jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/405244 )
Change subject: phabricator: use a separate database user
......................................................................
phabricator: use a separate database user
Use a user with rights limited to databases starting with "phabricator_"
for the Phabricator service.
Change-Id: Ic4371616d67006b27a8f08bd02f3bb452a9cf2aa
---
M puppet/hieradata/common.yaml
M puppet/modules/mysql/manifests/user.pp
M puppet/modules/phabricator/manifests/init.pp
3 files changed, 27 insertions(+), 6 deletions(-)
Approvals:
BryanDavis: Looks good to me, approved
jenkins-bot: Verified
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml
index 2b53491..ab5c4b6 100644
--- a/puppet/hieradata/common.yaml
+++ b/puppet/hieradata/common.yaml
@@ -278,6 +278,8 @@
phabricator::log_dir: "/vagrant/logs/phd"
phabricator::vhost_name: "phabricator%{hiera('mwv::tld')}"
phabricator::remote: https://secure.phabricator.com/diffusion/P/phabricator.git
+phabricator::dbuser: phabricator
+phabricator::dbpass: phabulous
php::xhprof::profile_storage_dir: /vagrant/profiles
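Review bot: `phabricator::dbpass: phabulous` commits a static database password to version control next to the user name, and nothing in the file marks it as a development default; the project name in the trailers (mediawiki/vagrant) suggests a local VM, but the hieradata itself does not say so. A one-line comment above the pair, `# Dev-VM default credentials for the Phabricator DB account; override in local hieradata, do not reuse elsewhere`, would keep the value from being copied into other environments. The same key is consumed by both `mysql::user` and `phabricator::config { 'mysql.pass' }` in init.pp, so overriding it in one place keeps both in step.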
diff --git a/puppet/modules/mysql/manifests/user.pp
b/puppet/modules/mysql/manifests/user.pp
index 9c69e2a..88c8ef5 100644
--- a/puppet/modules/mysql/manifests/user.pp
+++ b/puppet/modules/mysql/manifests/user.pp
@@ -44,7 +44,7 @@
$password,
$ensure = present,
$username = $title,
- $grant = 'usage on *.*',
+ $grant = 'USAGE ON *.*',
$hostname = $::mysql::grant_host_name,
$socket = false,
) {
@@ -57,8 +57,8 @@
}
if $ensure == 'absent' {
- mysql::sql { "drop user '${username}'":
- unless => "select not exists(select 1 from mysql.user where user =
'${username}')",
+ mysql::sql { "DROP USER '${username}'":
+ unless => "SELECT NOT EXISTS(SELECT 1 FROM mysql.user WHERE user =
'${username}')",
}
} else {
$ident = $socket ? {
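Review bot: The rewritten `DROP USER '${username}'` still omits the host part that the create branch now uses (`'${username}'@'${hostname}'`); MySQL treats a bare account name as `'${username}'@'%'`, so when `$hostname` is anything other than `%` the absent branch either drops a different account or fails because `'${username}'@'%'` does not exist. Changing it to `mysql::sql { "DROP USER '${username}'@'${hostname}'":` keeps the two branches symmetric. The guard's `WHERE user = '${username}'` likewise matches any host; adding `AND host = '${hostname}'` there (and in the create guard in the next hunk) would make the existence checks precise. This asymmetry predates the commit, which only changed keyword case on these lines.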
@@ -66,8 +66,8 @@
default => "IDENTIFIED BY '${password}'",
}
mysql::sql { "create user ${username}":
- sql => "grant ${grant} to '${username}'@'${hostname}' ${ident}",
- unless => "select exists(select 1 from mysql.user where user =
'${username}')",
+ sql => "CREATE USER '${username}'@'${hostname}' ${ident}; GRANT
${grant} to '${username}'@'${hostname}'",
+ unless => "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user =
'${username}')",
}
}
}
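Review bot: The `unless` only tests that the account exists, but the `sql` string now carries two statements (`CREATE USER …; GRANT …`), so once the first apply has run the GRANT is never reissued: if the GRANT half fails on the first run, or `$grant` is changed later, the privileges silently stay as they were. Whether `mysql::sql` executes a multi-statement string at all depends on its definition, which is outside this hunk. Splitting the two statements into separate resources gives the grant its own ordering, and it should get its own `unless` (for example against `SHOW GRANTS FOR`) if `mysql::sql` otherwise reports a change on every run. The lowercase `to` in the GRANT is also the one keyword the commit left unchanged.
```puppet
mysql::sql { "create user ${username}":
    sql    => "CREATE USER '${username}'@'${hostname}' ${ident}",
    unless => "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${username}')",
}
mysql::sql { "grant ${username}":
    sql     => "GRANT ${grant} TO '${username}'@'${hostname}'",
    require => Mysql::Sql["create user ${username}"],
}
```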
diff --git a/puppet/modules/phabricator/manifests/init.pp
b/puppet/modules/phabricator/manifests/init.pp
index 152d584..8a9f55a 100644
--- a/puppet/modules/phabricator/manifests/init.pp
+++ b/puppet/modules/phabricator/manifests/init.pp
@@ -19,6 +19,12 @@
# [*remote*]
# Phabricator git remote.
#
+# [*dbuser*]
+# Database user
+#
+# [*dbpass*]
+# Database password
+#
# [*branch*]
# Phabricator branch to check out. If left undefined the default HEAD of the
# remote will be used.
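Review bot: The new `[*dbuser*]` / `[*dbpass*]` entries say only `Database user` and `Database password`, which does not tell a reader that this class creates the account itself (via `mysql::user`, later in the file) rather than expecting it to exist, nor what it is granted. Suggest `#   MySQL account this class creates for Phabricator; granted ALL on databases matching phabricator_%` under dbuser and `#   Password for that account; also written to Phabricator's mysql.pass setting` under dbpass. The parameter list these entries document begins in the next hunk.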
@@ -28,6 +34,8 @@
$log_dir,
$vhost_name,
$remote,
+ $dbuser,
+ $dbpass,
$branch = undef,
$protocol = 'http',
){
@@ -70,6 +78,11 @@
require => Class['::apache::mod::rewrite'],
}
+ mysql::user { $dbuser:
+ password => $dbpass,
+ grant => 'ALL ON \`phabricator\_%\`.*',
+ }
+
phabricator::config { 'mysql.host':
value => '127.0.0.1',
}
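Review bot: The grant string `'ALL ON \`phabricator\_%\`.*'` relies on two non-obvious escapes without a comment: in a MySQL GRANT the database name is a LIKE-style pattern where `_` and `%` are wildcards, so `\_` is what restricts the grant to names with a literal `phabricator_` prefix, while the backslashes before the backticks are not an escape Puppet recognises in single-quoted strings and presumably only work because `mysql::sql` (not shown here) passes the statement through a shell double-quoted string. A comment such as `# \_ keeps the underscore literal (GRANT db names are patterns); the backtick escapes are presumably consumed by the shell inside mysql::sql` would stop the next editor from "fixing" either one. Whether `mysql::user` orders itself after `Class['::mysql']` is not visible here; the storage-upgrade exec further down requires both, but the user resource itself may need the same dependency.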
@@ -78,8 +91,12 @@
value => 3306,
}
+ phabricator::config { 'mysql.user':
+ value => $dbuser,
+ }
+
phabricator::config { 'mysql.pass':
- value => $::mysql::root_password,
+ value => $dbpass,
}
phabricator::config { 'phabricator.base-uri':
@@ -181,8 +198,10 @@
require => [
Class['::mysql'],
Phabricator::Config['mysql.host'],
+ Phabricator::Config['mysql.user'],
Phabricator::Config['mysql.pass'],
Phabricator::Config['mysql.port'],
+ Mysql::User[$dbuser],
],
unless => "${deploy_dir}/phabricator/bin/storage status > /dev/null",
}
--
Gerrit-MessageType: merged
Gerrit-Change-Id: Ic4371616d67006b27a8f08bd02f3bb452a9cf2aa
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/vagrant
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Dduvall <[email protected]>
Gerrit-Reviewer: jenkins-bot <>