Added properties 'ssl_type' and 'ssl_cipher' to mysql_user to enable … #792
…SSL encrypted authentication.

Added two properties 'ssl_type' and 'ssl_cipher' to mysql_user to allow specifying the required SSL method for the user to log in.

'ssl_type' can take the values '', 'ANY', 'SPECIFIED', or 'X509', which results in no requirement for SSL (''), any SSL-based authentication ('ANY'), SSL-based authentication using a specific cipher ('SPECIFIED'), or authentication using a signed client certificate ('X509'). 'ssl_cipher' allows providing the cipher and requires ssl_type == 'SPECIFIED'.

This is in compliance with the MySQL GRANT syntax, cf. e.g. https://dev.mysql.com/doc/refman/5.6/en/grant.html

The additional properties and corresponding SQL-statements for X509-options are not yet implemented.

Examples:

```puppet
mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'ANY'
}
```

generates

```sql
GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;
```

for an existing user or inserts the REQUIRE-clause in the GRANT command of the create-method for a new user.

```puppet
mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'SPECIFIED',
  ssl_cipher    => 'EDH-RSA-DES-CBC3-SHA'
}
```

generates

```sql
GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;
GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
```

for an existing user or inserts the REQUIRE-clause connected by AND in the GRANT command of the create-method for a new user.
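An added example, not code from this PR or the puppetlabs-mysql module, showing the ssl_type/ssl_cipher to REQUIRE-clause mapping described above with the input validation done up front, so nothing unchecked reaches the SQL string. The function names, the cipher-name pattern, the quote check on user/host and the use of REQUIRE NONE for '' are assumptions of this example.

```ruby
# Added example, not code from this PR or the puppetlabs-mysql module.
# Builds the REQUIRE clause of a GRANT statement from the proposed
# ssl_type / ssl_cipher properties, validating the values first the way a
# Puppet type's validate block would, so the provider never interpolates
# unchecked input into SQL.
SSL_TYPES = ['', 'ANY', 'SPECIFIED', 'X509'].freeze
# Assumption: cipher suite names consist of letters, digits and dashes only
# (e.g. EDH-RSA-DES-CBC3-SHA); anything else, quotes included, is rejected.
CIPHER_NAME = /\A[A-Za-z0-9-]+\z/

def validate_ssl(ssl_type, ssl_cipher)
  unless SSL_TYPES.include?(ssl_type)
    raise ArgumentError, "ssl_type must be one of #{SSL_TYPES.inspect}, got #{ssl_type.inspect}"
  end
  if ssl_type == 'SPECIFIED'
    raise ArgumentError, 'ssl_cipher is required when ssl_type is SPECIFIED' if ssl_cipher.to_s.empty?
    raise ArgumentError, "#{ssl_cipher.inspect} is not a valid cipher name" unless CIPHER_NAME.match?(ssl_cipher)
  elsif !ssl_cipher.to_s.empty?
    raise ArgumentError, 'ssl_cipher is only allowed when ssl_type is SPECIFIED'
  end
  true
end

# Maps the property values to the MySQL tls_option. CIPHER on its own is what
# makes MySQL store ssl_type = SPECIFIED (SSL and CIPHER cannot be joined with
# AND). REQUIRE NONE clears a requirement previously set on an existing user.
def require_clause(ssl_type, ssl_cipher = '')
  validate_ssl(ssl_type, ssl_cipher)
  case ssl_type
  when ''          then 'NONE'
  when 'ANY'       then 'SSL'
  when 'X509'      then 'X509'
  when 'SPECIFIED' then "CIPHER '#{ssl_cipher}'"
  end
end

# user and host come from the resource title ('someuser@%' in the PR example);
# they are checked for quote characters here for the same reason as the cipher.
def grant_usage(user, host, ssl_type, ssl_cipher = '')
  [user, host].each do |part|
    raise ArgumentError, "#{part.inspect} may not contain quotes or backslashes" if part =~ /['"\\]/
  end
  "GRANT USAGE ON *.* TO '#{user}'@'#{host}' REQUIRE #{require_clause(ssl_type, ssl_cipher)};"
end

if __FILE__ == $PROGRAM_NAME
  puts grant_usage('someuser', '%', 'ANY')
  puts grant_usage('someuser', '%', 'SPECIFIED', 'EDH-RSA-DES-CBC3-SHA')
end
```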
end | ||
if !ssl_cipher.empty? | ||
grant_require << " AND CIPHER '#{ssl_cipher}'" | ||
end |
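Review bot: `grant_require << " AND CIPHER '#{ssl_cipher}'"` interpolates the property value straight into the GRANT statement with no validation, so a value containing a quote or other unexpected characters breaks the SQL; validating ssl_cipher in the type (a strict cipher-name pattern, and only accepted when ssl_type is 'SPECIFIED') keeps this provider code to plain concatenation, which is also where @igalic's comment points. Separately, appending AND CIPHER to a clause that already holds SSL yields `REQUIRE SSL AND CIPHER '...'`, which the linked GRANT grammar does not accept (AND only joins SUBJECT, ISSUER and CIPHER elements); `REQUIRE CIPHER '...'` on its own is what stores ssl_type SPECIFIED.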
I don't understand why you're validating this here, rather than in the type.
@reuterbal thank you very much for this new feature
@@ -14,16 +14,16 @@ def self.instances | |||
users.collect do |name| | |||
if mysqld_version.nil? | |||
## Default ... | |||
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" | |||
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, PASSWORD, SSL_TYPE, SSL_CIPHER /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'" |
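Review bot: SSL_TYPE and SSL_CIPHER are added outside the `/*!50508 , PLUGIN */` version-conditional comment, so the query now hard-depends on those two columns existing in mysql.user on every server version the module supports; either state in the commit message (or a comment on this line) the minimum version that provides them, which answers @igalic's question, or wrap them in a conditional comment the way PLUGIN is. While this line is being touched, the unescaped `'#{name}'` in the WHERE clause deserves a look as well, even though it predates this change.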
Will this need an annotation like PLUGIN? Since when has that been available?
Thanks for the contribution @reuterbal. Have you had a chance to look at or address the feedback provided by @igalic?
Hey @reuterbal, thank you for your contribution! We would be interested in having this feature, would you be willing to make the changes that @igalic has suggested?
Hi there,
Thank you for your efforts. I'm closing this PR due to inactivity. Feel free to open a new PR with the comments addressed if you would still like this feature merged. Thanks!