Merge "DB connection: prevent src address from binding to a VIP" into stable/mitaka

2017-02-01 17:48:31 +00:00 · 2017-02-01 17:48:31 +00:00 · 3fa6e990cf
parent 558627a07a 631c375673
commit 3fa6e990cf
3 changed files with 65 additions and 1 deletions
--- a/puppet/cinder-storage.yaml
+++ b/puppet/cinder-storage.yaml
@ -275,7 +275,7 @@ resources:
      config: {get_resource: BlockStorageConfig}
      input_values:
        debug: {get_param: Debug}
-        cinder_dsn: {list_join: ['', ['mysql+pymysql://cinder:', {get_param: CinderPassword}, '@', {get_param: MysqlVirtualIPUri} , '/cinder']]}
+        cinder_dsn: {list_join: ['', ['mysql+pymysql://cinder:', {get_param: CinderPassword}, '@', {get_param: MysqlVirtualIPUri} , '/cinder', '?bind_address=', "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"]]}
        snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
        snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
        cinder_lvm_loop_device_size:
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@ -1063,6 +1063,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/cinder'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        glance_port: {get_param: [EndpointMap, GlanceInternal, port]}
        glance_password: {get_param: GlancePassword}
        glance_backend: {get_param: GlanceBackend}
@ -1080,6 +1082,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/glance'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        heat_password: {get_param: HeatPassword}
        heat_stack_domain_admin_password: {get_param: HeatStackDomainAdminPassword}
        heat_dsn:
@ -1090,6 +1094,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/heat'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        keystone_ca_certificate: {get_param: KeystoneCACertificate}
        keystone_signing_key: {get_param: KeystoneSigningKey}
        keystone_signing_certificate: {get_param: KeystoneSigningCertificate}
@ -1106,6 +1112,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/keystone'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
        keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
        keystone_public_url: { get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
@ -1218,6 +1226,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/ovs_neutron?charset=utf8'
+              - '&bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        neutron_internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
        neutron_public_url: { get_param: [ EndpointMap, NeutronPublic, uri ] }
        neutron_admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
@ -1248,6 +1258,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/ceilometer'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        gnocchi_dsn:
          list_join:
            - ''
@ -1256,6 +1268,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/gnocchi'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        gnocchi_internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
        ceilometer_agent_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
        snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
@ -1273,6 +1287,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/nova'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        nova_api_dsn:
          list_join:
            - ''
@ -1281,6 +1297,8 @@ resources:
              - '@'
              - {get_param: MysqlVirtualIPUri}
              - '/nova_api'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
        upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute}
        instance_name_template: {get_param: InstanceNameTemplate}
        fencing_config: {get_param: FencingConfig}
@ -1349,6 +1367,7 @@ resources:
        memcached_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
        mysql_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
        mysql_virtual_ip: {get_param: MysqlVirtualIP}
+        mysql_client_bind_address: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
        ceph_cluster_network: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]}
        ceph_public_network: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
        ceph_public_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
@ -1557,6 +1576,7 @@ resources:
                mysql_cluster_name: {get_input: mysql_cluster_name}
                mysql_bind_host: {get_input: mysql_network}
                mysql_virtual_ip: {get_input: mysql_virtual_ip}
+                tripleo::profile::base::database::mysql::client_bind_address: {get_input: mysql_client_bind_address}

                # Neutron
                neutron::bind_host: {get_input: neutron_api_network}
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@ -21,10 +21,54 @@ def exit_usage():
    print('Usage %s <yaml file or directory>' % sys.argv[0])
    sys.exit(1)

+
+def validate_mysql_connection(settings):
+    no_op = lambda *args: False
+    error_status = [0]
+
+    def mysql_protocol(items):
+        return 'mysql+pymysql' in items
+
+    def client_bind_address(item):
+        return 'bind_address' in item
+
+    def validate_mysql_uri(key, items):
+        # Only consider a connection if it targets mysql
+        if key.endswith('dsn') and \
+           search(items, mysql_protocol, no_op):
+            # Assume the "bind_address" option is one of
+            # the token that made up the uri
+            if not search(items, client_bind_address, no_op):
+                error_status[0] = 1
+        return False
+
+    def search(item, check_item, check_key):
+        if check_item(item):
+            return True
+        elif isinstance(item, list):
+            for i in item:
+                if search(i, check_item, check_key):
+                    return True
+        elif isinstance(item, dict):
+            for k in item.keys():
+                if check_key(k, item[k]):
+                    return True
+                elif search(item[k], check_item, check_key):
+                    return True
+        return False
+
+    search(settings, no_op, validate_mysql_uri)
+    return error_status[0]
+
+
 def validate(filename):
    print('Validating %s' % filename)
    try:
        tpl = yaml.load(open(filename).read())
+        if filename.startswith('./puppet/') and \
+           validate_mysql_connection(tpl):
+            print('ERROR: mysql connection uri should use option bind_address')
+            return 1
    except Exception:
        print(traceback.format_exc())
        return 1