This is an automated email from the ASF dual-hosted git repository. markusthoemmes pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new b8107e9 Make ansible script to grant database permissions more general. (#3985)
b8107e9 is described below
commit b8107e96f3de16ee06134539d5a0a766a3b24d66
Author: Christian Bickel <git...@cbickel.de>
AuthorDate: Fri Aug 24 11:17:01 2018 +0200
Make ansible script to grant database permissions more general. (#3985)
---
ansible/tasks/db/createUsers.yml | 9 +++++++++
ansible/tasks/db/grantPermissions.yml | 32 ++++++++++++++++++++------------
2 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/ansible/tasks/db/createUsers.yml b/ansible/tasks/db/createUsers.yml
index 2f2b2c0..f823c39 100644
--- a/ansible/tasks/db/createUsers.yml
+++ b/ansible/tasks/db/createUsers.yml
@@ -4,6 +4,15 @@ # Create all required users in _users-database # http://docs.couchdb.org/en/2.0.0/intro/security.html#users-documents +- name: create _users DB if it doesn't exist yet + uri: + url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users" + method: PUT + status_code: 200,201,412 + user: "{{ db.credentials.admin.user }}" + password: "{{ db.credentials.admin.pass }}" + force_basic_auth: yes + - name: create required users uri: url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users/org.couchdb.user:{{ item.value.user }}"
diff --git a/ansible/tasks/db/grantPermissions.yml b/ansible/tasks/db/grantPermissions.yml
index 6ac1b77..b7d1c1b 100644
--- a/ansible/tasks/db/grantPermissions.yml
+++ b/ansible/tasks/db/grantPermissions.yml
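Review bot: The new `create _users DB if it doesn't exist yet` task has no `when: db.provider == 'CouchDB'` guard, whereas every `_security` task in grantPermissions.yml is provider-guarded; if createUsers.yml is ever included for a Cloudant deployment, the `PUT /_users` against a managed service may not be permitted and the task will fail on a status outside `200,201,412`, so either add the same guard or, if this file is CouchDB-only by construction, say so in a comment above the task. The accepted `412` also needs a comment, because a reader cannot tell it is the "database already exists" response that makes the task safe to re-run: `# 200/201: _users created, 412: it already exists (idempotent re-run)`. As a point of style, `status_code: [200, 201, 412]` states the list explicitly instead of relying on the module splitting a comma-separated string. Note that this task, like the existing ones, sends the admin credentials with basic auth over whatever `db.protocol` resolves to, so the password is only protected when that is https.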
@@ -3,20 +3,28 @@ --- # Grant the specified users permissions to the specified database. # dbName - name of the database -# admins - all users with admin access -# readers - all users that have read access on the database -# writers - all users that have write access on the database +# dbHostname - hostname of the database +# dbAdminUser - admin user, which is able to grant permissions +# dbAdminPassword - password of the admin user, which is able to grant permissions +# admins - all users which should have admin access on this database afterwards +# readers - all users which should have read access on this database afterwards +# writers - all users which should have write access on this database afterwards + +- set_fact: + dbUser: "{{ dbAdminUser | default(db.credentials.admin.user) }}" + dbPassword: "{{ dbAdminPassword | default(db.credentials.admin.pass) }}" + dbHost: "{{ dbHostname | default(db.host) }}" # If a component uses admin credentials, the admin user will not be added to the list (as it already has all access rights). - set_fact: - readerList: "{{ readers | default([]) | difference([db.credentials.admin.user]) }}" - writerList: "{{ writers | default([]) | difference([db.credentials.admin.user]) }}" - adminList: "{{ admins | default([]) | difference([db.credentials.admin.user]) }}" + readerList: "{{ readers | default([]) | difference([dbUser]) }}" + writerList: "{{ writers | default([]) | difference([dbUser]) }}" + adminList: "{{ admins | default([]) | difference([dbUser]) }}" # http://docs.couchdb.org/en/2.0.0/api/database/security.html - name: grant permissions for CouchDB uri: - url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security" + url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security" method: PUT status_code: 200 body_format: json 
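Review bot: The new `dbHostname` override replaces only the host in the `_security` URL; `db.protocol` and `db.port` are still taken from the global config on the CouchDB `url:` here and on the Cloudant `url:` in the next hunk, so a caller that points at a database on another port or scheme silently ends up at the wrong endpoint. Either document the limit in the header, `# dbHostname - hostname of the database (db.protocol and db.port still apply)`, or add matching `dbProtocol`/`dbPort` overrides with the same `default(...)` pattern. The first `set_fact` copies the admin password into the host fact `dbPassword`, and set_fact results are printed with verbose output while facts persist for the rest of the run, so that task should carry `no_log: true` to keep the credential out of logs beyond this file. Both `set_fact` tasks would also read better with a `name:`, e.g. `- name: resolve database admin credentials and host`.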
@@ -31,15 +39,15 @@ "roles": [] } } - user: "{{ db.credentials.admin.user }}" - password: "{{ db.credentials.admin.pass }}" + user: "{{ dbUser }}" + password: "{{ dbPassword }}" force_basic_auth: yes when: db.provider == 'CouchDB' # https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization - name: grant permissions for Cloudant uri: - url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security" + url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security" method: PUT status_code: 200 body_format: json
@@ -49,7 +57,7 @@ {% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %} } } - user: "{{ db.credentials.admin.user }}" - password: "{{ db.credentials.admin.pass }}" + user: "{{ dbUser }}" + password: "{{ dbPassword }}" force_basic_auth: yes when: db.provider == 'Cloudant'