Page MenuHomePhabricator
Create Task
Maniphest T347381

Support maintain-dbusers on the new network layout
Closed, ResolvedPublic
Actions

Description

Deploy new firewall rules and grants for new cloudcontrol private IPs.

Details

SubjectRepoBranchLines +/-
wiki-replicas: Update IP address for cloudcontrol1006operations/puppetproduction+5 -5
wiki-replicas: Add CREATE USER and GRANT OPTION to labsdbadminoperations/puppetproduction+3 -3
hieradata: move maintain-dbusers to cloudcontrol1005operations/puppetproduction+2 -2
cr-labs: Permit dbproxy access for wiki replica metadata databaseoperations/homer/publicmaster+8 -0
Allow cloudcontrol1005 and 1007 to connect to wiki replicasoperations/puppetproduction+18 -10
cr-labs: Permit wiki replica account creation related flowsoperations/homer/publicmaster+10 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Sep 26 2023, 9:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 26 2023, 9:17 AM
gerritbot added a comment.Sep 26 2023, 9:31 AM

Change 961055 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/homer/public@master] cr-labs: Permit wiki replica account creation related flows

https://gerrit.wikimedia.org/r/961055

gerritbot added a project: Patch-For-Review.Sep 26 2023, 9:31 AM
gerritbot added a comment.Sep 26 2023, 10:03 AM

Change 961055 merged by jenkins-bot:

[operations/homer/public@master] cr-labs: Permit wiki replica account creation related flows

https://gerrit.wikimedia.org/r/961055

Stashbot added a comment.Sep 26 2023, 10:03 AM

Mentioned in SAL (#wikimedia-operations) [2023-09-26T10:03:47Z] <taavi> update CR firewall policy to permit wiki replica account creation in the new cloud-private network setup, https://gerrit.wikimedia.org/r/961055 T347381

Maintenance_bot removed a project: Patch-For-Review.Sep 26 2023, 10:10 AM
gerritbot added a comment.Sep 26 2023, 10:27 AM

Change 961068 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] Allow cloudcontrol1005 and 1007 to connect to wiki replicas

https://gerrit.wikimedia.org/r/961068

gerritbot added a project: Patch-For-Review.Sep 26 2023, 10:27 AM
dr0ptp4kt subscribed.Sep 26 2023, 1:57 PM
dr0ptp4kt added subscribers: Andrew, Marostegui.Sep 26 2023, 4:07 PM
taavi updated the task description. (Show Details)Sep 26 2023, 4:16 PM
Marostegui added a project: Data-Persistence (work done).Sep 27 2023, 8:44 AM

I have created the users requested on that patch, even though I have -1 it as it needs something else anyways.
Does that labsadmin user also needs a password? Keep in mind it is being assigned to a role, if so, please let me know where it is

gerritbot added a comment.Sep 27 2023, 9:00 AM

Change 961336 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/homer/public@master] cr-labs: Permit dbproxy access for wiki replica metadata database

https://gerrit.wikimedia.org/r/961336

gerritbot added a comment.Sep 27 2023, 9:22 AM

Change 961068 merged by Majavah:

[operations/puppet@production] Allow cloudcontrol1005 and 1007 to connect to wiki replicas

https://gerrit.wikimedia.org/r/961068

Marostegui added a comment.Sep 27 2023, 9:24 AM

Grants added across all the replicas, this is how they look now:

root@clouddb1013.eqiad.wmnet[(none)]> show grants for 'labsdbadmin'@'10.64.148.21';
+-----------------------------------------------------------------------------------------------------------------------+
| Grants for labsdbadmin@10.64.148.21                                                                                   |
+-----------------------------------------------------------------------------------------------------------------------+
| GRANT `labsdbuser` TO `labsdbadmin`@`10.64.148.21` WITH ADMIN OPTION                                                  |
| GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.148.21` IDENTIFIED BY PASSWORD '*xx' |
| GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO `labsdbadmin`@`10.64.148.21`                                             |
| GRANT SELECT, SHOW VIEW ON `%wik%`.* TO `labsdbadmin`@`10.64.148.21`                                                  |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO `labsdbadmin`@`10.64.148.21` WITH GRANT OPTION                                 |
+-----------------------------------------------------------------------------------------------------------------------+
5 rows in set (0.001 sec)

root@clouddb1013.eqiad.wmnet[(none)]> show grants for 'labsdbadmin'@'10.64.151.3';
+----------------------------------------------------------------------------------------------------------------------+
| Grants for labsdbadmin@10.64.151.3                                                                                   |
+----------------------------------------------------------------------------------------------------------------------+
| GRANT `labsdbuser` TO `labsdbadmin`@`10.64.151.3` WITH ADMIN OPTION                                                  |
| GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '*xx' |
| GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO `labsdbadmin`@`10.64.151.3`                                             |
| GRANT SELECT, SHOW VIEW ON `%wik%`.* TO `labsdbadmin`@`10.64.151.3`                                                  |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO `labsdbadmin`@`10.64.151.3` WITH GRANT OPTION                                 |
+----------------------------------------------------------------------------------------------------------------------+
5 rows in set (0.000 sec)
gerritbot added a comment.Sep 27 2023, 9:26 AM

Change 961345 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] hieradata: move maintain-dbusers to cloudcontrol1005

https://gerrit.wikimedia.org/r/961345

gerritbot added a comment.Sep 27 2023, 9:29 AM

Change 961336 merged by jenkins-bot:

[operations/homer/public@master] cr-labs: Permit dbproxy access for wiki replica metadata database

https://gerrit.wikimedia.org/r/961336

gerritbot added a comment.Sep 27 2023, 9:36 AM

Change 961345 merged by Majavah:

[operations/puppet@production] hieradata: move maintain-dbusers to cloudcontrol1005

https://gerrit.wikimedia.org/r/961345

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2023, 10:10 AM
taavi added a comment.Sep 27 2023, 11:26 AM

Account creation using the new grants is failing with a permission error. I noticed a difference in the old and new grants:

GRANT SUPER, CREATE USER ON *.* TO `labsdbadmin`@`208.80.154.149` IDENTIFIED BY PASSWORD '[redacted]' WITH GRANT OPTION
GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '[redacted]'

So the new grants and the SQL file in Puppet are missing the CREATE USER priv and the WITH GRANT OPTION modifier. I'll submit a patch to document that those are required.

gerritbot added a comment.Sep 27 2023, 11:26 AM

Change 961366 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] wiki-replicas: Add CREATE USER and GRANT OPTION to labsdbadmin

https://gerrit.wikimedia.org/r/961366

gerritbot added a project: Patch-For-Review.Sep 27 2023, 11:26 AM
gerritbot added a comment.Sep 27 2023, 4:44 PM

Change 961366 merged by Marostegui:

[operations/puppet@production] wiki-replicas: Add CREATE USER and GRANT OPTION to labsdbadmin

https://gerrit.wikimedia.org/r/961366

Marostegui added a comment.Sep 27 2023, 4:45 PM
In T347381#9202706, @taavi wrote:

Account creation using the new grants is failing with a permission error. I noticed a difference in the old and new grants:

GRANT SUPER, CREATE USER ON *.* TO `labsdbadmin`@`208.80.154.149` IDENTIFIED BY PASSWORD '[redacted]' WITH GRANT OPTION
GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '[redacted]'

So the new grants and the SQL file in Puppet are missing the CREATE USER priv and the WITH GRANT OPTION modifier. I'll submit a patch to document that those are required.

I have added that grant

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2023, 5:10 PM
gerritbot added a comment.Oct 10 2023, 9:43 AM

Change 964871 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] wiki-replicas: Update IP address for cloudcontrol1006

https://gerrit.wikimedia.org/r/964871

gerritbot added a project: Patch-For-Review.Oct 10 2023, 9:43 AM
gerritbot added a comment.Nov 15 2023, 10:45 AM

Change 964871 merged by Majavah:

[operations/puppet@production] wiki-replicas: Update IP address for cloudcontrol1006

https://gerrit.wikimedia.org/r/964871

Maintenance_bot removed a project: Patch-For-Review.Nov 15 2023, 11:10 AM
taavi closed this task as Resolved.Nov 20 2023, 12:36 PM
fnegri moved this task from Backlog to Done on the cloud-services-team (FY2023/2024-Q1-Q2) board.Jan 3 2024, 10:38 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits