[openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Roman Podoliaka
rpodolyaka at mirantis.com
Fri Feb 28 14:15:08 UTC 2014
Hi all,
Just a FYI note, not whining :)
Still failing with 'command denied':
http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/877792b/console.html
Thanks,
Roman
On Fri, Feb 28, 2014 at 1:41 PM, Sergey Lukjanov <slukjanov at mirantis.com> wrote:
> Slave images are auto rebuilt daily, so, probably, it's not happens
> yet for all providers.
>
> Anyway I see the following in nodepool logs:
>
> 2014-02-28 02:24:09,255 INFO
> nodepool.image.build.rax-ord.bare-precise: [0;36mnotice:
> /Stage[main]/Jenkins::Slave/Mysql::Db[openstack_citest]/Database_grant[openstack_citest at localhost/openstack_citest]/privileges:
> privileges changed '' to 'all' [0m
>
> On Fri, Feb 28, 2014 at 12:28 PM, Roman Podoliaka
> <rpodolyaka at mirantis.com> wrote:
>> Hi Clark, all,
>>
>> https://review.openstack.org/#/c/76634/ has been merged, but I still
>> get 'command denied' errors [1].
>>
>> Is there something else, that must be done before we can use new
>> privileges of openstack_citest user?
>>
>> Thanks,
>> Roman
>>
>> [1] http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/e115a5f/console.html
>>
>> On Wed, Feb 26, 2014 at 11:54 AM, Roman Podoliaka
>> <rpodolyaka at mirantis.com> wrote:
>>> Hi Clark,
>>>
>>>>>> I think we can safely GRANT ALL on *.* to openstack_citest at localhost and call that good enough
>>> Works for me.
>>>
>>> Thanks,
>>> Roman
>>>
>>> On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan <clark.boylan at gmail.com> wrote:
>>>> On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka
>>>> <rpodolyaka at mirantis.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> [1] made it possible for openstack_citest MySQL user to create new
>>>>> databases in tests on demand (which is very useful for parallel
>>>>> running of tests on MySQL and PostgreSQL, thank you, guys!).
>>>>>
>>>>> Unfortunately, openstack_citest user can only create tables in the
>>>>> created databases, but not to perform SELECT/UPDATE/INSERT queries.
>>>>> Please see the bug [2] filed by Joshua Harlow.
>>>>>
>>>>> In PostgreSQL the user who creates a database, becomes the owner of
>>>>> the database (and can do everything within this database), and in
>>>>> MySQL we have to GRANT those privileges explicitly. But
>>>>> openstack_citest doesn't have the permission to do GRANT (even on its
>>>>> own databases).
>>>>>
>>>>> I think, we could overcome this issue by doing something like this
>>>>> while provisioning a node:
>>>>> GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to
>>>>> 'openstack_citest'@'localhost';
>>>>>
>>>>> and then create databases giving them names starting with the prefix value.
>>>>>
>>>>> Is it an acceptable solution? Or am I missing something?
>>>>>
>>>>> Thanks,
>>>>> Roman
>>>>>
>>>>> [1] https://review.openstack.org/#/c/69519/
>>>>> [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>> The problem with the prefix approach is it doesn't scale. At some
>>>> point we will decide we need a new prefix then a third and so on
>>>> (which is basically what happened at the schema level). That said we
>>>> recently switched to using single use slaves for all unittesting so I
>>>> think we can safely GRANT ALL on *.* to openstack_citest at localhost and
>>>> call that good enough. This should work fine for upstream testing but
>>>> may not be super friendly to others using the puppet manifests on
>>>> permanent slaves. We can wrap the GRANT in a condition in puppet that
>>>> is set only on single use slaves if this is a problem.
>>>>
>>>> Clark
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> --
> Sincerely yours,
> Sergey Lukjanov
> Savanna Technical Lead
> Mirantis Inc.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list