Jcrespo has submitted this change and it was merged.

Change subject: Refactor mariadb role to add role mariadb::grants::production
......................................................................


Refactor mariadb role to add role mariadb::grants::production

Aside from the name change from mariadb::grants, they will include
at role level the creation of the /root/.my.cnf file, instead of
it being created at module level.

Roles like wikitech, tendril or labs will have to create their own
file (if needed) separately.

Bug: T146146
Change-Id: Ib418dac723ef2e51d841ff4f37862c16fda7ae60
---
M manifests/role/mariadb.pp
M modules/mariadb
2 files changed, 137 insertions(+), 125 deletions(-)

Approvals:
  Jcrespo: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/role/mariadb.pp b/manifests/role/mariadb.pp
index a3371ed..069df55 100644
--- a/manifests/role/mariadb.pp
+++ b/manifests/role/mariadb.pp
@@ -10,8 +10,14 @@
 }
 
 # root, repl, nagios, tendril, prometheus
-class role::mariadb::grants(
-    $shard = false,
+# WARNING: any root user will have access to these files
+# Do not apply to hosts with users with arbitrary roots
+# or any non-production mysql, such as labs-support hosts,
+# wikitech hosts, etc.
+class role::mariadb::grants::production(
+    $shard    = false,
+    $prompt   = '',
+    $password = 'undefined',
     ) {
 
     include passwords::misc::scripts
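Review bot: The default `$password = 'undefined'` on the new class is an ordinary string, so a caller that omits `password` or passes an undef value still compiles and would presumably get that literal rendered into `/root/.my.cnf` by the template declared later in the class. Declaring the parameter without a default, `$password,`, turns a missing value into a compilation error instead of a silently wrong credential file. The WARNING comment could also state outright that the class writes the root password and the grant SQL to disk, so the reason for the restriction is clear. The class body continues past this hunk.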
@@ -30,33 +36,72 @@
     $tendril_pass    = $passwords::tendril::db_pass
     $prometheus_pass = $passwords::prometheus::db_pass
 
-    # disabled until T146146 is clarified
-    #file { '/etc/mysql/production-grants.sql':
-    #    ensure  => present,
-    #    owner   => 'root',
-    #    group   => 'root',
-    #    mode    => '0400',
-    #    content => template('mariadb/production-grants.sql.erb'),
-    #}
-    #
-    #if $shard {
-    #    $nodepool_pass       = $passwords::nodepool::nodepooldb_pass
-    #    $testreduce_pass     = $passwords::testreduce::mysql::db_pass
-    #    $testreduce_cli_pass = $passwords::testreduce::mysql::mysql_client_pass
-    #    $racktables_user     = $passwords::racktables::racktables_db_user
-    #    $racktables_pass     = $passwords::racktables::racktables_db_pass
-    #    $servermon_pass      = $passwords::servermon::db_password
-    #    $striker_pass        = $passwords::striker::application_db_password
-    #    $striker_admin_pass  = $passwords::striker::admin_db_password
-    #
-    #    file { '/etc/mysql/production-grants-shard.sql':
-    #        ensure  => present,
-    #        owner   => 'root',
-    #        group   => 'root',
-    #        mode    => '0400',
-    #        content => template("mariadb/production-grants-${shard}.sql.erb"),
-    #    }
-    #}
+    file { '/etc/mysql/production-grants.sql':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('mariadb/production-grants.sql.erb'),
+    }
+
+    file { '/root/.my.cnf':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('mariadb/root.my.cnf.erb'),
+    }
+
+    if $shard {
+        $nodepool_pass       = $passwords::nodepool::nodepooldb_pass
+        $testreduce_pass     = $passwords::testreduce::mysql::db_pass
+        $testreduce_cli_pass = $passwords::testreduce::mysql::mysql_client_pass
+        $racktables_user     = $passwords::racktables::racktables_db_user
+        $racktables_pass     = $passwords::racktables::racktables_db_pass
+        $servermon_pass      = $passwords::servermon::db_password
+        $striker_pass        = $passwords::striker::application_db_password
+        $striker_admin_pass  = $passwords::striker::admin_db_password
+
+        file { '/etc/mysql/production-grants-shard.sql':
+            ensure  => present,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0400',
+            content => template("mariadb/production-grants-${shard}.sql.erb"),
+        }
+    }
+}
+
+# wikiadmin, wikiuser
+class role::mariadb::grants::core {
+
+    include passwords::misc::scripts
+
+    $wikiadmin_pass = $passwords::misc::scripts::wikiadmin_pass
+    $wikiuser_pass  = $passwords::misc::scripts::wikiuser_pass
+
+    file { '/etc/mysql/production-grants-core.sql':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('mariadb/production-grants-core.sql.erb'),
+    }
+}
+
+class role::mariadb::grants::wikitech {
+
+    include passwords::misc::scripts
+    $wikiadmin_pass = $passwords::misc::scripts::wikiadmin_pass
+    $keystoneconfig  = hiera_hash('keystoneconfig', {})
+    $oathreader_pass = $keystoneconfig['oath_dbpass']
+
+    file { '/etc/mysql/grants-wikitech.sql':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('mariadb/grants-wikitech.sql.erb'),
+    }
 }
 
 class role::mariadb::ferm {
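Review bot: None of the `file` resources added here (`/etc/mysql/production-grants.sql`, `/root/.my.cnf`, `/etc/mysql/production-grants-shard.sql`, and the moved `grants::core` and `grants::wikitech` files) sets `show_diff => false`, although their templates appear to embed the `*_pass` variables; with diff display enabled on the agents, a content change would copy the rendered secrets into agent logs and reports. Adding `show_diff => false,` to each resource keeps them out of that path. The `/root/.my.cnf` resource also omits `ensure => present,`, unlike its siblings, which is a consistency point only. That the templates contain the passwords is inferred from the variable names, because the templates are not part of this page; `grants::production` begins before this hunk.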
@@ -191,16 +236,16 @@
     }
 
     class { 'mariadb::config':
-        prompt    => "MISC ${shard}",
         config    => 'mariadb/misc.my.cnf.erb',
-        password  => $passwords::misc::scripts::mysql_root_pass,
         datadir   => '/srv/sqldata',
         tmpdir    => '/srv/tmp',
         read_only => $read_only,
     }
 
-    class { 'role::mariadb::grants':
-        shard => $shard,
+    class { 'role::mariadb::grants::production':
+        shard    => $shard,
+        prompt   => "MISC ${shard}",
+        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     class { 'mariadb::heartbeat':
@@ -252,9 +297,7 @@
     }
 
     class { 'mariadb::config':
-        prompt    => "MISC ${shard}",
         config    => 'mariadb/phabricator.my.cnf.erb',
-        password  => $passwords::misc::scripts::mysql_root_pass,
         datadir   => '/srv/sqldata',
         tmpdir    => '/srv/tmp',
         sql_mode  => 'STRICT_ALL_TABLES',
@@ -279,8 +322,10 @@
         content => template('mariadb/phabricator-stopwords.txt.erb'),
     }
 
-    class { 'role::mariadb::grants':
-        shard => $shard,
+    class { 'role::mariadb::grants::production':
+        shard    => $shard,
+        prompt   => "MISC ${shard}",
+        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     class { 'mariadb::heartbeat':
@@ -336,9 +381,7 @@
     }
 
     class { 'mariadb::config':
-        prompt        => "EVENTLOGGING ${shard}",
         config        => 'mariadb/eventlogging.my.cnf.erb',
-        password      => $passwords::misc::scripts::mysql_root_pass,
         datadir       => '/srv/sqldata',
         tmpdir        => '/srv/tmp',
         read_only     => $read_only,
@@ -347,8 +390,10 @@
         binlog_format => 'MIXED',
     }
 
-    class { 'role::mariadb::grants':
-        shard => $shard,
+    class { 'role::mariadb::grants::production':
+        shard    => $shard,
+        prompt   => "EVENTLOGGING ${shard}",
+        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     class { 'mariadb::heartbeat':
@@ -371,11 +416,9 @@
     include passwords::misc::scripts
 
     class { 'mariadb::config':
-        prompt   => 'BETA',
-        config   => 'mariadb/beta.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_beta_root_pass,
-        datadir  => '/mnt/sqldata',
-        tmpdir   => '/mnt/tmp',
+        config  => 'mariadb/beta.my.cnf.erb',
+        datadir => '/mnt/sqldata',
+        tmpdir  => '/mnt/tmp',
     }
 }
 
@@ -391,7 +434,6 @@
     }
 
     include standard
-    include role::mariadb::grants
     include role::mariadb::monitor::dba
     include passwords::misc::scripts
     include role::mariadb::ferm
@@ -408,11 +450,9 @@
     }
 
     class { 'mariadb::config':
-        prompt   => 'TENDRIL',
-        config   => 'mariadb/tendril.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
-        datadir  => '/srv/sqldata',
-        tmpdir   => '/srv/tmp',
+        config  => 'mariadb/tendril.my.cnf.erb',
+        datadir => '/srv/sqldata',
+        tmpdir  => '/srv/tmp',
     }
 }
 
@@ -432,7 +472,12 @@
     }
 
     include standard
-    include role::mariadb::grants
+
+    class { 'role::mariadb::grants::production':
+        password => $passwords::misc::scripts::mysql_root_pass,
+        prompt   => 'DBSTORE',
+    }
+
     include role::mariadb::monitor::dba
     include passwords::misc::scripts
     include role::mariadb::ferm
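Review bot: The `password` argument is evaluated at the point of declaration, which in this hunk sits above `include passwords::misc::scripts` two lines further down. Unless that class has already been evaluated earlier in the catalog, `$passwords::misc::scripts::mysql_root_pass` may resolve to undef here, and the parameter would then fall back to its default `'undefined'`. Moving `include passwords::misc::scripts` above the `class { 'role::mariadb::grants::production': ... }` declaration removes the dependence on evaluation order. `shard` is not passed, so only the unsharded grants file is written; a one-line comment saying that is intended would help. The enclosing class starts and ends outside the hunk.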
@@ -443,13 +488,11 @@
     }
 
     class { 'mariadb::config':
-        prompt   => 'DBSTORE',
-        config   => 'mariadb/dbstore.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
-        datadir  => '/srv/sqldata',
-        tmpdir   => '/srv/tmp',
-        ssl      => 'on',
-        p_s      => 'off',
+        config  => 'mariadb/dbstore.my.cnf.erb',
+        datadir => '/srv/sqldata',
+        tmpdir  => '/srv/tmp',
+        ssl     => 'on',
+        p_s     => 'off',
     }
 
     mariadb::monitor_replication {
@@ -548,39 +591,6 @@
     }
 }
 
-# wikiadmin, wikiuser
-class role::mariadb::grants::core {
-
-    include passwords::misc::scripts
-
-    $wikiadmin_pass = $passwords::misc::scripts::wikiadmin_pass
-    $wikiuser_pass  = $passwords::misc::scripts::wikiuser_pass
-
-    file { '/etc/mysql/production-grants-core.sql':
-        ensure  => present,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0400',
-        content => template('mariadb/production-grants-core.sql.erb'),
-    }
-}
-
-class role::mariadb::grants::wikitech {
-
-    include passwords::misc::scripts
-    $wikiadmin_pass = $passwords::misc::scripts::wikiadmin_pass
-    $keystoneconfig  = hiera_hash('keystoneconfig', {})
-    $oathreader_pass = $keystoneconfig['oath_dbpass']
-
-    file { '/etc/mysql/grants-wikitech.sql':
-        ensure  => present,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0400',
-        content => template('mariadb/grants-wikitech.sql.erb'),
-    }
-}
-
 class role::mariadb::core(
     $shard,
     $ssl           = 'puppet-cert',
@@ -594,8 +604,6 @@
 
     include standard
     include base::firewall
-    include role::mariadb::grants
-    include role::mariadb::grants::core
     include role::mariadb::monitor
     include passwords::misc::scripts
     include role::mariadb::ferm
@@ -633,9 +641,7 @@
 
     # Read only forced on also for the masters of the primary datacenter
     class { 'mariadb::config':
-        prompt           => "PRODUCTION ${shard}",
         config           => 'mariadb/production.my.cnf.erb',
-        password         => $passwords::misc::scripts::mysql_root_pass,
         datadir          => '/srv/sqldata',
         tmpdir           => '/srv/tmp',
         p_s              => 'on',
@@ -643,6 +649,13 @@
         binlog_format    => $binlog_format,
         semi_sync        => $semi_sync,
         replication_role => $mysql_role,
+    }
+
+    include role::mariadb::grants::core
+    class { 'role::mariadb::grants::production':
+        shard    => 'core',
+        prompt   => "PRODUCTION ${shard}",
+        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     $replication_is_critical = ($::mw_primary == $::site)
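Review bot: Passing `shard => 'core'` makes `grants::production` render `mariadb/production-grants-core.sql.erb` into `/etc/mysql/production-grants-shard.sql`, while `include role::mariadb::grants::core` on the line above renders the same template into `/etc/mysql/production-grants-core.sql`. If that template reads `$wikiadmin_pass` and `$wikiuser_pass`, the second copy would be rendered in a scope where the visible lines of `grants::production` do not define them, leaving empty passwords in the generated SQL. Either drop `shard => 'core'` here or add a comment explaining why both files are wanted. The template and part of `grants::production` are not shown, so this needs confirming against them.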
@@ -671,7 +684,6 @@
     }
 
     include standard
-    include role::mariadb::grants
     include passwords::misc::scripts
     class { 'role::mariadb::groups':
         mysql_group => 'labs',
@@ -683,9 +695,7 @@
     }
 
     class { 'mariadb::config':
-        prompt   => 'SANITARIUM',
         config   => 'mariadb/sanitarium.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     ferm::service { 'mysqld_sanitarium':
@@ -764,7 +774,6 @@
     }
 
     include standard
-    include role::mariadb::grants
     include role::mariadb::monitor
     include passwords::misc::scripts
     include role::mariadb::ferm
@@ -780,11 +789,9 @@
     }
 
     class { 'mariadb::config':
-        prompt   => 'LABS',
-        config   => 'mariadb/labs.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
-        datadir  => '/srv/sqldata',
-        tmpdir   => '/srv/tmp',
+        config  => 'mariadb/labs.my.cnf.erb',
+        datadir => '/srv/sqldata',
+        tmpdir  => '/srv/tmp',
     }
 
     file { '/srv/innodb':
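Review bot: Removing `password` from `mariadb::config` here (the beta, tendril and wikitech sections get the same edit) stops Puppet managing `/root/.my.cnf` on these hosts but does not delete it, so a copy written by an earlier run would stay on disk with the old root password. If the aim is to keep that credential off hosts with arbitrary root users, as the WARNING on `grants::production` suggests, the role needs either `file { '/root/.my.cnf': ensure => absent }` or a replacement file of its own. Otherwise a comment such as `# /root/.my.cnf is no longer managed for this role` would save the next reader a search. In the beta section `mysql_beta_root_pass` no longer has a visible consumer. The class body extends beyond the hunk on both sides.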
@@ -819,7 +826,6 @@
     }
 
     include standard
-    include role::mariadb::grants
     include role::mariadb::grants::wikitech
     include role::mariadb::monitor
     include passwords::misc::scripts
@@ -833,11 +839,9 @@
     }
 
     class { 'mariadb::config':
-        prompt   => 'WIKITECH',
-        config   => 'mariadb/wikitech.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
-        datadir  => '/srv/sqldata',
-        tmpdir   => '/srv/tmp',
+        config  => 'mariadb/wikitech.my.cnf.erb',
+        datadir => '/srv/sqldata',
+        tmpdir  => '/srv/tmp',
     }
 
     # mysql monitoring access from tendril (db1011)
@@ -931,7 +935,6 @@
 
     include standard
 
-    include role::mariadb::grants::core
     include role::mariadb::monitor
     include role::mariadb::ferm
     include passwords::misc::scripts
@@ -949,18 +952,19 @@
         mariadb10 => true,
     }
 
-    class { 'role::mariadb::grants':
-        shard => 'parsercache',
+    include role::mariadb::grants::core
+    class { 'role::mariadb::grants::production':
+        shard    => 'parsercache',
+        prompt   => 'PARSERCACHE',
+        password => $passwords::misc::scripts::mysql_root_pass,
     }
 
     class { 'mariadb::config':
-        prompt   => 'PARSERCACHE',
-        config   => 'mariadb/parsercache.my.cnf.erb',
-        password => $passwords::misc::scripts::mysql_root_pass,
-        datadir  => '/srv/sqldata-cache',
-        tmpdir   => '/srv/tmp',
-        ssl      => 'on',
-        p_s      => 'off',
+        config  => 'mariadb/parsercache.my.cnf.erb',
+        datadir => '/srv/sqldata-cache',
+        tmpdir  => '/srv/tmp',
+        ssl     => 'on',
+        p_s     => 'off',
     }
 
     class { 'mariadb::heartbeat':
@@ -1034,8 +1038,16 @@
     include passwords::misc::scripts
 
     class { 'mariadb::config':
-        password => $passwords::misc::scripts::mysql_root_pass,
-        ssl      => 'on',
+        ssl => 'puppet-cert',
+    }
+
+    $password = $passwords::misc::scripts::mysql_root_pass
+    $prompt = 'MARIADB'
+    file { '/root/.my.cnf':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('mariadb/root.my.cnf.erb'),
     }
 
     package {
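Review bot: `$password` and `$prompt` appear to be assigned only so that `mariadb/root.my.cnf.erb` can read them from this scope, which the manifest does not make obvious; a comment above the two assignments, `# root.my.cnf.erb reads $password and $prompt from the enclosing scope`, would document it once confirmed against the template. This `file { '/root/.my.cnf': ... }` repeats the resource declared in `role::mariadb::grants::production`, so applying both classes to one node would fail with a duplicate declaration. The change of `ssl` from `'on'` to `'puppet-cert'` is not mentioned in the commit message. The enclosing class is only partly visible.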
diff --git a/modules/mariadb b/modules/mariadb
index 1b9f13b..43f9a90 160000
--- a/modules/mariadb
+++ b/modules/mariadb
@@ -1 +1 @@
-Subproject commit 1b9f13b11f4f69173a7d73adf5aef165567db6ce
+Subproject commit 43f9a909d8910e6041d29886717cb6ba8c21c58e

-- 
To view, visit https://gerrit.wikimedia.org/r/311752
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib418dac723ef2e51d841ff4f37862c16fda7ae60
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jcrespo <jcre...@wikimedia.org>
Gerrit-Reviewer: Jcrespo <jcre...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
