Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require SSL connection to database if MariaDB SSL is configured #1289

Merged
merged 4 commits into from
Nov 7, 2017
Merged

Require SSL connection to database if MariaDB SSL is configured #1289

merged 4 commits into from
Nov 7, 2017

Conversation

jsuchome
Copy link
Member

@jsuchome jsuchome commented Sep 20, 2017
edited
Loading

With this settings, non-SSL access is forbidden for the affected
users.

This is based on @s-t-e-v-e-n-k patch.

NOTE:

@jsuchome jsuchome mentioned this pull request Sep 20, 2017
Merged
@jsuchome jsuchome force-pushed the require-ssl branch 2 times, most recently from 8268b62 to b516726 Compare September 20, 2017 12:03
nicolasbock
nicolasbock previously approved these changes Sep 20, 2017
View reviewed changes
rhafer
rhafer suggested changes Sep 20, 2017
View reviewed changes
chef/cookbooks/database/libraries/provider_database_mysql_user.rb Outdated
if new_resource.connection[:ssl][:insecure]
client_options[:sslverify] = false
else
client_options[:sslca] = new_resource.connection[:ssl][:ca_certs]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you explicitly need to set client_options[:sslverify] = true at least the mysqlclient docs mention that it is off by default. (I didn't try that though)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, true indeed

rhafer
rhafer previously approved these changes Sep 21, 2017
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change itself looks good now. But we can't merge it before we have feedback on the ruby-mysql2 patch referenced above. Or we need to rework the code to disable ssl for the ruby part when certificate verification is not possible.

rhafer
rhafer previously approved these changes Sep 21, 2017
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Though the comments from the previous review still apply.

rsalevsky
rsalevsky previously approved these changes Sep 21, 2017
View reviewed changes
@jsuchome jsuchome dismissed stale reviews from rsalevsky and rhafer via a806f8c September 21, 2017 15:28
@jsuchome
Copy link
Member Author

Rebased (no code change)

rsalevsky
rsalevsky previously approved these changes Sep 22, 2017
View reviewed changes
rhafer
rhafer reviewed Sep 22, 2017
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be missing keystone at least.

rhafer
rhafer previously requested changes Sep 22, 2017
View reviewed changes
Copy link
Contributor

@rhafer rhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be missing keystone at least.

@jsuchome
Copy link
Member Author

This seems to be missing keystone at least.

Added

@jsuchome
Copy link
Member Author

@rhafer as your patch is currently living in build service, this PR could be merged actually.

@jsuchome jsuchome requested a review from rsalevsky September 25, 2017 16:09
@jsuchome
Copy link
Member Author

jsuchome commented Oct 2, 2017

Current blocker is neutron behavior, see bug https://bugzilla.suse.com/show_bug.cgi?id=1060405

@rsalevsky
Copy link
Member

@jsuchome Would splitting the neutron part in a separate PR help unblocking this PR?

houndci-bot
houndci-bot reviewed Oct 2, 2017
View reviewed changes
chef/cookbooks/neutron/recipes/database.rb Outdated
@@ -63,6 +63,8 @@
host "%"
privileges db_settings[:privs]
provider db_settings[:user_provider]
# FIXME: does not work now, see bsc#1060405
# require_ssl db_settings[:connection][:ssl][:enabled]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Layout/CommentIndentation: Incorrect indentation detected (column 0 instead of 4).

houndci-bot
houndci-bot reviewed Oct 2, 2017
View reviewed changes
chef/cookbooks/neutron/recipes/database.rb Outdated
@@ -63,6 +63,8 @@
host "%"
privileges db_settings[:privs]
provider db_settings[:user_provider]
# FIXME: does not work now, see bsc#1060405
# require_ssl db_settings[:connection][:ssl][:enabled]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Layout/CommentIndentation: Incorrect indentation detected (column 0 instead of 4).

@jsuchome
Copy link
Member Author

jsuchome commented Oct 2, 2017

@rsalevsky ok, I've removed neutron part in last commit ... but I'm not sure how severe the problem is, maybe we're gonna have to rework it again

@rhafer rhafer added the wip label Oct 20, 2017
@jsuchome jsuchome removed the wip label Nov 2, 2017
houndci-bot
houndci-bot reviewed Nov 2, 2017
View reviewed changes
chef/cookbooks/horizon/recipes/server.rb Outdated
@@ -333,6 +333,7 @@
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
end

database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)

s-t-e-v-e-n-k
s-t-e-v-e-n-k previously approved these changes Nov 3, 2017
View reviewed changes
Copy link
Contributor

@s-t-e-v-e-n-k s-t-e-v-e-n-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am happy with these changes, on the proviso that the SSL CI job passes as well.

rhafer
rhafer suggested changes Nov 3, 2017
View reviewed changes
chef/cookbooks/horizon/recipes/server.rb Outdated
@@ -333,6 +333,7 @@
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
end

database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a comment with an explanation why we're not enabling ssl for horizon in "insecure" mode.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

houndci-bot
houndci-bot reviewed Nov 3, 2017
View reviewed changes
chef/cookbooks/horizon/recipes/server.rb Outdated
@@ -333,6 +333,9 @@
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
end

# We do not require SSL connectopn for horizon user in case of insecure DB setup,
# because horizon's django uses a library (MySQLdb) that does not support insecure connection.
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)

houndci-bot
houndci-bot reviewed Nov 3, 2017
View reviewed changes
chef/cookbooks/horizon/recipes/server.rb Outdated
@@ -333,6 +333,9 @@
only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
end

# We do not require SSL connectopn for horizon user in case of insecure DB setup,
# because horizon's django uses a library (MySQLdb) that does not support insecure connection.
database_ssl = db_settings[:connection][:ssl][:enabled] && !db_settings[:connection][:ssl][:insecure]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Metrics/LineLength: Line is too long. [101/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind addressing this as well?

@jsuchome
horizon: Adapt local_settings for SSL connection to database
763a89f 
Also, do not require SSL connection for insecure setup.
It seems that MySQLdb library used by django is not able to start
SSL connection without proper certificate verification.
@jsuchome jsuchome merged commit 7604774 into crowbar:master Nov 7, 2017
@jsuchome jsuchome mentioned this pull request Nov 7, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@houndci-bot houndci-bot houndci-bot left review comments

@rsalevsky rsalevsky rsalevsky approved these changes

@rhafer rhafer rhafer approved these changes

@s-t-e-v-e-n-k s-t-e-v-e-n-k s-t-e-v-e-n-k left review comments

@nicolasbock nicolasbock nicolasbock left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@jsuchome @rsalevsky @rhafer @nicolasbock @houndci-bot @s-t-e-v-e-n-k @dirkmueller