Yuvipanda has uploaded a new change for review. https://gerrit.wikimedia.org/r/227413
Change subject: labstore: Followup to I90dc98401b89e769fa058943e3714e383dfe25ea ...................................................................... labstore: Followup to I90dc98401b89e769fa058943e3714e383dfe25ea - Make sure replica.my.cnf permissions are set properly - Protect against symlink following - Add more debugging information Bug: T104453 Change-Id: I1a69d92cac4bfdd7defb565e6ec75ea0aa930a53 --- M modules/labstore/files/create-dbusers 1 file changed, 29 insertions(+), 9 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/13/227413/1 diff --git a/modules/labstore/files/create-dbusers b/modules/labstore/files/create-dbusers index b1329a0..244deda 100755 --- a/modules/labstore/files/create-dbusers +++ b/modules/labstore/files/create-dbusers @@ -21,6 +21,7 @@ import string import random import configparser +import io class User: @@ -58,6 +59,17 @@ return users + def write_user_file(self, path, content): + try: + f = os.open(path, os.O_CREAT | os.O_WRONLY) + os.write(f, content.encode('utf-8')) + # uid == gid + os.fchown(f, self.uid, self.uid) + os.fchmod(f, 0o400) + finally: + if f: + os.close(f) + class CredentialCreator: PASSWORD_LENGTH = 16 @@ -79,6 +91,20 @@ return ''.join(sysrandom.sample( CredentialCreator.PASSWORD_CHARS, CredentialCreator.PASSWORD_LENGTH)) + + def write_credentials_file(self, path, user): + password = self._generate_pass() + replica_config = configparser.ConfigParser() + replica_config['client'] = { + 'user': user.db_username, + 'password': password + } + self.create_user(user, password) + # Because ConfigParser can only write to a file + # and not just return the value as a string directly + replica_buffer = io.StringIO() + replica_config.write(replica_buffer) + sg.write_user_file(replica_path, replica_buffer.getvalue()) def check_user_exists(self, user): exists = True @@ -106,6 +132,7 @@ user_pass=password ) cur.execute(sql) + logging.info('Created user %s in %s', user.db_username, conn.host) finally: cur.close() @@ -150,15 +177,8 @@ if not cgen.check_user_exists(sg): # No replica.my.cnf and no user in db # Generate new creds and put them in there! - password = cgen._generate_pass() - replica_config = configparser.ConfigParser() - replica_config['client'] = { - 'user': sg.db_username, - 'password': password - } - cgen.create_user(sg, password) - with open(replica_path, 'w') as f: - replica_config.write(f) + logging.info('Creating DB accounts for %s with db username %s', sg.name, sg.db_username) + cgen.write_credentials_file(replica_path, sg) logging.info("Created replica.my.cnf for %s, with username %s", sg.name, sg.db_username) else: logging.info('Missing replica.my.cnf for user %s despite grants present in db', sg.name) -- To view, visit https://gerrit.wikimedia.org/r/227413 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1a69d92cac4bfdd7defb565e6ec75ea0aa930a53 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits