIED BY '<%= @root_pass %>'
WITH GRANT OPTION;
-- Grants for 'nagios'@'localhost' (icinga)
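Review bot: Removing the `GRANT ALL PRIVILEGES` and `GRANT PROXY` statements for 'root'@'208.80.154.151' only stops the template from re-creating that account; a file of GRANT statements does not take privileges away, and the hunk adds no `DROP USER` or `REVOKE`, so on servers where the old grant was already applied iron keeps root until the account is removed separately. Add an explicit `DROP USER 'root'@'208.80.154.151'` step or document the manual cleanup in the commit message. The two new grants also carry no `REQUIRE SSL`, so nothing in these statements makes the server refuse an unencrypted connection for these root accounts even though `role::mariadb::client` sets `ssl => 'on'`; adding `REQUIRE SSL` before `WITH GRANT OPTION` would enforce it server-side. Finally, the `GRANT PROXY` that iron had is not carried over to either new host; if that is intentional, a line saying so would help.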
--
To view, visit https://gerrit.wikimedia.org/r/275777
Gerrit-MessageType: merged
Gerrit-Change-Id: I2feb482c0cd15dcb89f5c19e173b08c0fd9f134c
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jcrespo <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Jcrespo <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>