Adding ACLs to Vitess
# -------------------------------- For the User definitions ---------------------------- | |
# Create a K8s secret with the users: | |
# Step 1 (run on the operator's workstation, "$ " is the prompt): write the static-auth
# user list to users.json and load it into a Secret. The key inside the Secret is the
# file name, "users.json", which is what the secretKeyRef below points at.
# users.json is a plaintext credential file in the current directory; delete it once the
# Secret exists. The passwords shown are sample values.
$ echo '{ | |
"user-service": [ | |
{ | |
"UserData": "user-service", | |
"Password": "mybadpassword" | |
} | |
], | |
"other-service": [ | |
{ | |
"UserData": "other-service", | |
"Password": "myotherbadpassword" | |
} | |
] | |
}' > users.json | |
$ kubectl create secret generic vitess-users --from-file=users.json | |
# Change the VTGate stateful sets to set the Users | |
# Step 2: an initContainer receives the Secret as the env var MYSQL_USER_PASSWORDS and
# copies it into the "creds" volume so vtgate can read it as a file.
# NOTE(review): the vtgate container itself presumably needs the same "creds" volumeMount
# at /mysqlcreds for the path given to -mysql_auth_server_static_file to exist — confirm.
initContainers: | |
- name: init-mysql-creds | |
image: "vitess/vtgate:latest" | |
imagePullPolicy: IfNotPresent | |
volumeMounts: | |
- name: creds | |
mountPath: "/mysqlcreds" | |
env: | |
- name: MYSQL_USER_PASSWORDS | |
valueFrom: | |
secretKeyRef: | |
name: vitess-users | |
key: users.json | |
command: ["bash"] | |
args: | |
- "-c" | |
- | | |
# NOTE(review): `set -x` traces every command after expansion to stderr, so the echo on
# the next line prints the full contents of MYSQL_USER_PASSWORDS (every password) into
# the init container's log. Use `set -e` alone here, or `set +x` before the echo.
# Also quote the expansion (`"$MYSQL_USER_PASSWORDS"`): unquoted, the JSON is word-split
# and glob-expanded before echo sees it. The file is created with the container's default
# umask — consider tightening its mode, since /mysqlcreds is a shared volume.
set -ex | |
echo $MYSQL_USER_PASSWORDS > /mysqlcreds/creds.json | |
# Modify the VTGate container command to add the auth flags, though this should be there by default if using | |
# helm-generated YAMLs | |
# The static-file path must match the file written by the initContainer above.
-mysql_auth_server_impl="static" | |
-mysql_auth_server_static_file="/mysqlcreds/creds.json" | |
# -------------------------------- For the ACLs ---------------------------- | |
# Create a k8s secret with the ACLs | |
# Step 3: a single table group. "table_names_or_prefixes": [""] is an empty prefix, which
# presumably matches every table in the keyspace — confirm against the Vitess table ACL
# docs for your version. readers/writers/admins name users from users.json above.
$ echo '{ | |
"table_groups": [ | |
{ | |
"name": "users", | |
"table_names_or_prefixes": [""], | |
"readers": ["user-service"], | |
"writers": ["user-service"], | |
"admins": ["user-service"] | |
} | |
] | |
}' > user-acls.json | |
$ kubectl create secret generic vitess-user-acls --from-file=user-acls.json | |
# In each VTTablet Statefulset: | |
# modify the `init-vttablet` container and add a reference to the ACL secret: | |
env: | |
- name: MYSQL_USER_ACLS | |
valueFrom: | |
secretKeyRef: | |
name: vitess-user-acls | |
key: user-acls.json | |
# Above the `eval exec` cmd for vttablet (or else it won't execute), add a line: | |
# Same quoting point as the vtgate init script: prefer
# `printf '%s\n' "$MYSQL_USER_ACLS" > /vtdataroot/acls.json`. The path must match the
# -table-acl-config flag below.
echo $MYSQL_USER_ACLS > /vtdataroot/acls.json | |
# In the main `vttablet` container add the following cmdline params: | |
# NOTE(review): -queryserver-config-strict-table-acl presumably rejects queries on tables
# not covered by an ACL entry, and -enforce-tableacl-config refuses to start without a
# valid ACL file — confirm against the vttablet flag help for your version.
-table-acl-config /vtdataroot/acls.json | |
-queryserver-config-strict-table-acl | |
-enforce-tableacl-config | |
# Note you'll need a different ACLs K8s secret for each Keyspace you have, otherwise tables with the | |
# same name across keyspaces will allow other users to access it. |