MySQL client->server communication is not yet encrypted in fundraising.
Open      Dwisehaupt  T170321 encrypt fundraising database client->server communication
Open      None        T246823 figure out Buster package for python3-mysql.connector for use with fruec
Resolved  Jgreen      T279058 enable SSL database connection for fundraising superset
SSL capability is available on all dbs. Working through the different tools we have to ensure they use (or can use) ssl connectivity. Then moving on to larger projects such as superset, civi, etc.
Set of commits that have rolled out ssl connectivity on connections for tools using dbs:
17e67c03 Enable ssl for mysql connections with aide tools
3ddf3678 Enable ssl for mysql connections in pfp
ba969b91 Document future use of ssl for mysql in check_fundraising_jobs
85d31e96 Revert "Add ssl connection by default for dump_database"
be8e101b Add ssl connection by default for dump_database
a875afb4 Add ssl connection by default for compact_innodb_table
0131d4a6 Have schema_dumpler default to ssl connections
8fa87562 Add puppet cert files for mysql use on siem role
Pushed this for make_grants to allow the ability to require ssl on user db connections. Not currently enabled for any accounts yet.
[frack::puppet::private] e69d624 Add requires option to user definitions
Replication user on payments db set to require ssl. Grants script pushed and run on payments1001. Replication stopped and started on a subset of hosts and the connection continues. At the mysql.user table level, the change is seen in the ssl_type value.
Before:

+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication |          |
| replication |          |
+-------------+----------+

After:

+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication | ANY      |
| replication | ANY      |
+-------------+----------+
Replication user on fundraising db set to require ssl. Grants script pushed and run on frdb1004. Replication stopped and restarted on a set of hosts and the connection succeeded and replication continues. mysql.user table shows updated ssl_type value.
Grant scripts updated to use 'create user or replace' (available since 10.1.3) which will allow us to run the scripts and just update the user accounts without the need to drop and recreate grants if we so desire. Tested with my user account and it runs well.
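The two steps described in the comments above (setting REQUIRE SSL on the replication user and checking the result in mysql.user, then using MariaDB's CREATE OR REPLACE USER so the grants script can be re-run without dropping accounts) as one worked MariaDB example. This is an added illustration, not the fundraising make_grants script or any of the commits listed above; the host pattern, password, certificate path and replica-side CHANGE MASTER settings are placeholders, and the actual fundraising grants are not shown on this page.

```sql
-- Added example (not the fundraising grants script). Assumed placeholders:
-- the '10.0.0.%' host pattern, the password, and /etc/mysql/ssl/ca.pem.

-- MariaDB 10.1.3+ syntax: re-create the account in place without the
-- DROP USER / GRANT cycle, so the script can be re-run idempotently.
CREATE OR REPLACE USER 'replication'@'10.0.0.%' IDENTIFIED BY 'change-me';

-- REQUIRE SSL on the GRANT is accepted by every MariaDB release that has
-- CREATE OR REPLACE USER; it sets mysql.user.ssl_type to ANY, which is the
-- blank -> ANY change shown in the before/after tables above.
GRANT REPLICATION SLAVE ON *.* TO 'replication'@'10.0.0.%' REQUIRE SSL;

-- Account-level check: ssl_type must read ANY for every matching row.
SELECT User, Host, ssl_type FROM mysql.user WHERE User = 'replication';

-- On the replica: reconnect over TLS and restart replication. Without
-- MASTER_SSL_VERIFY_SERVER_CERT the link is encrypted but the primary's
-- identity is not checked, so a MITM with any certificate would be accepted.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Replica-side check: Slave_IO_Running should be Yes and Master_SSL_Allowed
-- Yes (use \G in the mysql client for a readable vertical layout).
SHOW SLAVE STATUS;

-- From any client session: a non-empty Ssl_cipher means this connection is
-- actually encrypted; an empty value means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Two caveats worth keeping in mind when rolling REQUIRE SSL out to more accounts. First, it is enforced at authentication: a client that still connects in plaintext is refused with an access-denied error, so the tool-by-tool commits above need to land before the account is switched. Second, REQUIRE SSL only guarantees encryption; server identity is the client's responsibility, so the mysql client should be run with --ssl together with --ssl-ca and --ssl-verify-server-cert (and replicas with MASTER_SSL_VERIFY_SERVER_CERT = 1 as above), otherwise an on-path attacker presenting any certificate is not detected.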