openwhisk-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From vvras...@apache.org
Subject [incubator-openwhisk] branch master updated: Use separate credentials for controller and invoker. (#3876)
Date Mon, 23 Jul 2018 09:41:01 GMT
This is an automated email from the ASF dual-hosted git repository.

vvraskin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new 02660b4  Use separate credentials for controller and invoker. (#3876)
02660b4 is described below

commit 02660b48359dc9633e534d5ce4afa745bc30c943
Author: Christian Bickel <github@cbickel.de>
AuthorDate: Mon Jul 23 11:40:57 2018 +0200

    Use separate credentials for controller and invoker. (#3876)
---
 ansible/group_vars/all                    |  6 ++++
 ansible/roles/controller/tasks/deploy.yml |  6 ++--
 ansible/roles/invoker/tasks/deploy.yml    |  6 ++--
 ansible/tasks/db/checkDb.yml              |  6 ++--
 ansible/tasks/db/createUsers.yml          | 25 ++++++++++++++
 ansible/tasks/db/grantPermissions.yml     | 55 +++++++++++++++++++++++++++++++
 ansible/tasks/initdb.yml                  |  7 ++++
 ansible/tasks/recreateViews.yml           |  1 -
 ansible/tasks/wipeDatabase.yml            | 21 +++++++++++-
 ansible/templates/db_local.ini.j2         |  8 +++++
 10 files changed, 133 insertions(+), 8 deletions(-)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 19a7c9f..b95e3de 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -237,6 +237,12 @@ db:
     admin:
       user: "{{ db_username | default(lookup('ini', 'db_username section=db_creds file={{
playbook_dir }}/db_local.ini')) }}"
       pass: "{{ db_password | default(lookup('ini', 'db_password section=db_creds file={{
playbook_dir }}/db_local.ini')) }}"
+    controller:
+      user: "{{ db_controller_user | default(lookup('ini', 'db_username section=controller
file={{ playbook_dir }}/db_local.ini')) }}"
+      pass: "{{ db_controller_pass | default(lookup('ini', 'db_password section=controller
file={{ playbook_dir }}/db_local.ini')) }}"
+    invoker:
+      user: "{{ db_invoker_user | default(lookup('ini', 'db_username section=invoker file={{
playbook_dir }}/db_local.ini')) }}"
+      pass: "{{ db_invoker_pass | default(lookup('ini', 'db_password section=invoker file={{
playbook_dir }}/db_local.ini')) }}"
 
 apigateway:
   port:
diff --git a/ansible/roles/controller/tasks/deploy.yml b/ansible/roles/controller/tasks/deploy.yml
index 990c18c..80c6a23 100644
--- a/ansible/roles/controller/tasks/deploy.yml
+++ b/ansible/roles/controller/tasks/deploy.yml
@@ -78,6 +78,8 @@
   include_tasks: "{{ openwhisk_home }}/ansible/tasks/db/checkDb.yml"
   vars:
     dbName: "{{ item }}"
+    dbUser: "{{ db.credentials.controller.user }}"
+    dbPass: "{{ db.credentials.controller.pass }}"
   with_items:
     - "{{ db.whisk.actions }}"
     - "{{ db.whisk.auth }}"
@@ -162,8 +164,8 @@
       "CONFIG_whisk_couchdb_protocol": "{{ db.protocol }}"
       "CONFIG_whisk_couchdb_host": "{{ db.host }}"
       "CONFIG_whisk_couchdb_port": "{{ db.port }}"
-      "CONFIG_whisk_couchdb_username": "{{ db.credentials.admin.user }}"
-      "CONFIG_whisk_couchdb_password": "{{ db.credentials.admin.pass }}"
+      "CONFIG_whisk_couchdb_username": "{{ db.credentials.controller.user }}"
+      "CONFIG_whisk_couchdb_password": "{{ db.credentials.controller.pass }}"
       "CONFIG_whisk_couchdb_provider": "{{ db.provider }}"
       "CONFIG_whisk_couchdb_databases_WhiskAuth": "{{ db.whisk.auth }}"
       "CONFIG_whisk_couchdb_databases_WhiskEntity": "{{ db.whisk.actions }}"
diff --git a/ansible/roles/invoker/tasks/deploy.yml b/ansible/roles/invoker/tasks/deploy.yml
index edfde37..40b4b7c 100644
--- a/ansible/roles/invoker/tasks/deploy.yml
+++ b/ansible/roles/invoker/tasks/deploy.yml
@@ -90,6 +90,8 @@
   include_tasks: "{{ openwhisk_home }}/ansible/tasks/db/checkDb.yml"
   vars:
     dbName: "{{ item }}"
+    dbUser: "{{ db.credentials.invoker.user }}"
+    dbPass: "{{ db.credentials.invoker.pass }}"
   with_items:
   - "{{ db.whisk.actions }}"
   - "{{ db.whisk.activations }}"
@@ -182,8 +184,8 @@
       "CONFIG_whisk_couchdb_protocol": "{{ db.protocol }}"
       "CONFIG_whisk_couchdb_host": "{{ db.host }}"
       "CONFIG_whisk_couchdb_port": "{{ db.port }}"
-      "CONFIG_whisk_couchdb_username": "{{ db.credentials.admin.user }}"
-      "CONFIG_whisk_couchdb_password": "{{ db.credentials.admin.pass }}"
+      "CONFIG_whisk_couchdb_username": "{{ db.credentials.invoker.user }}"
+      "CONFIG_whisk_couchdb_password": "{{ db.credentials.invoker.pass }}"
       "CONFIG_whisk_couchdb_provider": "{{ db.provider }}"
       "CONFIG_whisk_couchdb_databases_WhiskAuth": "{{ db.whisk.auth }}"
       "CONFIG_whisk_couchdb_databases_WhiskEntity": "{{ db.whisk.actions }}"
diff --git a/ansible/tasks/db/checkDb.yml b/ansible/tasks/db/checkDb.yml
index 728e60a..809d5e5 100644
--- a/ansible/tasks/db/checkDb.yml
+++ b/ansible/tasks/db/checkDb.yml
@@ -3,12 +3,14 @@
 ---
 # Checks, that the Database exists
 # dbName - name of the database to check
+# dbUser - name of the user which should have access rights
+# dbPass - password of the user which should have access
 
 - name: check if {{ dbName }} with {{ db.provider }} exists
   uri:
     url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}"
     method: HEAD
     status_code: 200
-    user: "{{ db.credentials.admin.user }}"
-    password: "{{ db.credentials.admin.pass }}"
+    user: "{{ dbUser }}"
+    password: "{{ dbPass }}"
     force_basic_auth: yes
diff --git a/ansible/tasks/db/createUsers.yml b/ansible/tasks/db/createUsers.yml
new file mode 100644
index 0000000..2f2b2c0
--- /dev/null
+++ b/ansible/tasks/db/createUsers.yml
@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more contributor
+# license agreements; and to You under the Apache License, Version 2.0.
+---
+# Create all required users in _users-database
+# http://docs.couchdb.org/en/2.0.0/intro/security.html#users-documents
+
+- name: create required users
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users/org.couchdb.user:{{ item.value.user
}}"
+    method: PUT
+    status_code: 201,409
+    body_format: json
+    body: |
+      {
+        "name": "{{ item.value.user }}",
+        "password": "{{ item.value.pass }}",
+        "roles": [],
+        "type": "user"
+      }
+    user: "{{ db.credentials.admin.user }}"
+    password: "{{ db.credentials.admin.pass }}"
+    force_basic_auth: yes
+  with_dict: "{{ db.credentials }}"
+  # Don't create the admin user again, if a component is using admin access.
+  when: item.value.user != db.credentials.admin.user
diff --git a/ansible/tasks/db/grantPermissions.yml b/ansible/tasks/db/grantPermissions.yml
new file mode 100644
index 0000000..11c7f11
--- /dev/null
+++ b/ansible/tasks/db/grantPermissions.yml
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more contributor
+# license agreements; and to You under the Apache License, Version 2.0.
+---
+# Grant the specified users permissions to the specified database.
+# dbName - name of the database
+# admins - all users with admin access
+# readers - all users that have read access on the database
+# writers - all users that have write access on the database
+
+# If a component uses admin credentials, the admin user will not be added to the list (as
it already has all access rights).
+- set_fact:
+    readerList: "{{ readers | default([]) | difference([db.credentials.admin.user]) }}"
+    writerList: "{{ writers | default([]) | difference([db.credentials.admin.user]) }}"
+    adminList: "{{ admins | default([]) | difference([db.credentials.admin.user]) }}"
+
+# http://docs.couchdb.org/en/2.0.0/api/database/security.html
+- name: grant permissions for CouchDB
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+    method: PUT
+    status_code: 200
+    body_format: json
+    body: |
+      {
+        "admins": {
+          "names": [ {{ adminList | join('", "') }} ],
+          "roles": []
+        },
+        "members": {
+          "names": [ "{{ readerList | union(writerList) | join('", "') }}" ],
+          "roles": []
+        }
+      }
+    user: "{{ db.credentials.admin.user }}"
+    password: "{{ db.credentials.admin.pass }}"
+    force_basic_auth: yes
+  when: db.provider == 'CouchDB'
+
+# https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization
+- name: grant permissions for Cloudant
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+    method: PUT
+    status_code: 200
+    body_format: json
+    body: |
+      {
+        "cloudant": {
+          {% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}":
[ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in
adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %}
+        }
+      }
+    user: "{{ db.credentials.admin.user }}"
+    password: "{{ db.credentials.admin.pass }}"
+    force_basic_auth: yes
+  when: db.provider == 'Cloudant'
diff --git a/ansible/tasks/initdb.yml b/ansible/tasks/initdb.yml
index 7e19d7d..16608ae 100644
--- a/ansible/tasks/initdb.yml
+++ b/ansible/tasks/initdb.yml
@@ -9,6 +9,13 @@
     dbName: "{{ db.whisk.auth }}"
     forceRecreation: False
 
+- include_tasks: db/grantPermissions.yml
+  vars:
+    dbName: "{{ db.whisk.auth }}"
+    readers:
+    - "{{ db.credentials.controller.user }}"
+    - "{{ db.credentials.invoker.user }}"
+
 - include_tasks: db/recreateDoc.yml
   vars:
     dbName: "{{ db.whisk.auth }}"
diff --git a/ansible/tasks/recreateViews.yml b/ansible/tasks/recreateViews.yml
index f4f3906..0c9d428 100644
--- a/ansible/tasks/recreateViews.yml
+++ b/ansible/tasks/recreateViews.yml
@@ -21,4 +21,3 @@
     - "{{ openwhisk_home }}/ansible/files/filter_design_document.json"
     - "{{ openwhisk_home }}/ansible/files/activations_design_document_for_activations_db.json"
     - "{{ openwhisk_home }}/ansible/files/logCleanup_design_document_for_activations_db.json"
-  when: db.whisk.activations != db.whisk.actions
diff --git a/ansible/tasks/wipeDatabase.yml b/ansible/tasks/wipeDatabase.yml
index 2e85e64..bfdbd49 100644
--- a/ansible/tasks/wipeDatabase.yml
+++ b/ansible/tasks/wipeDatabase.yml
@@ -4,15 +4,34 @@
 # Wipe transient databases. You should know what you are doing here.
 # withViews: True or False. Says, if the views have to be recreated.
 
+- include_tasks: db/createUsers.yml
+
 - include_tasks: db/recreateDb.yml
   vars:
     dbName: "{{ db.whisk.actions }}"
     forceRecreation: True
+- include_tasks: db/grantPermissions.yml
+  vars:
+    dbName: "{{ db.whisk.actions }}"
+    readers:
+    - "{{ db.credentials.controller.user }}"
+    - "{{ db.credentials.invoker.user }}"
+    writers:
+    - "{{ db.credentials.controller.user }}"
+
 - include_tasks: db/recreateDb.yml
   vars:
     dbName: "{{ db.whisk.activations }}"
     forceRecreation: True
-  when: db.whisk.activations != db.whisk.actions
+- include_tasks: db/grantPermissions.yml
+  vars:
+    dbName: "{{ db.whisk.activations }}"
+    readers:
+    - "{{ db.credentials.controller.user }}"
+    - "{{ db.credentials.invoker.user }}"
+    writers:
+    - "{{ db.credentials.controller.user }}"
+    - "{{ db.credentials.invoker.user }}"
 
 - include_tasks: recreateViews.yml
   when: withViews == True
diff --git a/ansible/templates/db_local.ini.j2 b/ansible/templates/db_local.ini.j2
index 6287155..c94ab63 100644
--- a/ansible/templates/db_local.ini.j2
+++ b/ansible/templates/db_local.ini.j2
@@ -5,3 +5,11 @@ db_password={{ lookup('env', 'OW_DB_PASSWORD')|default('some_passw0rd', true)
}}
 db_protocol={{ lookup('env', 'OW_DB_PROTOCOL')|default('http', true) }}
 db_host={{ lookup('env', 'OW_DB_HOST')|default(groups['db']|first, true) }}
 db_port={{ lookup('env', 'OW_DB_PORT')|default('5984', true) }}
+
+[controller]
+db_username={{ lookup('env', 'OW_DB_CONTROLLER_USERNAME') | default(db_prefix + 'controller0',
true) }}
+db_password={{ lookup('env', 'OW_DB_CONTROLLER_PASSWORD') | default('some_controller_passw0rd',
true) }}
+
+[invoker]
+db_username={{ lookup('env', 'OW_DB_INVOKER_USERNAME') | default(db_prefix + 'invoker0',
true) }}
+db_password={{ lookup('env', 'OW_DB_INVOKER_PASSWORD') | default('some_invoker_passw0rd',
true) }}


Mime
View raw message