Elukey has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/364412 )
Change subject: role::mariadb::analytics::custom_repl_slave: add EventLogging cleaner user
......................................................................
role::mariadb::analytics::custom_repl_slave: add EventLogging cleaner user
This user should allow the upcoming eventlogging_cleaner.py script
to authenticate via unix socket domain in localhost to the log
database. The mysql grants are not automatically deployed; they will
need to be added manually to mariadb.
Bug: T170118
Change-Id: I39925ad25eafdce076f8f44ec09865b3c900b4ef
---
M modules/role/manifests/mariadb.pp
M modules/role/templates/mariadb/grants/production-m4.sql.erb
2 files changed, 21 insertions(+), 0 deletions(-)
Approvals:
Marostegui: Looks good to me, but someone else must approve
Elukey: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/role/manifests/mariadb.pp
b/modules/role/manifests/mariadb.pp
index 32bdc0f..fcec982 100644
--- a/modules/role/manifests/mariadb.pp
+++ b/modules/role/manifests/mariadb.pp
@@ -210,6 +210,21 @@
# Only 'replicate' this many rows at a time.
$batch_size = 1000
+ group { 'eventlog':
+ ensure => 'present',
+ system => true,
+ }
+
+ user { 'eventlogcleaner':
+ gid => 'eventlog',
+ shell => '/bin/false',
+ home => '/nonexistent',
+ comment => 'EventLogging cleaner user',
+ system => true,
+ managehome => false,
+ require => Group['eventlog'],
+ }
+
file { '/usr/local/bin/eventlogging_sync.sh':
ensure => present,
owner => 'root',
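Review bot: The new user { 'eventlogcleaner': } resource sets no ensure attribute, while the group { 'eventlog': } directly above it declares ensure => 'present'. Adding ensure => 'present' to the user as well would make the intent explicit and keep the two resources consistent. A short comment above the user would also help: the account has shell '/bin/false' and home '/nonexistent', so it exists only so that the OS user name matches the 'eventlogcleaner'@'localhost' unix_socket grant in production-m4.sql.erb, and saying so here saves the next reader from searching for why it is defined in the MariaDB role.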
diff --git a/modules/role/templates/mariadb/grants/production-m4.sql.erb
b/modules/role/templates/mariadb/grants/production-m4.sql.erb
index d92395a..dddcf01 100644
--- a/modules/role/templates/mariadb/grants/production-m4.sql.erb
+++ b/modules/role/templates/mariadb/grants/production-m4.sql.erb
@@ -23,3 +23,9 @@
GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT,
LOCK TABLES, SELECT, UPDATE
ON `log`.* TO 'eventlog'@'10.64.32.158';
+
+
+-- eventlog script responsible to sanitize/delete sensitive data over time
+
+GRANT ALTER, SELECT, UPDATE
+ ON `log`.* TO 'eventlogcleaner'@'localhost' IDENTIFIED VIA unix_socket;
\ No newline at end of file
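Review bot: The comment on the added grant says the script will "sanitize/delete sensitive data", but the privilege list is ALTER, SELECT, UPDATE with no DELETE, so either the comment or the grant does not match what eventlogging_cleaner.py will do. If the script only nulls columns with UPDATE, drop "delete" from the comment; if it removes rows, DELETE is missing. ALTER on `log`.* also allows schema changes on every table in the database, which is more than sanitizing rows appears to need, so it is worth either removing it or noting in the comment why it is required. Since the commit message says these grants are applied by hand, a mismatch here will be copied straight into production. The file also now ends without a trailing newline.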
--
To view, visit https://gerrit.wikimedia.org/r/364412
Gerrit-MessageType: merged
Gerrit-Change-Id: I39925ad25eafdce076f8f44ec09865b3c900b4ef
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Elukey <[email protected]>
Gerrit-Reviewer: Elukey <[email protected]>
Gerrit-Reviewer: Jcrespo <[email protected]>
Gerrit-Reviewer: Marostegui <[email protected]>
Gerrit-Reviewer: jenkins-bot <>