Deploy new firewall rules and grants for new cloudcontrol private IPs.
Details
Status | Assigned | Task
---|---|---
Resolved | aborrero | T296411 cloud: decide on general idea for having cloud-dedicated hardware provide service in the cloud realm & the internet
Resolved | aborrero | T297596 have cloud hardware servers in the cloud realm using a dedicated LB layer
Resolved | taavi | T341060 openstack eqiad1: introduce cloud-private and cloudlb
Resolved | Jclark-ctr | T341494 cloud @ eqiad: hardware re-racking plan
Resolved | taavi | T346891 cloudcontrol1006: move to new network setup
Resolved | taavi | T347381 Support maintain-dbusers on the new network layout
Event Timeline
Change 961055 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/homer/public@master] cr-labs: Permit wiki replica account creation related flows
Change 961055 merged by jenkins-bot:
[operations/homer/public@master] cr-labs: Permit wiki replica account creation related flows
Mentioned in SAL (#wikimedia-operations) [2023-09-26T10:03:47Z] <taavi> update CR firewall policy to permit wiki replica account creation in the new cloud-private network setup, https://gerrit.wikimedia.org/r/961055 T347381
Change 961068 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] Allow cloudcontrol1005 and 1007 to connect to wiki replicas
I have created the users requested on that patch, even though I have -1'd it as it needs something else anyway.
Does that labsadmin user also need a password? Keep in mind it is being assigned to a role; if so, please let me know where it is.
Change 961336 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/homer/public@master] cr-labs: Permit dbproxy access for wiki replica metadata database
Change 961068 merged by Majavah:
[operations/puppet@production] Allow cloudcontrol1005 and 1007 to connect to wiki replicas
Grants added across all the replicas, this is how they look now:
```
root@clouddb1013.eqiad.wmnet[(none)]> show grants for 'labsdbadmin'@'10.64.148.21';
+-------------------------------------------------------------------------------------------+
| Grants for labsdbadmin@10.64.148.21                                                       |
+-------------------------------------------------------------------------------------------+
| GRANT `labsdbuser` TO `labsdbadmin`@`10.64.148.21` WITH ADMIN OPTION                      |
| GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.148.21` IDENTIFIED BY PASSWORD '*xx'           |
| GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO `labsdbadmin`@`10.64.148.21`                 |
| GRANT SELECT, SHOW VIEW ON `%wik%`.* TO `labsdbadmin`@`10.64.148.21`                      |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO `labsdbadmin`@`10.64.148.21` WITH GRANT OPTION     |
+-------------------------------------------------------------------------------------------+
5 rows in set (0.001 sec)

root@clouddb1013.eqiad.wmnet[(none)]> show grants for 'labsdbadmin'@'10.64.151.3';
+------------------------------------------------------------------------------------------+
| Grants for labsdbadmin@10.64.151.3                                                       |
+------------------------------------------------------------------------------------------+
| GRANT `labsdbuser` TO `labsdbadmin`@`10.64.151.3` WITH ADMIN OPTION                      |
| GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '*xx'           |
| GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO `labsdbadmin`@`10.64.151.3`                 |
| GRANT SELECT, SHOW VIEW ON `%wik%`.* TO `labsdbadmin`@`10.64.151.3`                      |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO `labsdbadmin`@`10.64.151.3` WITH GRANT OPTION     |
+------------------------------------------------------------------------------------------+
5 rows in set (0.000 sec)
```
Change 961345 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] hieradata: move maintain-dbusers to cloudcontrol1005
Change 961336 merged by jenkins-bot:
[operations/homer/public@master] cr-labs: Permit dbproxy access for wiki replica metadata database
Change 961345 merged by Majavah:
[operations/puppet@production] hieradata: move maintain-dbusers to cloudcontrol1005
Account creation using the new grants is failing with a permission error. I noticed a difference in the old and new grants:
```
GRANT SUPER, CREATE USER ON *.* TO `labsdbadmin`@`208.80.154.149` IDENTIFIED BY PASSWORD '[redacted]' WITH GRANT OPTION
GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '[redacted]'
```
So the new grants and the SQL file in Puppet are missing the CREATE USER priv and the WITH GRANT OPTION modifier. I'll submit a patch to document that those are required.
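A check for the privilege gap described in this comment, written as an added example that is not part of the task, the Puppet SQL file or maintain-dbusers: it parses `SHOW GRANTS` lines (sample lines constructed here from the output quoted in this task) and reports what an account lacks on `*.*` to create users and hand out privileges, so the same comparison can be run against every replica before moving the service.

```python
import re

# Constructed sample lines, taken from the SHOW GRANTS output quoted in this task:
# the old account (208.80.154.149) beside the new one (10.64.151.3).
OLD_GRANTS = [
    "GRANT `labsdbuser` TO `labsdbadmin`@`208.80.154.149` WITH ADMIN OPTION",
    "GRANT SUPER, CREATE USER ON *.* TO `labsdbadmin`@`208.80.154.149` "
    "IDENTIFIED BY PASSWORD '[redacted]' WITH GRANT OPTION",
]
NEW_GRANTS = [
    "GRANT `labsdbuser` TO `labsdbadmin`@`10.64.151.3` WITH ADMIN OPTION",
    "GRANT SUPER ON *.* TO `labsdbadmin`@`10.64.151.3` IDENTIFIED BY PASSWORD '[redacted]'",
    "GRANT SELECT, INSERT, UPDATE ON `mysql`.* TO `labsdbadmin`@`10.64.151.3`",
    "GRANT SELECT, SHOW VIEW ON `%wik%`.* TO `labsdbadmin`@`10.64.151.3`",
    "GRANT SELECT, SHOW VIEW ON `%\\_p`.* TO `labsdbadmin`@`10.64.151.3` WITH GRANT OPTION",
]

# Matches "GRANT <privs> ON <object> TO `user`@`host` <modifiers>"; role grants
# ("GRANT `role` TO ...") have no ON clause and are skipped on purpose.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO `[^`]+`@`[^`]+`(?P<rest>.*)$"
)


def parse_grants(lines):
    """Map each granted object (e.g. '*.*') to (set of privileges, has WITH GRANT OPTION)."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grant_option = "WITH GRANT OPTION" in m.group("rest").upper()
        seen_privs, seen_opt = grants.get(m.group("obj"), (set(), False))
        grants[m.group("obj")] = (seen_privs | privs, seen_opt or grant_option)
    return grants


def missing_for_account_creation(lines, required=frozenset({"SUPER", "CREATE USER"})):
    """List what the account lacks on *.* to create users and grant them privileges:
    any missing global privilege, plus WITH GRANT OPTION when it is absent."""
    privs, grant_option = parse_grants(lines).get("*.*", (set(), False))
    missing = sorted(required - privs)
    if not grant_option:
        missing.append("WITH GRANT OPTION")
    return missing


if __name__ == "__main__":
    for name, lines in (("old", OLD_GRANTS), ("new", NEW_GRANTS)):
        print(f"{name} grant: missing {missing_for_account_creation(lines) or 'nothing'}")
```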
Change 961366 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] wiki-replicas: Add CREATE USER and GRANT OPTION to labsdbadmin
Change 961366 merged by Marostegui:
[operations/puppet@production] wiki-replicas: Add CREATE USER and GRANT OPTION to labsdbadmin
Change 964871 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] wiki-replicas: Update IP address for cloudcontrol1006
Change 964871 merged by Majavah:
[operations/puppet@production] wiki-replicas: Update IP address for cloudcontrol1006