1#!/usr/bin/python 2# Copyright (c) 2014 The Chromium OS Authors. All rights reserved. 3# Use of this source code is governed by a BSD-style license that can be 4# found in the LICENSE file. 5 6"""Bootstrap mysql. 7 8The purpose of this module is to grant access to a new-user/host/password 9combination on a remote db server. For example, if we were bootstrapping 10a new autotest master A1 with a remote database server A2, the scheduler 11running on A1 needs to access the database on A2 with the credentials 12specified in the shadow_config of A1 (A1_user, A1_pass). To achieve this 13we ssh into A2 and execute the grant privileges command for (A1_user, 14A1_pass, A1_host). If OTOH the db server is running locally we only need 15to grant permissions for (A1_user, A1_pass, localhost). 16 17The operation to achieve this will look like: 18 ssh/become into A2 19 Execute mysql -u <default_user> -p<default_pass> -e 20 "GRANT privileges on <db> to 'A1_user'@A1 identified by 'A1_pass';" 21 22However this will only grant the right access permissions to A1, so we need 23to repeat for all subsequent db clients we add. This will happen through puppet. 24 25In the case of a vagrant cluster, a remote vm cannot ssh into the db server 26vm with plain old ssh. However, the entire vm cluster is provisioned at the 27same time, so we can grant access to all remote vm clients directly on the 28database server without knowing their ips by using the ip of the gateway. 29This works because the db server vm redirects its database port (3306) to 30a predefined port (defined in the vagrant file, defaults to 8002), and all 31other vms in the cluster can only access it through the vm host identified 32by the gateway. 33 34The operation to achieve this will look like: 35 Provision the vagrant db server 36 Execute mysql -u <default_user> -p<default_pass> -e 37 "GRANT privileges on <db> to 'A1_user'@(gateway address) 38 identified by 'A1_pass';" 39This will grant the right access permissions to all vms running on the 40host machine as long as they use the right port to access the database. 41""" 42 43import argparse 44import logging 45import socket 46import subprocess 47import sys 48 49import common 50 51from autotest_lib.client.common_lib import global_config 52from autotest_lib.client.common_lib import utils 53from autotest_lib.site_utils.lib import infra 54 55 56class MySQLCommandError(Exception): 57 """Generic mysql command execution exception.""" 58 59 60class MySQLCommandExecutor(object): 61 """Class to shell out to mysql. 62 63 USE THIS CLASS WITH CARE. It doesn't protect against SQL injection on 64 assumption that anyone with access to our servers can run the same 65 commands directly instead of through this module. Do not expose it 66 through a webserver, it is meant solely as a utility module to allow 67 easy database bootstrapping via puppet. 68 """ 69 70 DEFAULT_USER = global_config.global_config.get_config_value( 71 'AUTOTEST_WEB', 'default_db_user', default='root') 72 73 DEFAULT_PASS = global_config.global_config.get_config_value( 74 'AUTOTEST_WEB', 'default_db_pass', default='autotest') 75 76 77 @classmethod 78 def mysql_cmd(cls, cmd, user=DEFAULT_USER, password=DEFAULT_PASS, 79 host='localhost', port=3306): 80 """Wrap the given mysql command. 81 82 @param cmd: The mysql command to wrap with the --execute option. 83 @param host: The host against which to run the command. 84 @param user: The user to use in the given command. 85 @param password: The password for the user. 86 @param port: The port mysql server is listening on. 87 """ 88 return ('mysql -u %s -p%s --host %s --port %s -e "%s"' % 89 (user, password, host, port, cmd)) 90 91 92 @staticmethod 93 def execute(dest_server, full_cmd): 94 """Execute a mysql statement on a remote server by sshing into it. 95 96 @param dest_server: The hostname of the remote mysql server. 97 @param full_cmd: The full mysql command to execute. 98 99 @raises MySQLCommandError: If the full_cmd failed on dest_server. 100 """ 101 try: 102 return infra.execute_command(dest_server, full_cmd) 103 except subprocess.CalledProcessError as e: 104 raise MySQLCommandError('Failed to execute %s against %s' % 105 (full_cmd, dest_server)) 106 107 108 @classmethod 109 def ping(cls, db_server, user=DEFAULT_USER, password=DEFAULT_PASS, 110 use_ssh=False): 111 """Ping the given db server as 'user' using 'password'. 112 113 @param db_server: The host running the mysql server. 114 @param user: The user to use in the ping. 115 @param password: The password of the user. 116 @param use_ssh: If False, the command is executed on localhost 117 by supplying --host=db_server in the mysql command. Otherwise we 118 ssh/become into the db_server and execute the command with 119 --host=localhost. 120 121 @raises MySQLCommandError: If the ping command fails. 122 """ 123 if use_ssh: 124 ssh_dest_server = db_server 125 mysql_cmd_host = 'localhost' 126 else: 127 ssh_dest_server = 'localhost' 128 mysql_cmd_host = db_server 129 ping = cls.mysql_cmd( 130 'SELECT version();', host=mysql_cmd_host, user=user, 131 password=password) 132 cls.execute(ssh_dest_server, ping) 133 134 135def bootstrap(user, password, source_host, dest_host): 136 """Bootstrap the given user against dest_host. 137 138 Allow a user from source_host to access the db server running on 139 dest_host. 140 141 @param user: The user to bootstrap. 142 @param password: The password for the user. 143 @param source_host: The host from which the new user will access the db. 144 @param dest_host: The hostname of the remote db server. 145 146 @raises MySQLCommandError: If we can't ping the db server using the default 147 user/password specified in the shadow_config under default_db_*, or 148 we can't ping it with the new credentials after bootstrapping. 149 """ 150 # Confirm ssh/become access. 151 try: 152 infra.execute_command(dest_host, 'echo "hello"') 153 except subprocess.CalledProcessError as e: 154 logging.error("Cannot become/ssh into dest host. You need to bootstrap " 155 "it using fab -H <hostname> bootstrap from the " 156 "chromeos-admin repo.") 157 return 158 # Confirm the default user has at least database read privileges. Note if 159 # the default user has *only* read privileges everything else will still 160 # fail. This is a remote enough case given our current setup that we can 161 # avoid more complicated checking at this level. 162 MySQLCommandExecutor.ping(dest_host, use_ssh=True) 163 164 # Prepare and execute the grant statement for the new user. 165 creds = { 166 'new_user': user, 167 'new_pass': password, 168 'new_host': source_host, 169 } 170 # TODO(beeps): Restrict these permissions. For now we have a couple of 171 # databases which may/may-not exist on various roles that need refactoring. 172 grant_privileges = ( 173 "GRANT ALL PRIVILEGES ON *.* to '%(new_user)s'@'%(new_host)s' " 174 "IDENTIFIED BY '%(new_pass)s'; FLUSH PRIVILEGES;") 175 MySQLCommandExecutor.execute( 176 dest_host, MySQLCommandExecutor.mysql_cmd(grant_privileges % creds)) 177 178 # Confirm the new user can ping the remote database server from localhost. 179 MySQLCommandExecutor.ping( 180 dest_host, user=user, password=password, use_ssh=False) 181 182 183def get_gateway(): 184 """Return the address of the default gateway. 185 186 @raises: subprocess.CalledProcessError: If the address of the gateway 187 cannot be determined via netstat. 188 """ 189 cmd = 'netstat -rn | grep "^0.0.0.0 " | cut -d " " -f10 | head -1' 190 try: 191 return infra.execute_command('localhost', cmd).rstrip('\n') 192 except subprocess.CalledProcessError as e: 193 logging.error('Unable to get gateway: %s', e) 194 raise 195 196 197def _parse_args(args): 198 parser = argparse.ArgumentParser(description='A script to bootstrap mysql ' 199 'with credentials from the shadow_config.') 200 parser.add_argument( 201 '--enable_gateway', action='store_true', dest='enable_gateway', 202 default=False, help='Enable gateway access for vagrant testing.') 203 return parser.parse_args(args) 204 205 206def main(argv): 207 """Main bootstrapper method. 208 209 Grants permissions to the appropriate user on localhost, then enables the 210 access through the gateway if --enable_gateway is specified. 211 """ 212 args = _parse_args(argv) 213 dest_host = global_config.global_config.get_config_value( 214 'AUTOTEST_WEB', 'host') 215 user = global_config.global_config.get_config_value( 216 'AUTOTEST_WEB', 'user') 217 password = global_config.global_config.get_config_value( 218 'AUTOTEST_WEB', 'password') 219 220 # For access via localhost, one needs to specify localhost as the hostname. 221 # Neither the ip or the actual hostname of localhost will suffice in 222 # mysql version 5.5, without complications. 223 local_hostname = ('localhost' if utils.is_localhost(dest_host) 224 else socket.gethostname()) 225 logging.info('Bootstrapping user %s on host %s against db server %s', 226 user, local_hostname, dest_host) 227 bootstrap(user, password, local_hostname, dest_host) 228 229 if args.enable_gateway: 230 gateway = get_gateway() 231 logging.info('Enabling access through gateway %s', gateway) 232 bootstrap(user, password, gateway, dest_host) 233 234 235if __name__ == '__main__': 236 sys.exit(main(sys.argv[1:])) 237