[openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes

Roman Podoliaka rpodolyaka at mirantis.com
Wed Feb 26 09:54:37 UTC 2014 

Hi Clark,

>>> I think we can safely GRANT ALL on *.* to openstack_citest at localhost and call that good enough
Works for me.

Thanks,
Roman

On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan <clark.boylan at gmail.com> wrote:
> On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka
> <rpodolyaka at mirantis.com> wrote:
>> Hi all,
>>
>> [1] made it possible for openstack_citest MySQL user to create new
>> databases in tests on demand (which is very useful for parallel
>> running of tests on MySQL and PostgreSQL, thank you, guys!).
>>
>> Unfortunately, openstack_citest user can only create tables in the
>> created databases, but not to perform SELECT/UPDATE/INSERT queries.
>> Please see the bug [2] filed by Joshua Harlow.
>>
>> In PostgreSQL the user who creates a database, becomes the owner of
>> the database (and can do everything within this database), and in
>> MySQL we have to GRANT those privileges explicitly. But
>> openstack_citest doesn't have the permission to do GRANT (even on its
>> own databases).
>>
>> I think, we could overcome this issue by doing something like this
>> while provisioning a node:
>> GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to
>> 'openstack_citest'@'localhost';
>>
>> and then create databases giving them names starting with the prefix value.
>>
>> Is it an acceptable solution? Or am I missing something?
>>
>> Thanks,
>> Roman
>>
>> [1] https://review.openstack.org/#/c/69519/
>> [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> The problem with the prefix approach is it doesn't scale. At some
> point we will decide we need a new prefix then a third and so on
> (which is basically what happened at the schema level). That said we
> recently switched to using single use slaves for all unittesting so I
> think we can safely GRANT ALL on *.* to openstack_citest at localhost and
> call that good enough. This should work fine for upstream testing but
> may not be super friendly to others using the puppet manifests on
> permanent slaves. We can wrap the GRANT in a condition in puppet that
> is set only on single use slaves if this is a problem.
>
> Clark
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list