Posted to commits@openwhisk.apache.org by ma...@apache.org on 2018/08/24 09:17:06 UTC
[incubator-openwhisk] branch master updated: Make ansible script to
grant database permissions more general. (#3985)
This is an automated email from the ASF dual-hosted git repository.
markusthoemmes pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new b8107e9 Make ansible script to grant database permissions more general. (#3985)
b8107e9 is described below
commit b8107e96f3de16ee06134539d5a0a766a3b24d66
Author: Christian Bickel <gi...@cbickel.de>
AuthorDate: Fri Aug 24 11:17:01 2018 +0200
Make ansible script to grant database permissions more general. (#3985)
---
ansible/tasks/db/createUsers.yml | 9 +++++++++
ansible/tasks/db/grantPermissions.yml | 32 ++++++++++++++++++++------------
2 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/ansible/tasks/db/createUsers.yml b/ansible/tasks/db/createUsers.yml
index 2f2b2c0..f823c39 100644
--- a/ansible/tasks/db/createUsers.yml
+++ b/ansible/tasks/db/createUsers.yml
@@ -4,6 +4,15 @@
# Create all required users in _users-database
# http://docs.couchdb.org/en/2.0.0/intro/security.html#users-documents
+- name: create _users DB if it doesn't exist yet
+ uri:
+ url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users"
+ method: PUT
+ status_code: 200,201,412
+ user: "{{ db.credentials.admin.user }}"
+ password: "{{ db.credentials.admin.pass }}"
+ force_basic_auth: yes
+
- name: create required users
uri:
url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users/org.couchdb.user:{{ item.value.user }}"
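Review bot: The new `_users` creation task still hard-codes `db.host` and `db.credentials.admin.*`, whereas grantPermissions.yml in the same commit is parameterized via `dbHostname`/`dbAdminUser`/`dbAdminPassword` with `default()` fallbacks; if createUsers.yml is meant to be "more general" too, the same indirection would apply here, though the rest of the file is outside the hunk so I cannot tell how it is included. `PUT /_users` is a CouchDB database-creation call, and unlike the grant tasks it carries no `when: db.provider == 'CouchDB'` guard, so it is worth confirming that this file never runs against the Cloudant provider. The accepted status codes also deserve a comment so the next reader does not remove 412, e.g. `# 412 = database already exists, which keeps this task idempotent`.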
diff --git a/ansible/tasks/db/grantPermissions.yml b/ansible/tasks/db/grantPermissions.yml
index 6ac1b77..b7d1c1b 100644
--- a/ansible/tasks/db/grantPermissions.yml
+++ b/ansible/tasks/db/grantPermissions.yml
@@ -3,20 +3,28 @@
---
# Grant the specified users permissions to the specified database.
# dbName - name of the database
-# admins - all users with admin access
-# readers - all users that have read access on the database
-# writers - all users that have write access on the database
+# dbHostname - hostname of the database
+# dbAdminUser - admin user, which is able to grant permissions
+# dbAdminPassword - password of the admin user, which is able to grant permissions
+# admins - all users which should have admin access on this database afterwards
+# readers - all users which should have read access on this database afterwards
+# writers - all users which should have write access on this database afterwards
+
+- set_fact:
+ dbUser: "{{ dbAdminUser | default(db.credentials.admin.user) }}"
+ dbPassword: "{{ dbAdminPassword | default(db.credentials.admin.pass) }}"
+ dbHost: "{{ dbHostname | default(db.host) }}"
# If a component uses admin credentials, the admin user will not be added to the list (as it already has all access rights).
- set_fact:
- readerList: "{{ readers | default([]) | difference([db.credentials.admin.user]) }}"
- writerList: "{{ writers | default([]) | difference([db.credentials.admin.user]) }}"
- adminList: "{{ admins | default([]) | difference([db.credentials.admin.user]) }}"
+ readerList: "{{ readers | default([]) | difference([dbUser]) }}"
+ writerList: "{{ writers | default([]) | difference([dbUser]) }}"
+ adminList: "{{ admins | default([]) | difference([dbUser]) }}"
# http://docs.couchdb.org/en/2.0.0/api/database/security.html
- name: grant permissions for CouchDB
uri:
- url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+ url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security"
method: PUT
status_code: 200
body_format: json
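Review bot: The `set_fact` that now stores `dbPassword` has no `no_log`, and set_fact reports the facts it registered in its task result, so the admin password is printed in verbose runs and in any callback that records results; add `no_log: true` to that task. Because these are host-level facts they also persist for the rest of the play after this include returns, which is harmless here since every include re-sets them, but a comment such as `# dbUser/dbPassword/dbHost are host facts and are overwritten on each include` would make that explicit. The parameter header should also state that the three new parameters are optional, e.g. `# dbHostname - hostname of the database (optional, defaults to db.host)`, and likewise for `dbAdminUser` and `dbAdminPassword`.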
@@ -31,15 +39,15 @@
"roles": []
}
}
- user: "{{ db.credentials.admin.user }}"
- password: "{{ db.credentials.admin.pass }}"
+ user: "{{ dbUser }}"
+ password: "{{ dbPassword }}"
force_basic_auth: yes
when: db.provider == 'CouchDB'
# https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization
- name: grant permissions for Cloudant
uri:
- url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security"
+ url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security"
method: PUT
status_code: 200
body_format: json
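Review bot: The URL at the top of this hunk (and the CouchDB one in the previous hunk) now takes `dbHost` from the include parameters but keeps `db.protocol` and `db.port` from the global config, so a database reachable on a different host can only be addressed if it also shares the configured port and scheme. Either extend the same pattern with `dbProtocol`/`dbPort` facts defaulting to `db.protocol`/`db.port`, or document the limitation in the header: `# dbHostname - hostname of the database (protocol and port are always taken from db.protocol/db.port)`. The basic-auth credentials are sent with `force_basic_auth`, so with a plain-http `db.protocol` the overridden host receives them in clear text; that is pre-existing, but worth keeping in mind when the host becomes configurable.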
@@ -49,7 +57,7 @@
{% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %}
}
}
- user: "{{ db.credentials.admin.user }}"
- password: "{{ db.credentials.admin.pass }}"
+ user: "{{ dbUser }}"
+ password: "{{ dbPassword }}"
force_basic_auth: yes
when: db.provider == 'Cloudant'