openstack/charm-percona-cluster
Code Issues Proposed changes

[james-page,r=gnuoy,r=dosaboy] Fix grant race in access-network configurations.

Browse Source 
Ensure that access is not granted until a remote IP address is presented that is in the CIDR for access-network.
This commit is contained in:
James Page
2015-09-21 11:02:53 +01:00
parent 8cda02e558 2b3adce73b
commit 8e9ad2a51c
1 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
hooks/percona_hooks.py
View File

@@ -429,6 +429,9 @@ def shared_db_changed(relation_id=None, unit=None):
access_network = config('access-network') access_network = config('access-network')
db_helper = get_db_helper() db_helper = get_db_helper()
peer_store_and_set(relation_id=relation_id,
relation_settings={'access-network': access_network})
singleset = set(['database', 'username', 'hostname']) singleset = set(['database', 'username', 'hostname'])
if singleset.issubset(settings): if singleset.issubset(settings):
# Process a single database configuration # Process a single database configuration
@@ -436,6 +439,15 @@ def shared_db_changed(relation_id=None, unit=None):
database = settings['database'] database = settings['database']
username = settings['username'] username = settings['username']
normalized_address = get_host_ip(hostname)
if access_network and not is_address_in_network(access_network,
normalized_address):
# NOTE: for configurations using access-network, only setup
# database access if remote unit has presented a
# hostname or ip address thats within the configured
# network cidr
return
# NOTE: do this before querying access grants # NOTE: do this before querying access grants
password = configure_db_for_hosts(hostname, database, username, password = configure_db_for_hosts(hostname, database, username,
db_helper) db_helper)
@@ -485,6 +497,16 @@ def shared_db_changed(relation_id=None, unit=None):
hostname = databases[db]['hostname'] hostname = databases[db]['hostname']
username = databases[db]['username'] username = databases[db]['username']
normalized_address = get_host_ip(hostname)
if (access_network and
not is_address_in_network(access_network,
normalized_address)):
# NOTE: for configurations using access-network,
# only setup database access if remote unit
# has presented a hostname or ip address
# thats within the configured network cidr
return
# NOTE: do this before querying access grants # NOTE: do this before querying access grants
password = configure_db_for_hosts(hostname, database, username, password = configure_db_for_hosts(hostname, database, username,
db_helper) db_helper)
@@ -509,9 +531,6 @@ def shared_db_changed(relation_id=None, unit=None):
else: else:
log("No return data - not setting relation settings", level=DEBUG) log("No return data - not setting relation settings", level=DEBUG)
peer_store_and_set(relation_id=relation_id,
relation_settings={'access-network': access_network})
@hooks.hook('ha-relation-joined') @hooks.hook('ha-relation-joined')
def ha_relation_joined(): def ha_relation_joined():