Elukey has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/364412 )
Change subject: role::mariadb::analytics::custom_repl_slave: add EventLogging cleaner user ...................................................................... role::mariadb::analytics::custom_repl_slave: add EventLogging cleaner user This user should allow the upcoming eventlogging_cleaner.py script to authenticate via unix socket domain in localhost to the log database. The mysql grants are not automatically deployed, they will need to be added manually to mariadb. Bug: T170118 Change-Id: I39925ad25eafdce076f8f44ec09865b3c900b4ef --- M modules/role/manifests/mariadb.pp M modules/role/templates/mariadb/grants/production-m4.sql.erb 2 files changed, 21 insertions(+), 0 deletions(-) Approvals: Marostegui: Looks good to me, but someone else must approve Elukey: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/role/manifests/mariadb.pp b/modules/role/manifests/mariadb.pp index 32bdc0f..fcec982 100644 --- a/modules/role/manifests/mariadb.pp +++ b/modules/role/manifests/mariadb.pp @@ -210,6 +210,21 @@ # Only 'replicate' this many rows at a time. $batch_size = 1000 + group { 'eventlog': + ensure => 'present', + system => true, + } + + user { 'eventlogcleaner': + gid => 'eventlog', + shell => '/bin/false', + home => '/nonexistent', + comment => 'EventLogging cleaner user', + system => true, + managehome => false, + require => Group['eventlog'], + } + file { '/usr/local/bin/eventlogging_sync.sh': ensure => present, owner => 'root', diff --git a/modules/role/templates/mariadb/grants/production-m4.sql.erb b/modules/role/templates/mariadb/grants/production-m4.sql.erb index d92395a..dddcf01 100644 --- a/modules/role/templates/mariadb/grants/production-m4.sql.erb +++ b/modules/role/templates/mariadb/grants/production-m4.sql.erb 
@@ -23,3 +23,9 @@ GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON `log`.* TO 'eventlog'@'10.64.32.158'; + + +-- eventlog script responsible to sanitize/delete sensitive data over time + +GRANT ALTER, SELECT, UPDATE + ON `log`.* TO 'eventlogcleaner'@'localhost' IDENTIFIED VIA unix_socket; \ No newline at end of file -- To view, visit https://gerrit.wikimedia.org/r/364412 Gerrit-MessageType: merged Gerrit-Change-Id: I39925ad25eafdce076f8f44ec09865b3c900b4ef Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Elukey <ltosc...@wikimedia.org> Gerrit-Reviewer: Elukey <ltosc...@wikimedia.org> Gerrit-Reviewer: Jcrespo <jcre...@wikimedia.org> Gerrit-Reviewer: Marostegui <maroste...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <>
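Review bot: in the modules/role/manifests/mariadb.pp hunk (@@ -210,6 +210,21 @@), the new user { 'eventlogcleaner': } block carries no comment saying that this OS account name is what the database trusts. The grant added in production-m4.sql.erb uses IDENTIFIED VIA unix_socket, so any process running as the local user eventlogcleaner is accepted as the MariaDB account of the same name without a password. A short comment above the resource stating that the name must stay in sync with the grant, and that the account exists only for socket authentication, would keep a later rename or reuse of the account from silently changing who can reach the log database. The group sets ensure => 'present' explicitly while the user resource does not; adding ensure => 'present' to the user would make the two consistent. The shell => '/bin/false', home => '/nonexistent' and managehome => false settings fit a non-interactive service account.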
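Review bot: in the modules/role/templates/mariadb/grants/production-m4.sql.erb hunk (@@ -23,3 +23,9 @@), the comment says the script will "sanitize/delete" data, but the grant is ALTER, SELECT, UPDATE with no DELETE, and ALTER applies to every table in `log`. Either the comment or the privilege list should be reconciled: if rows are only updated in place, drop "delete" from the comment and say why ALTER is needed; if rows are removed, DELETE is missing and the script will fail on its first delete. ALTER on `log`.* is the broadest of the three privileges, so it is worth a one-line justification or removal if the cleaner never changes table definitions. The grant also depends on the unix_socket authentication plugin being available on the server, which nothing in this change shows, and the commit message notes that these grants are applied by hand, so the file and the live grants can drift; a SHOW GRANTS FOR 'eventlogcleaner'@'localhost' check after the manual step would confirm they match. The file now ends without a trailing newline.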