[james-page,r=gnuoy,r=dosaboy] Fix grant race in access-network configurations.

Ensure that access is not granted until a remote IP address is presented that is in the CIDR for access-network.
2015-09-21 11:02:53 +01:00
parent 8cda02e558 2b3adce73b
commit 8e9ad2a51c
1 changed files with 22 additions and 3 deletions
--- a/hooks/percona_hooks.py
+++ b/hooks/percona_hooks.py
@@ -429,6 +429,9 @@ def shared_db_changed(relation_id=None, unit=None):
    access_network = config('access-network')
    db_helper = get_db_helper()

+    peer_store_and_set(relation_id=relation_id,
+                       relation_settings={'access-network': access_network})
+
    singleset = set(['database', 'username', 'hostname'])
    if singleset.issubset(settings):
        # Process a single database configuration
@@ -436,6 +439,15 @@ def shared_db_changed(relation_id=None, unit=None):
        database = settings['database']
        username = settings['username']

+        normalized_address = get_host_ip(hostname)
+        if access_network and not is_address_in_network(access_network,
+                                                        normalized_address):
+            # NOTE: for configurations using access-network, only setup
+            #       database access if remote unit has presented a
+            #       hostname or ip address thats within the configured
+            #       network cidr
+            return
+
        # NOTE: do this before querying access grants
        password = configure_db_for_hosts(hostname, database, username,
                                          db_helper)
@@ -485,6 +497,16 @@ def shared_db_changed(relation_id=None, unit=None):
                hostname = databases[db]['hostname']
                username = databases[db]['username']

+                normalized_address = get_host_ip(hostname)
+                if (access_network and
+                        not is_address_in_network(access_network,
+                                                  normalized_address)):
+                    # NOTE: for configurations using access-network,
+                    #       only setup database access if remote unit
+                    #       has presented a hostname or ip address
+                    #       thats within the configured network cidr
+                    return
+
                # NOTE: do this before querying access grants
                password = configure_db_for_hosts(hostname, database, username,
                                                  db_helper)
@@ -509,9 +531,6 @@ def shared_db_changed(relation_id=None, unit=None):
        else:
            log("No return data - not setting relation settings", level=DEBUG)

-    peer_store_and_set(relation_id=relation_id,
-                       relation_settings={'access-network': access_network})
-

@hooks.hook('ha-relation-joined')
 def ha_relation_joined():