Mattflaschen has uploaded a new change for review.
https://gerrit.wikimedia.org/r/260097
Change subject: WIP: Don't use MySQL root account for DB connection
......................................................................
WIP: Don't use MySQL root account for DB connection
Bug: T86373
Change-Id: I25e3f3b0c43197835f87a8418501208c282569a8
---
M puppet/hieradata/common.yaml
M puppet/modules/mediawiki/manifests/init.pp
M puppet/modules/mediawiki/manifests/multiwiki.pp
M puppet/modules/mediawiki/manifests/wiki.pp
M puppet/modules/role/manifests/flow.pp
5 files changed, 29 insertions(+), 12 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/vagrant
refs/changes/97/260097/1
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml
index af91aa7..e2a2521 100644
--- a/puppet/hieradata/common.yaml
+++ b/puppet/hieradata/common.yaml
@@ -203,11 +203,11 @@
mediawiki::page_dir: "%{hiera('mwv::files_dir')}/pages"
mediawiki::composer_fragment_dir:
"%{hiera('mediawiki::settings_dir')}/composer"
mediawiki::db_name: "%{hiera('mysql::default_db_name')}"
-mediawiki::db_user: root
-mediawiki::db_pass: "%{hiera('mysql::root_password')}"
mediawiki::admin_user: admin
mediawiki::admin_pass: vagrant
mediawiki::server_url:
"http://%{hiera('role::mediawiki::hostname')}%{::port_fragment}"
+
+mediawiki::wiki::db_host: '127.0.0.1'
mediawiki::apache::docroot: "%{hiera('apache::docroot')}"
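Review bot: The added key `mediawiki::wiki::db_host` will probably never reach the parameter it is named after, because wiki.pp declares `mediawiki::wiki` with `define` and Puppet's automatic Hiera lookup binds keys to class parameters only. Every wiki would then fall back to the `$db_host = ''` default added in wiki.pp, so the GRANT there is issued for `${db_user}@` with an empty host part rather than for 127.0.0.1. Carry the host on the class instead, as is done for the user and password: `mediawiki::multiwiki::db_host: '127.0.0.1'` here, a `$db_host` parameter on `mediawiki::multiwiki`, and `$db_host = $::mediawiki::multiwiki::db_host,` as the default in wiki.pp.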
@@ -218,6 +218,8 @@
mediawiki::multiwiki::base_domain: '.wiki.local.wmftest.net'
mediawiki::multiwiki::script_dir: "%{hiera('mediawiki::apache::docroot')}/w"
mediawiki::multiwiki::settings_root:
"%{hiera('mediawiki::settings_dir')}/wikis"
+mediawiki::multiwiki::db_user: 'wikiadmin'
+mediawiki::multiwiki::db_pass: 'wikipassword'
mediawiki::parsoid::dir: "%{hiera('mwv::services_dir')}/parsoid"
mediawiki::parsoid::port: 8000
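Review bot: The new `db_pass` is a fixed literal shared by every checkout, where the removed `mediawiki::db_pass` was looked up from `mysql::root_password`, and nothing on these two lines says the account is meant for the development VM only. Add a comment above them, `# Development-only MediaWiki DB account; keep it restricted to local connections.`, so the value is not copied into a reachable environment. Whether the account really is limited to local connections depends on the host that `mysql::user` creates it for, which this diff does not show.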
diff --git a/puppet/modules/mediawiki/manifests/init.pp
b/puppet/modules/mediawiki/manifests/init.pp
index 7501e8b..167bc20 100644
--- a/puppet/modules/mediawiki/manifests/init.pp
+++ b/puppet/modules/mediawiki/manifests/init.pp
@@ -17,12 +17,6 @@
# [*db_name*]
# Logical MySQL database name (example: 'devwiki').
#
-# [*db_user*]
-# MySQL user to use to connect to the database (example: 'wikidb').
-#
-# [*db_pass*]
-# Password for MySQL account (example: 'secret123').
-#
# [*dir*]
# The system path to which MediaWiki files have been installed
# (example: '/srv/mediawiki').
@@ -55,8 +49,6 @@
$admin_user,
$admin_pass,
$db_name,
- $db_pass,
- $db_user,
$dir,
$cache_dir,
$settings_dir,
diff --git a/puppet/modules/mediawiki/manifests/multiwiki.pp
b/puppet/modules/mediawiki/manifests/multiwiki.pp
index 1afcacd..e56e0e7 100644
--- a/puppet/modules/mediawiki/manifests/multiwiki.pp
+++ b/puppet/modules/mediawiki/manifests/multiwiki.pp
@@ -19,10 +19,17 @@
# [*settings_root*]
# Location of settings files.
#
+# [*db_user*]
+# Database user used by MediaWiki
+#
+# [*db_pass*]
+# Database password used by MediaWiki
class mediawiki::multiwiki(
$base_domain,
$script_dir,
$settings_root,
+ $db_user,
+ $db_pass
) {
File {
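Review bot: The two new parameter entries do not follow the layout of the entries around them: the `[*db_pass*]` description runs straight into `class mediawiki::multiwiki(` without the closing `#` line that follows `[*settings_root*]`, and `$db_pass` drops the trailing comma that the previously last parameter `$settings_root,` carried. Close the comment block with `#` and write `$db_pass,` so later additions stay one-line diffs. The class body continues past the end of this hunk.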
@@ -30,6 +37,11 @@
group => 'www-data',
}
+ mysql::user { $db_user:
+ password => $db_pass,
+ grant => 'CREATE ON *.*'
+ }
+
file { $settings_root:
ensure => directory,
owner => $::share_owner,
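Review bot: `grant => 'CREATE ON *.*'` gives the MediaWiki account a server-wide privilege, so it can create databases and tables in every schema and not only in the wikis' own; the per-wiki `GRANT ALL PRIVILEGES ON ${db_name}.*` in wiki.pp already covers work inside each wiki database. If the installer needs the privilege only to create the wiki database, having Puppet create that database and dropping the global grant would keep the account closer to least privilege; this is an inference, since the installer invocation is not in the diff. The host part of the account that `mysql::user` creates is also not visible here. It has to equal the `${db_host}` used in the wiki.pp GRANT, otherwise the grant applies to a different account than the one given `$db_pass`.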
diff --git a/puppet/modules/mediawiki/manifests/wiki.pp
b/puppet/modules/mediawiki/manifests/wiki.pp
index fbe17fb..c58552c 100644
--- a/puppet/modules/mediawiki/manifests/wiki.pp
+++ b/puppet/modules/mediawiki/manifests/wiki.pp
@@ -60,9 +60,10 @@
#
define mediawiki::wiki(
$wiki_name = $title,
+ $db_host = '',
$db_name = "${title}wiki",
- $db_user = $::mediawiki::db_user,
- $db_pass = $::mediawiki::db_pass,
+ $db_user = $::mediawiki::multiwiki::db_user,
+ $db_pass = $::mediawiki::multiwiki::db_pass,
$admin_user = $::mediawiki::admin_user,
$admin_pass = $::mediawiki::admin_pass,
$src_dir = $::mediawiki::dir,
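Review bot: The new `$db_host` parameter has no entry in the define's header comment: the wiki.pp diff contains no hunk touching that comment, while multiwiki.pp documents its new parameters in the same change. Add `# [*db_host*]` followed by `#   Host part of the MySQL account that is granted access to the wiki database (example: '127.0.0.1').` alongside the other database parameters. The header comment and the define body both lie outside this hunk.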
@@ -76,6 +77,10 @@
include ::mediawiki
require ::mediawiki::multiwiki
+ mysql::sql { "GRANT ALL PRIVILEGES ON ${db_name}.* TO
${db_user}@${db_host}":
+ unless => "SELECT * FROM INFORMATION_SCHEMA.SCHEMA_PRIVILEGES WHERE
TABLE_SCHEMA = '${db_name}' AND GRANTEE = \"'${db_user}'@'${db_host}'\""
+ }
+
$settings_root = "${::mediawiki::multiwiki::settings_root}/${db_name}"
$settings_dir = "${settings_root}/settings.d"
$installer_args = {
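Review bot: The GRANT statement interpolates `${db_name}`, `${db_user}` and `${db_host}` without any quoting, while the `unless` query quotes the same user and host; a database name containing a hyphen, or an empty host, therefore yields a statement that fails or names a different account than the one the check looks for. Quote the account as `'${db_user}'@'${db_host}'` in the GRANT as well, and quote the database identifier in whatever form survives the way `mysql::sql` hands the statement to the client, which is not visible in this diff. The `unless` guard is also satisfied by any single row in SCHEMA_PRIVILEGES for that grantee and schema, so an account holding only part of the privileges is treated as already granted.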
@@ -87,6 +92,7 @@
scriptpath => '/w',
server => $server_url,
confpath => $settings_root,
+ require => Mysql::Sql["GRANT ALL PRIVILEGES ON ${db_name}.* TO
${db_user}@${db_host}"],
}
file { [$upload_dir, $cache_dir]:
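Review bot: The added `require => Mysql::Sql[...]` appears to land inside the `$installer_args` hash opened at the end of the previous hunk, where it is one more key/value pair rather than a metaparameter, so it would not order the installer after the GRANT. The lines between the two hunks are not shown, so this is inferred from the surrounding `scriptpath`/`server`/`confpath` keys and the closing `}`. Put the `require` on the resource that runs the installer instead. The reference also repeats the whole SQL title and must stay identical to it character for character; assigning the statement once, `$grant_sql = "GRANT ALL PRIVILEGES ON ${db_name}.* TO ${db_user}@${db_host}"`, and using `mysql::sql { $grant_sql:` and `Mysql::Sql[$grant_sql]` removes that coupling.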
diff --git a/puppet/modules/role/manifests/flow.pp
b/puppet/modules/role/manifests/flow.pp
index 7a6c302..7509f67 100644
--- a/puppet/modules/role/manifests/flow.pp
+++ b/puppet/modules/role/manifests/flow.pp
@@ -9,6 +9,11 @@
include ::role::betafeatures
include ::role::varnish
+ # # Equivalent to extension1 in production
+ # mysql::db { 'Flow cluster':
+ # dbname => 'external',
+ # }
+
mediawiki::extension { 'Flow':
needs_update => true,
settings => template('role/flow/conf.php.erb'),
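Review bot: The added block is commented-out Puppet code, with a doubled `# #` on its first line, so the change ships a `mysql::db` resource that is never declared. Either declare the resource or replace the block with a one-line marker such as `# TODO(T86373): create the 'external' database for the Flow cluster`, so readers can tell it is pending work rather than disabled configuration.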
--
To view, visit https://gerrit.wikimedia.org/r/260097
Gerrit-MessageType: newchange
Gerrit-Change-Id: I25e3f3b0c43197835f87a8418501208c282569a8
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/vagrant
Gerrit-Branch: master
Gerrit-Owner: Mattflaschen <[email protected]>