Re: [openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Hi Clark, all, https://review.openstack.org/#/c/76634/ has been merged, but I still get 'command denied' errors [1]. Is there something else, that must be done before we can use new privileges of openstack_citest user? Thanks, Roman [1] http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/e115a5f/console.html On Wed, Feb 26, 2014 at 11:54 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi Clark, I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough Works for me. Thanks, Roman On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan clark.boy...@gmail.com wrote: On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The problem with the prefix approach is it doesn't scale. At some point we will decide we need a new prefix then a third and so on (which is basically what happened at the schema level). That said we recently switched to using single use slaves for all unittesting so I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough. This should work fine for upstream testing but may not be super friendly to others using the puppet manifests on permanent slaves. We can wrap the GRANT in a condition in puppet that is set only on single use slaves if this is a problem. Clark ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Slave images are auto rebuilt daily, so, probably, it's not happens yet for all providers. Anyway I see the following in nodepool logs: 2014-02-28 02:24:09,255 INFO nodepool.image.build.rax-ord.bare-precise: [0;36mnotice: /Stage[main]/Jenkins::Slave/Mysql::Db[openstack_citest]/Database_grant[openstack_citest@localhost/openstack_citest]/privileges: privileges changed '' to 'all'[0m On Fri, Feb 28, 2014 at 12:28 PM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi Clark, all, https://review.openstack.org/#/c/76634/ has been merged, but I still get 'command denied' errors [1]. Is there something else, that must be done before we can use new privileges of openstack_citest user? Thanks, Roman [1] http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/e115a5f/console.html On Wed, Feb 26, 2014 at 11:54 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi Clark, I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough Works for me. Thanks, Roman On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan clark.boy...@gmail.com wrote: On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The problem with the prefix approach is it doesn't scale. At some point we will decide we need a new prefix then a third and so on (which is basically what happened at the schema level). That said we recently switched to using single use slaves for all unittesting so I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough. This should work fine for upstream testing but may not be super friendly to others using the puppet manifests on permanent slaves. We can wrap the GRANT in a condition in puppet that is set only on single use slaves if this is a problem. Clark ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Sincerely yours, Sergey Lukjanov Savanna Technical Lead Mirantis Inc. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Hi all, Just a FYI note, not whining :) Still failing with 'command denied': http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/877792b/console.html Thanks, Roman On Fri, Feb 28, 2014 at 1:41 PM, Sergey Lukjanov slukja...@mirantis.com wrote: Slave images are auto rebuilt daily, so, probably, it's not happens yet for all providers. Anyway I see the following in nodepool logs: 2014-02-28 02:24:09,255 INFO nodepool.image.build.rax-ord.bare-precise: [0;36mnotice: /Stage[main]/Jenkins::Slave/Mysql::Db[openstack_citest]/Database_grant[openstack_citest@localhost/openstack_citest]/privileges: privileges changed '' to 'all' [0m On Fri, Feb 28, 2014 at 12:28 PM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi Clark, all, https://review.openstack.org/#/c/76634/ has been merged, but I still get 'command denied' errors [1]. Is there something else, that must be done before we can use new privileges of openstack_citest user? Thanks, Roman [1] http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/e115a5f/console.html On Wed, Feb 26, 2014 at 11:54 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi Clark, I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough Works for me. Thanks, Roman On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan clark.boy...@gmail.com wrote: On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The problem with the prefix approach is it doesn't scale. At some point we will decide we need a new prefix then a third and so on (which is basically what happened at the schema level). That said we recently switched to using single use slaves for all unittesting so I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough. This should work fine for upstream testing but may not be super friendly to others using the puppet manifests on permanent slaves. We can wrap the GRANT in a condition in puppet that is set only on single use slaves if this is a problem. Clark ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Sincerely yours, Sergey Lukjanov Savanna Technical Lead Mirantis Inc. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Hi Clark, I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough Works for me. Thanks, Roman On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan clark.boy...@gmail.com wrote: On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The problem with the prefix approach is it doesn't scale. At some point we will decide we need a new prefix then a third and so on (which is basically what happened at the schema level). That said we recently switched to using single use slaves for all unittesting so I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough. This should work fine for upstream testing but may not be super friendly to others using the puppet manifests on permanent slaves. We can wrap the GRANT in a condition in puppet that is set only on single use slaves if this is a problem. Clark ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka rpodoly...@mirantis.com wrote: Hi all, [1] made it possible for openstack_citest MySQL user to create new databases in tests on demand (which is very useful for parallel running of tests on MySQL and PostgreSQL, thank you, guys!). Unfortunately, openstack_citest user can only create tables in the created databases, but not to perform SELECT/UPDATE/INSERT queries. Please see the bug [2] filed by Joshua Harlow. In PostgreSQL the user who creates a database, becomes the owner of the database (and can do everything within this database), and in MySQL we have to GRANT those privileges explicitly. But openstack_citest doesn't have the permission to do GRANT (even on its own databases). I think, we could overcome this issue by doing something like this while provisioning a node: GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to 'openstack_citest'@'localhost'; and then create databases giving them names starting with the prefix value. Is it an acceptable solution? Or am I missing something? Thanks, Roman [1] https://review.openstack.org/#/c/69519/ [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320 ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The problem with the prefix approach is it doesn't scale. At some point we will decide we need a new prefix then a third and so on (which is basically what happened at the schema level). That said we recently switched to using single use slaves for all unittesting so I think we can safely GRANT ALL on *.* to openstack_citest@localhost and call that good enough. This should work fine for upstream testing but may not be super friendly to others using the puppet manifests on permanent slaves. We can wrap the GRANT in a condition in puppet that is set only on single use slaves if this is a problem. Clark ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev