TT#68032 Migrate from 'mysql -p${SIPWISE_DB_PASSWORD}' to Perl DBI defaults-extra-file=""

There is no need to read the text file and search for the password inside it:
we have a properly formatted credentials file, /etc/mysql/sipwise_extra.cnf,
which is fully supported by the MySQL/MariaDB client library and by Perl DBI.

We also plan to remove /etc/mysql/sipwise.cnf to prevent its usage
(and so prevent password leakage through the Linux process list).

Change-Id: I62006ae01d9097642a3dae063781a621f5050842
changes/49/34049/3
Alexander Lutay 7 years ago
parent ae46548355
commit e0458305c2

@ -21,14 +21,8 @@ foreach my $file (@ARGV) {
# rw connection to central node
my $dbhost = $config->{database}->{central}->{dbhost};
my $dbport = $config->{database}->{central}->{dbport};
open my $SWFH, '<', '/etc/mysql/sipwise.cnf';
my $dbpass = join ' ', <$SWFH>;
close $SWFH;
$dbpass =~ s/^\s*SIPWISE_DB_PASSWORD=\'([^\']+)\'.*$/$1/;
chomp $dbpass;
my $dbuser = 'sipwise';
my $dbname = $config->{ossbss}->{provisioning}->{database}->{name};
my $dbcredentials = "/etc/mysql/sipwise_extra.cnf";
unless(defined $dbhost) {
print "Error: Could not determine provisioning db hostname\n";
@ -42,14 +36,6 @@ unless(defined $dbname) {
print "Error: Could not determine provisioning db name\n";
exit 1;
}
unless(defined $dbuser) {
print "Error: Could not determine provisioning db user\n";
exit 1;
}
unless(defined $dbpass) {
print "Error: Could not determine provisioning db password\n";
exit 1;
}
$dbh = db_connect();
@ -76,10 +62,11 @@ exit 0;
sub db_connect
{
my $dbh = DBI->connect("DBI:mysql:database=${dbname};host=${dbhost};port=${dbport}",
$dbuser, $dbpass, { PrintError => 1 });
my $dbh = DBI->connect("DBI:mysql:database=${dbname};host=${dbhost};port=${dbport};"
. "mysql_read_default_file=${dbcredentials}",
"", "", { PrintError => 1 });
unless(defined $dbh) {
print "Error: Could not connect to database '$dbname' at '$dbhost:$dbport' as '${dbuser}': $DBI::errstr\n";
print "Error: Could not connect to database '$dbname' at '$dbhost:$dbport' using '${dbcredentials}': $DBI::errstr\n";
exit 1;
}
return $dbh;
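Review bot: The new connect in db_connect depends on `mysql_read_default_file=${dbcredentials}`, but nothing checks that /etc/mysql/sipwise_extra.cnf exists and is readable, whereas the removed `unless(defined $dbpass)` guard used to fail early with a clear message; as far as I know the MySQL/MariaDB client library silently ignores an absent, unreadable or world-writable defaults file, so the problem would only surface as an access-denied error for an empty user name. Add a readability check beside the other `unless(defined ...)` guards, which sit outside this hunk, e.g. `unless (-r $dbcredentials) { print "Error: Could not read db credentials file '$dbcredentials'\n"; exit 1; }`. The DSN still interpolates `$dbhost` and `$dbport` while the defaults file's `[client]` group may also carry host/port, so which side wins is worth confirming against the DBD::mysql version in use and noting in a comment above the connect. The closing brace of db_connect lies outside the hunk.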

@ -12,8 +12,6 @@ use YAML::XS;
use Readonly;
Readonly my $GRANTS_SCHEMA => '/etc/mysql/grants.yml';
Readonly my $DEFAULT_MYSQL_USER => "sipwise";
Readonly my $MYSQL_CREDENTIALS => "/etc/mysql/sipwise.cnf";
Readonly my $DB_CFG => "/etc/default/ngcp-db";
Readonly my $DEFAULT_DBHOST => "127.0.0.1";
Readonly my $DEFAULT_DBPORT => "3306";
@ -63,13 +61,14 @@ sub pwgen {
sub connect_db {
my ($dbhost, $dbport) = @_;
my ($mysql_user, $mysql_pass) = get_mysql_credentials();
my $dbcredentials = "/etc/mysql/sipwise_extra.cnf";
$dbh = DBI->connect("DBI:mysql:database=mysql;host=$dbhost;port=$dbport",
$mysql_user, $mysql_pass,
$dbh = DBI->connect("DBI:mysql:database=mysql;host=$dbhost;port=$dbport;"
. "mysql_read_default_file=${dbcredentials}",
"", "",
{ PrintError => 0 })
or die "Can't connect to MySQL database 'mysql': ". $DBI::errstr;
log_debug("connected to $dbhost:$dbport as $mysql_user");
log_debug("connected to $dbhost:$dbport using '${dbcredentials}'");
$dbh->do("SET sql_log_bin=0")
or die "Cannot set sql_log_bin=0: ".$DBI::errstr;
@ -95,22 +94,6 @@ sub log_info { logger(shift, 0); }
sub log_debug { logger(shift, 1); }
sub log_warn { logger(shift, 2); }
sub get_mysql_credentials {
my $mysql_user = $DEFAULT_MYSQL_USER;
my $mysql_pass;
my $mysql_creds = Config::Tiny->read($MYSQL_CREDENTIALS)
or die "Cannot open $MYSQL_CREDENTIALS: $ERRNO";
if ($mysql_pass = $mysql_creds->{_}{SIPWISE_DB_PASSWORD}) {
$mysql_pass =~ s/^['"]|['"]$//g;
} else {
die "Cannot parse mysql credentials file $MYSQL_CREDENTIALS";
}
return ($mysql_user, $mysql_pass);
}
sub get_hostname {
open(my $fh, "<", "/etc/hostname")
