I've set up something where I put a grants file in the data directory of each database:

remotefile {"$db_datadir/grants":
  mode => 500,
  source => "db/$db_name/data/grants",
  require => File["${db_datadir}"],
  notify => Exec["refresh_${db_name}"]
}

This file contains...grants, ala:

--
delete from mysql.user where not(user='root' and host='localhost');
grant select on mydb.* to 'imyuser'@'%' identified by PASSWORD '*NOTREALNOTREAL727A331289600B9AA66EAE';
<additional grants as needed>
flush privileges
--

From there, every time puppet is run it dumps all grants and does an md5 hash. If the hash is ever different from the previously computed hash (stored in a file), it reapplies the grants. Basically, if anybody makes a manual change it will get reverted next puppet run.

Hopefully someone doesn't poke a hole in my logic here, but it seems to work fine for me. The only change I've been thinking I should put in is having the initial 'delete' and final 'flush' statements part of the actual puppet class instead of in each grants file. It'd be safer.

# generate a hash from the grants table. if it's different than the hash generated last time
# notify so grants table gets refreshed.
# this will back out changes made manually!
$grants_sel = "'select user,host,password from mysql.user order by user,host;'"
exec {"echo ${grants_sel} | ${mysql_bin}/mysql -S ${db_socket} | md5sum > ${db_datadir}/grants.hash":
  onlyif => "test -S ${db_socket}",
  unless => "echo ${grants_sel} | ${mysql_bin}/mysql -S ${db_socket} | md5sum | diff - ${db_datadir}/grants.hash",
  notify => Exec["refresh_${db_name}"]
}

# refresh only on grants file change. gets notified by grants file being changed
# NOTE --force means it will apply statements even if a previous one has a syntax error
# without it, all lines are applied until the syntax error and lines after are not
exec {"${mysql_bin}/mysql --force -S ${db_socket} < $db_datadir/grants":
  alias => "refresh_${db_name}",
  refreshonly => true,
  onlyif => "test -S ${db_socket}",
}

On May 19, 7:56 am, dbs <dbelfershev...@gmail.com> wrote:
> We need to make sure all our MySQL servers have a specific user /
> password / grant setup available (this is because we use centralized
> monitoring via Zenoss, and Zenoss needs a login on all the servers).
>
> I found a github reference to a package that might do it
> (http://github.com/camptocamp/puppet-mysql) but I can't understand
> what it is, how it works, or even what to do with it.
>
> How would folks recommend implementing this functionality?
>
> (Talking about perhaps 40 database servers)
>
> -d
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group
> at http://groups.google.com/group/puppet-users?hl=en.
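
The hash-and-compare step from the reply above as a standalone shell function, added here as an example and not code from the thread: it refuses an empty dump so a failed query is never stored as the baseline, and its constructed sample rows show that a dump of only user, host and password stays identical when an existing account's privileges change. The function and helper names, the sample rows, and the idea of adding the `Select_priv` column to the dump are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread). Reads a grants dump on stdin.
# check_grants_drift HASHFILE returns:
#   0 = dump differs from the stored hash (hash updated; reapply grants)
#   1 = unchanged
#   2 = empty dump (the query probably failed); stored hash left untouched
check_grants_drift() {
    hashfile=$1
    dump=$(cat)
    [ -n "$dump" ] || return 2
    new=$(printf '%s\n' "$dump" | md5sum | cut -d' ' -f1)
    old=$(cat "$hashfile" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    # Write via a temp file so an interrupted run cannot leave a partial hash.
    printf '%s\n' "$new" > "$hashfile.tmp" && mv "$hashfile.tmp" "$hashfile"
}

# Constructed sample dumps (tab-separated, like mysql batch output), not from
# a real server. narrow_dump has the columns the thread's SELECT returns;
# wide_dump adds one privilege column (assumption: Select_priv is included).
narrow_dump() { printf 'user\thost\tpassword\nmonitor\t%%\t*CONSTRUCTED\n'; }
wide_dump() {
    printf 'user\thost\tpassword\tSelect_priv\nmonitor\t%%\t*CONSTRUCTED\t%s\n' "$1"
}

# Run one check on stdin and print its return code.
rc_of() { rc=0; check_grants_drift "$1" || rc=$?; echo "$rc"; }

demo() {
    h=$(mktemp)
    narrow_dump | rc_of "$h"   # 0: no baseline yet, hash stored
    narrow_dump | rc_of "$h"   # 1: unchanged; privilege edits never reach this dump
    : | rc_of "$h"             # 2: empty dump, baseline kept
    wide_dump N | rc_of "$h"   # 0: different columns, new baseline
    wide_dump N | rc_of "$h"   # 1: unchanged
    wide_dump Y | rc_of "$h"   # 0: privilege flipped N -> Y, drift reported
    rm -f "$h" "$h.tmp"
}
demo
```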