[openstack-dev] [Infra] openstack_citest MySQL user privileges to create databases on CI nodes
Roman Podoliaka
rpodolyaka at mirantis.com
Fri Feb 28 08:28:49 UTC 2014
Hi Clark, all,
https://review.openstack.org/#/c/76634/ has been merged, but I still
get 'command denied' errors [1].
Is there something else, that must be done before we can use new
privileges of openstack_citest user?
Thanks,
Roman
[1] http://logs.openstack.org/63/74963/4/check/gate-oslo-incubator-python27/e115a5f/console.html
On Wed, Feb 26, 2014 at 11:54 AM, Roman Podoliaka
<rpodolyaka at mirantis.com> wrote:
> Hi Clark,
>>>>> I think we can safely GRANT ALL on *.* to openstack_citest at localhost and call that good enough
> Works for me.
>> Thanks,
> Roman
>> On Tue, Feb 25, 2014 at 8:29 PM, Clark Boylan <clark.boylan at gmail.com> wrote:
>> On Tue, Feb 25, 2014 at 2:33 AM, Roman Podoliaka
>> <rpodolyaka at mirantis.com> wrote:
>>> Hi all,
>>>>>> [1] made it possible for openstack_citest MySQL user to create new
>>> databases in tests on demand (which is very useful for parallel
>>> running of tests on MySQL and PostgreSQL, thank you, guys!).
>>>>>> Unfortunately, openstack_citest user can only create tables in the
>>> created databases, but not to perform SELECT/UPDATE/INSERT queries.
>>> Please see the bug [2] filed by Joshua Harlow.
>>>>>> In PostgreSQL the user who creates a database, becomes the owner of
>>> the database (and can do everything within this database), and in
>>> MySQL we have to GRANT those privileges explicitly. But
>>> openstack_citest doesn't have the permission to do GRANT (even on its
>>> own databases).
>>>>>> I think, we could overcome this issue by doing something like this
>>> while provisioning a node:
>>> GRANT ALL on `some_predefined_prefix_goes_here\_%`.* to
>>> 'openstack_citest'@'localhost';
>>>>>> and then create databases giving them names starting with the prefix value.
>>>>>> Is it an acceptable solution? Or am I missing something?
>>>>>> Thanks,
>>> Roman
>>>>>> [1] https://review.openstack.org/#/c/69519/
>>> [2] https://bugs.launchpad.net/openstack-ci/+bug/1284320
>>>>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> The problem with the prefix approach is it doesn't scale. At some
>> point we will decide we need a new prefix then a third and so on
>> (which is basically what happened at the schema level). That said we
>> recently switched to using single use slaves for all unittesting so I
>> think we can safely GRANT ALL on *.* to openstack_citest at localhost and
>> call that good enough. This should work fine for upstream testing but
>> may not be super friendly to others using the puppet manifests on
>> permanent slaves. We can wrap the GRANT in a condition in puppet that
>> is set only on single use slaves if this is a problem.
>>>> Clark
>>>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list