Posted to commits@openwhisk.apache.org by ma...@apache.org on 2018/08/24 09:17:06 UTC

[incubator-openwhisk] branch master updated: Make ansible script to grant database permissions more general. (#3985)

This is an automated email from the ASF dual-hosted git repository.

markusthoemmes pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new b8107e9  Make ansible script to grant database permissions more general. (#3985)
b8107e9 is described below

commit b8107e96f3de16ee06134539d5a0a766a3b24d66
Author: Christian Bickel <gi...@cbickel.de>
AuthorDate: Fri Aug 24 11:17:01 2018 +0200

    Make ansible script to grant database permissions more general. (#3985)
---
 ansible/tasks/db/createUsers.yml      |  9 +++++++++
 ansible/tasks/db/grantPermissions.yml | 32 ++++++++++++++++++++------------
 2 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/ansible/tasks/db/createUsers.yml b/ansible/tasks/db/createUsers.yml
index 2f2b2c0..f823c39 100644
--- a/ansible/tasks/db/createUsers.yml
+++ b/ansible/tasks/db/createUsers.yml
@@ -4,6 +4,15 @@
 # Create all required users in _users-database
 # http://docs.couchdb.org/en/2.0.0/intro/security.html#users-documents
 
+- name: create _users DB if it doesn't exist yet
+  uri:
+    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users"
+    method: PUT
+    status_code: 200,201,412
+    user: "{{ db.credentials.admin.user }}"
+    password: "{{ db.credentials.admin.pass }}"
+    force_basic_auth: yes
+
 - name: create required users
   uri:
     url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users/org.couchdb.user:{{ item.value.user }}"
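Review bot: The accepted codes on the new `_users` PUT, `status_code: 200,201,412`, do not match what CouchDB documents for creating a database: success is 201, or 202 when a clustered node accepts the write without reaching quorum, and 200 is not listed. As written, a 202 would fail the play even though the database was created. I would use `status_code: [201, 202, 412]` and add a comment that 412 means the database already exists, so the task is safe to re-run. This should be confirmed against the CouchDB version the deployment targets.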
diff --git a/ansible/tasks/db/grantPermissions.yml b/ansible/tasks/db/grantPermissions.yml
index 6ac1b77..b7d1c1b 100644
--- a/ansible/tasks/db/grantPermissions.yml
+++ b/ansible/tasks/db/grantPermissions.yml
@@ -3,20 +3,28 @@
 ---
 # Grant the specified users permissions to the specified database.
 # dbName - name of the database
-# admins - all users with admin access
-# readers - all users that have read access on the database
-# writers - all users that have write access on the database
+# dbHostname - hostname of the database
+# dbAdminUser - admin user, which is able to grant permissions
+# dbAdminPassword - password of the admin user, which is able to grant permissions
+# admins - all users which should have admin access on this database afterwards
+# readers - all users which should have read access on this database afterwards
+# writers - all users which should have write access on this database afterwards
+
+- set_fact:
+    dbUser: "{{ dbAdminUser | default(db.credentials.admin.user) }}"
+    dbPassword: "{{ dbAdminPassword | default(db.credentials.admin.pass) }}"
+    dbHost: "{{ dbHostname | default(db.host) }}"
 
 # If a component uses admin credentials, the admin user will not be added to the list (as it already has all access rights).
 - set_fact:
-    readerList: "{{ readers | default([]) | difference([db.credentials.admin.user]) }}"
-    writerList: "{{ writers | default([]) | difference([db.credentials.admin.user]) }}"
-    adminList: "{{ admins | default([]) | difference([db.credentials.admin.user]) }}"
+    readerList: "{{ readers | default([]) | difference([dbUser]) }}"
+    writerList: "{{ writers | default([]) | difference([dbUser]) }}"
+    adminList: "{{ admins | default([]) | difference([dbUser]) }}"
 
 # http://docs.couchdb.org/en/2.0.0/api/database/security.html
 - name: grant permissions for CouchDB
   uri:
-    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+    url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security"
     method: PUT
     status_code: 200
     body_format: json
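Review bot: The first new `set_fact` copies the admin password into a host fact (`dbPassword`) without `no_log`, so the value can appear in task output when the play runs with `-v` and it remains in the host's variables for the rest of the run. I would add `no_log: true` to that task and give it a name, e.g. `- name: resolve admin credentials and host for {{ dbName }}`. The fact names `dbUser`, `dbPassword` and `dbHost` are also generic enough to collide with other roles. A prefix, or passing the `default()` expressions directly in the `uri` arguments, would avoid storing the password as a fact at all.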
@@ -31,15 +39,15 @@
           "roles": []
         }
       }
-    user: "{{ db.credentials.admin.user }}"
-    password: "{{ db.credentials.admin.pass }}"
+    user: "{{ dbUser }}"
+    password: "{{ dbPassword }}"
     force_basic_auth: yes
   when: db.provider == 'CouchDB'
 
 # https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization
 - name: grant permissions for Cloudant
   uri:
-    url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+    url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security"
     method: PUT
     status_code: 200
     body_format: json
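Review bot: The host in the `url:` line now comes from `dbHost` (here for the Cloudant task, and in the previous hunk for CouchDB), but the scheme and port still come from `db.protocol` and `db.port`. A caller that passes `dbHostname` therefore sends `dbUser`/`dbPassword` with `force_basic_auth` to that host using the default database's protocol and port. If `db.protocol` can be `http` in a deployment, the admin password would reach the caller-chosen host in cleartext. I would either accept matching protocol and port parameters alongside `dbHostname`, or state the constraint in the header comment, e.g. `# dbHostname - hostname of the database (must be reachable via db.protocol and db.port)`. Both tasks continue outside this hunk.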
@@ -49,7 +57,7 @@
           {% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %}
         }
       }
-    user: "{{ db.credentials.admin.user }}"
-    password: "{{ db.credentials.admin.pass }}"
+    user: "{{ dbUser }}"
+    password: "{{ dbPassword }}"
     force_basic_auth: yes
   when: db.provider == 'Cloudant'