Skip to content

Added properties 'ssl_type' and 'ssl_cipher' to mysql_user to enable … #792

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Added properties 'ssl_type' and 'ssl_cipher' to mysql_user to enable … #792

wants to merge 1 commit into from

Conversation

@reuterbal
Copy link

@reuterbal reuterbal commented Jan 9, 2016

…SSL encrypted authentication.

Added two properties 'ssl_type' and 'ssl_cipher' to mysql_user to allow specifying the required SSL method for the user to log in.
'ssl_type' can take the values '', 'ANY', 'SPECIFIED', or 'X509', which results in no requirement for SSL (''), any SSL-based authentication ('ANY'), SSL-based authentication using a specific cipher ('SPECIFIED'), or authentication using a signed client certificate ('X509').
'ssl_cipher' allows to provide the cipher and requires ssl_type == 'SPECIFIED'.
This is in compliance with the MySQL GRANT syntax, cf. e.g. https://dev.mysql.com/doc/refman/5.6/en/grant.html

The additional properties and corresponding SQL-statements for X509-options are not yet implemented.

Examples:

mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'ANY'
}

generates

  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;

for an existing user or inserts the REQUIRE-clause in the GRANT command of the create-method for a new user.

mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'SPECIFIED',
  ssl_cipher    => 'EDH-RSA-DES-CBC3-SHA'
}

generates

  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;
  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';

for an existing user or inserts the REQUIRE-clause connected by AND in the GRANT command of the create-method for a new user.

@reuterbal
Added properties 'ssl_type' and 'ssl_cipher' to mysql_user to enable …
3af33f1 
…SSL encrypted authentication.

Added two properties 'ssl_type' and 'ssl_cipher' to mysql_user to allow specifying the required SSL method for the user to log in.
'ssl_type' can take the values '', 'ANY', 'SPECIFIED', or 'X509', which results in no requirement for SSL (''), any SSL-based authentication ('ANY'), SSL-based authentication using a specific cipher ('SPECIFIED'), or authentication using a signed client certificate ('X509').
'ssl_cipher' allows to provide the cipher and requires ssl_type == 'SPECIFIED'.
This is in compliance with the MySQL GRANT syntax, cf. e.g. https://dev.mysql.com/doc/refman/5.6/en/grant.html

The additional properties and corresponding SQL-statements for X509-options are not yet implemented.

Examples:

mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'ANY'
}

generates

  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;

for an existing user or inserts the REQUIRE-clause in the GRANT command of the create-method for a new user.

mysql_user { 'someuser@%':
  ensure        => 'present',
  password_hash => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  ssl_type      => 'SPECIFIED',
  ssl_cipher    => 'EDH-RSA-DES-CBC3-SHA'
}

generates

  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE SSL;
  GRANT USAGE ON *.* TO 'someuser'@'%' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';

for an existing user or inserts the REQUIRE-clause connected by AND in the GRANT command of the create-method for a new user.
igalic
igalic reviewed Jan 11, 2016
View reviewed changes
lib/puppet/provider/mysql_user/mysql.rb
Copy link
Contributor

@igalic igalic Jan 11, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't understand why you're validating this here, rather than in the type.

@igalic
Copy link
Contributor

igalic commented Jan 11, 2016

@reuterbal thank you very much for this new feature
however, as a new feature it will need documentation
as well as an upgrade to the tests, which are failing now

igalic
igalic reviewed Jan 11, 2016
View reviewed changes
lib/puppet/provider/mysql_user/mysql.rb
Copy link
Contributor

@igalic igalic Jan 11, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will this need an annotation like PLUGIN? since when has that been available?

@bmjen
Copy link
Contributor

bmjen commented Feb 4, 2016

Thanks for the contribution @reuterbal. Have you had a chance to look at or address the feedback provided by @igalic?

@HelenCampbell
Copy link
Contributor

HelenCampbell commented Mar 8, 2016

Hey @reuterbal , thank you for your contribution! We would be interested in having this feature, would you be willing to make the changes that @igalic has suggested?

@jonnytdevops
Copy link
Contributor

jonnytdevops commented Mar 24, 2016

Hi There

Thank you for your efforts.

I'm closing this PR due to inactivity. Feel free to open a new PR with the comments addressed if you would still like this feature merged.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-docs needs-tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@reuterbal @igalic @bmjen @HelenCampbell @jonnytdevops