Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use separate db users for deployed components. #3876

Merged
merged 1 commit into from
Jul 23, 2018
Merged

Use separate db users for deployed components. #3876

merged 1 commit into from
Jul 23, 2018

Conversation

cbickel
Copy link
Contributor

@cbickel cbickel commented Jul 13, 2018

With this PR, each deployed component will get it's own database credentials. On doing this, we are able to set the permissions for each component.
E.g. the invoker does not need write access to the subjects- and the whisks db.

The database users and the permission handling is done on wipedb and initdb.

The db-prefix is part of the usernames. This is to avoid clashes if several Openwhisk instances use the same couchdb/cloudant instance.

Related issue and scope

  • I opened an issue to propose and discuss this change (#????)

My changes affect the following components

  • API
  • Controller
  • Message Bus (e.g., Kafka)
  • Loadbalancer
  • Invoker
  • Intrinsic actions (e.g., sequences, conductors)
  • Data stores (e.g., CouchDB)
  • Tests
  • Deployment
  • CLI
  • General tooling
  • Documentation

Types of changes

  • Bug fix (generally a non-breaking change which closes an issue).
  • Enhancement or new feature (adds new functionality).
  • Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

  • I signed an Apache CLA.
  • I reviewed the style guides and followed the recommendations (Travis CI will check :).
  • I added tests to cover my changes.
  • My changes require further changes to the documentation.
  • I updated the documentation where necessary.

@cbickel cbickel added the wip label Jul 13, 2018
@codecov-io
Copy link

codecov-io commented Jul 13, 2018
edited
Loading

Codecov Report

Merging #3876 into master will decrease coverage by 4.76%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #3876      +/-   ##
==========================================
- Coverage   75.72%   70.96%   -4.77%     
==========================================
  Files         145      145              
  Lines        6901     6901              
  Branches      417      417              
==========================================
- Hits         5226     4897     -329     
- Misses       1675     2004     +329
Impacted Files Coverage Δ
...core/database/cosmosdb/RxObservableImplicits.scala 0% <0%> (-100%) ⬇️
...core/database/cosmosdb/CosmosDBArtifactStore.scala 0% <0%> (-95.08%) ⬇️
...sk/core/database/cosmosdb/CosmosDBViewMapper.scala 0% <0%> (-92.6%) ⬇️
...whisk/core/database/cosmosdb/CosmosDBSupport.scala 0% <0%> (-81.82%) ⬇️
...abase/cosmosdb/CosmosDBArtifactStoreProvider.scala 0% <0%> (-58.83%) ⬇️
...la/whisk/core/database/cosmosdb/CosmosDBUtil.scala 92% <0%> (-4%) ⬇️
...rc/main/scala/whisk/common/ForcableSemaphore.scala 88.46% <0%> (+3.84%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b8ffcd...0c7ba39. Read the comment docs.

@cbickel cbickel added review Review for this PR has been requested and yet needs to be done. and removed wip labels Jul 16, 2018
@cbickel cbickel requested a review from vvraskin July 18, 2018 10:04
vvraskin
vvraskin reviewed Jul 19, 2018
View reviewed changes
ansible/tasks/db/grantPermissions.yml
body: |
{
"cloudant": {
{% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

ansible/roles/controller/tasks/deploy.yml
@@ -162,8 +164,8 @@
"CONFIG_whisk_couchdb_protocol": "{{ db.protocol }}"
"CONFIG_whisk_couchdb_host": "{{ db.host }}"
"CONFIG_whisk_couchdb_port": "{{ db.port }}"
"CONFIG_whisk_couchdb_username": "{{ db.credentials.admin.user }}"
"CONFIG_whisk_couchdb_password": "{{ db.credentials.admin.pass }}"
"CONFIG_whisk_couchdb_username": "{{ db.credentials.controller.user }}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we perhaps use dbUser and dbPass here?
I think the same could be valid for the invoker as well

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please ignore the comment, discussed it in person

vvraskin
vvraskin approved these changes Jul 20, 2018
View reviewed changes
Copy link
Contributor

@vvraskin vvraskin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cbickel
Copy link
Contributor Author

cbickel commented Jul 23, 2018

PG3#2554 🔵

@vvraskin vvraskin merged commit 02660b4 into apache:master Jul 23, 2018
@cbickel cbickel deleted the cdb0 branch July 23, 2018 09:51
@chetanmeh
Copy link
Member

I tried to pickup latest master today and for me ansible tasks were failing with below error

$ ansible-playbook -i environments/local properties.yml 

PLAY [ansible] *******************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************
Monday 30 July 2018  14:29:16 +0530 (0:00:00.276)       0:00:00.276 *********** 
ok: [ansible]

TASK [write whisk.properties template to openwhisk_home] *************************************************************************************************************************************************************************
Monday 30 July 2018  14:29:22 +0530 (0:00:06.372)       0:00:06.649 *********** 
fatal: [ansible]: FAILED! => {"changed": false, "msg": "AnsibleError: An unhandled exception occurred while templating '{u'protocol': u'{{ controllerProtocolForSetup }}', u'extraEnv': u'{{ controller_extraEnv | default({}) }}', u'dir': {u'become': u'{{ controller_dir_become | default(false) }}'}, u'ssl': {u'keystore': {u'path': u'/conf/{{ controllerKeystoreName }}', u'password': u'{{ controllerKeystorePassword }}'}, u'cert': u\"{{ controller_ca_cert | default('controller-openwhisk-server-cert.pem') }}\", u'truststore': {u'path': u'/conf/{{ controllerKeystoreName }}', u'password': u'{{ controllerKeystorePassword }}'}, u'cn': u'openwhisk-controllers', u'key': u\"{{ controller_key | default('controller-openwhisk-server-key.pem') }}\", u'clientAuth': u\"{{ controller_client_auth | default('true') }}\", u'storeFlavor': u'PKCS12'}, u'heap': u\"{{ controller_heap | default('2g') }}\", u'entitlement': {u'spi': u\"{{ controller_entitlement_spi | default('') }}\"}, u'instances': u\"{{ groups['controllers'] | length }}\", u'loglevel': u\"{{ controller_loglevel | default(whisk_loglevel) | default('INFO') }}\", u'timeoutFactor': u'{{ controller_timeout_factor | default(2) }}', u'blackboxFraction': u'{{ controller_blackbox_fraction | default(0.10) }}', u'confdir': u'{{ config_root_dir }}/controller', u'authentication': {u'spi': u\"{{ controller_authentication_spi | default('') }}\"}, u'arguments': u\"{{ controller_arguments | default('') }}\", u'basePort': 10001, u'akka': {u'cluster': {u'bindPort': 2551, u'basePort': 8000, u'host': u\"{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}\", u'seedNodes': u\"{{ groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}\"}, u'provider': u'cluster'}, u'loadbalancer': {u'spi': u\"{{ controller_loadbalancer_spi | default('') }}\"}, u'localBookkeeping': u\"{{ controller_local_bookkeeping | default('false') }}\"}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'ini'. Error was a <class 'ConfigParser.NoSectionError'>, original message: No section: u'controller'"}

AnsibleError: An unhandled exception occurred while templating
'{u'protocol': u'{{ controllerProtocolForSetup }}', u'extraEnv': u'{{
controller_extraEnv | default({}) }}', u'dir': {u'become': u'{{
controller_dir_become | default(false) }}'}, u'ssl': {u'keystore': {u'path':
u'/conf/{{ controllerKeystoreName }}', u'password': u'{{
controllerKeystorePassword }}'}, u'cert': u"{{ controller_ca_cert | default
('controller-openwhisk-server-cert.pem') }}", u'truststore': {u'path':
u'/conf/{{ controllerKeystoreName }}', u'password': u'{{
controllerKeystorePassword }}'}, u'cn': u'openwhisk-controllers', u'key': u"{{
controller_key | default('controller-openwhisk-server-key.pem') }}",
u'clientAuth': u"{{ controller_client_auth | default('true') }}",
u'storeFlavor': u'PKCS12'}, u'heap': u"{{ controller_heap | default('2g') }}",
u'entitlement': {u'spi': u"{{ controller_entitlement_spi | default('') }}"},
u'instances': u"{{ groups['controllers'] | length }}", u'loglevel': u"{{
controller_loglevel | default(whisk_loglevel) | default('INFO') }}",
u'timeoutFactor': u'{{ controller_timeout_factor | default(2) }}',
u'blackboxFraction': u'{{ controller_blackbox_fraction | default(0.10) }}',
u'confdir': u'{{ config_root_dir }}/controller', u'authentication': {u'spi':
u"{{ controller_authentication_spi | default('') }}"}, u'arguments': u"{{
controller_arguments | default('') }}", u'basePort': 10001, u'akka':
{u'cluster': {u'bindPort': 2551, u'basePort': 8000, u'host': u"{{
groups['controllers'] | map('extract', hostvars, 'ansible_host') | list }}",
u'seedNodes': u"{{ groups['controllers'] | map('extract', hostvars,
'ansible_host') | list }}"}, u'provider': u'cluster'}, u'loadbalancer': {u'spi':
u"{{ controller_loadbalancer_spi | default('') }}"}, u'localBookkeeping': u"{{
controller_local_bookkeeping | default('false') }}"}'. Error was a <class
'ansible.errors.AnsibleError'>, original message: An unhandled exception
occurred while running the lookup plugin 'ini'. Error was a <class
'ConfigParser.NoSectionError'>, original message: No section: u'controller'

PLAY RECAP ***********************************************************************************************************************************************************************************************************************
ansible                    : ok=1    changed=0    unreachable=0    failed=1

Apparently that was happening because system already had a db_local.ini present which was not getting regenerated and hence was not having newer section for controller. Deleting the existing local and running wskdev couchdb seems to have resolved the problem

BillZong pushed a commit to BillZong/openwhisk that referenced this pull request Nov 18, 2019
@cbickel @vvraskin
Use separate credentials for controller and invoker. (apache#3876)
4fc97ba
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vvraskin vvraskin vvraskin approved these changes

Assignees

@vvraskin vvraskin

Labels
review Review for this PR has been requested and yet needs to be done.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cbickel @codecov-io @chetanmeh @vvraskin