Merge pull request #934 from edx/jarv/add-migrate-user

creates the migration user, defaults the maintenance user passwords to

playbooks/edx-east/create_dbs.yml

@@ -83,19 +83,49 @@
         login_host: "{{ item.db_host }}"
         login_user: "{{ item.db_user }}"
         login_password: "{{ item.db_pass }}"
+        append_privs: yes
         host: '%'
       when: item.db_user != 'None'
       with_items:
         - db_host: "{{ EDXAPP_MYSQL_HOST|default('None') }}"
+          db_name: "{{ EDXAPP_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ edxapp_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
         - db_host: "{{ XQUEUE_MYSQL_HOST|default('None') }}"
+          db_name: "{{ XQUEUE_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ xqueue_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
         - db_host: "{{ ORA_MYSQL_HOST|default('None') }}"
+          db_name: "{{ ORA_MYSQL_DB_NAME|default('None') }}"
           db_user: "{{ ora_db_root_user }}"
           db_pass: "{{ db_root_pass }}"
 
+    - name: assign mysql user permissions for migrate user
+      mysql_user:
+        name: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+        priv: "{{ item.db_name }}.*:SELECT,INSERT,UPDATE,DELETE,ALTER,CREATE,DROP,INDEX"
+        password: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+        login_host: "{{ item.db_host }}"
+        login_user: "{{ item.db_user }}"
+        login_password: "{{ item.db_pass }}"
+        append_privs: yes
+        host: '%'
+      when: item.db_user != 'None'
+      with_items:
+        - db_host: "{{ EDXAPP_MYSQL_HOST|default('None') }}"
+          db_name: "{{ EDXAPP_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ edxapp_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+        - db_host: "{{ XQUEUE_MYSQL_HOST|default('None') }}"
+          db_name: "{{ XQUEUE_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ xqueue_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+        - db_host: "{{ ORA_MYSQL_HOST|default('None') }}"
+          db_name: "{{ ORA_MYSQL_DB_NAME|default('None') }}"
+          db_user: "{{ ora_db_root_user }}"
+          db_pass: "{{ db_root_pass }}"
+
+
     - name: assign mysql user permissions for admin user
       mysql_user:
         name: "{{ COMMON_MYSQL_ADMIN_USER }}"
@@ -104,6 +134,7 @@
         login_host: "{{ item.db_host }}"
         login_user: "{{ item.db_user }}"
         login_password: "{{ item.db_pass }}"
+        append_privs: yes
         host: '%'
       when: item.db_user != 'None'
       with_items:

playbooks/roles/bastion/tasks/main.yml

@@ -28,6 +28,9 @@
     extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   with_items: bastion_pip_pkgs
 
+# These templates rely on there being a global
+# read_only mysql user, you must override the default
+# in order for these templates to be written out
 - template: >
     src=mysql.sh.j2
     dest=/home/{{ item[0] }}/{{ item[1].script_name }}
@@ -44,7 +47,11 @@
       - db_host: "{{ ORA_MYSQL_HOST }}"
         db_name: "{{ ORA_MYSQL_DB_NAME }}"
         script_name: ora-rds.sh
+  when: COMMON_MYSQL_READ_ONLY_PASS
 
+# These templates rely on there being a global
+# read_only mongo user, you must override the default
+# in order for these templates to be written out
 - template: >
     src=mongo.sh.j2
     dest=/home/{{ item[0] }}/{{ item[1].script_name }}
@@ -60,3 +67,4 @@
         db_name: "{{ FORUM_MONGO_DATABASE }}"
         db_port: "{{ FORUM_MONGO_PORT }}"
         script_name: forum-mongo.sh
+  when: COMMON_MONGO_READ_ONLY_PASS

playbooks/roles/common/defaults/main.yml

@@ -31,17 +31,20 @@ COMMON_CUSTOM_DHCLIENT_CONFIG: false
 
 COMMON_MOTD_TEMPLATE: "motd.tail.j2"
 
-# These are two special accounts across all databases
+# These are three maintenance accounts across all databases
 # the read only user is is granted select privs on all dbs
 # the admin user is granted create user privs on all dbs
+# the migrate user is granted table alter privs on all dbs
 
 COMMON_MYSQL_READ_ONLY_USER: 'read_only'
-COMMON_MYSQL_READ_ONLY_PASS: 'password'
+COMMON_MYSQL_READ_ONLY_PASS: !!null
 COMMON_MYSQL_ADMIN_USER: 'admin'
-COMMON_MYSQL_ADMIN_PASS: 'password'
+COMMON_MYSQL_ADMIN_PASS: !!null
+COMMON_MYSQL_MIGRATE_USER: 'migrate'
+COMMON_MYSQL_MIGRATE_PASS: !!null
 
 COMMON_MONGO_READ_ONLY_USER: 'read_only'
-COMMON_MONGO_READ_ONLY_PASS: 'password'
+COMMON_MONGO_READ_ONLY_PASS: !!null
 
 common_debian_pkgs:
   - ntp

playbooks/roles/edxapp/tasks/service_variant_config.yml

@@ -77,7 +77,10 @@
 
 # Fake syncdb with migrate, only when fake_migrations is defined
 # This overrides the database name to be the test database which
-# the default application user has full write access to
+# the default application user has full write access to.
+#
+# This is run in cases where you want to test to see if migrations
+# work without actually runnning them (when creating AMIs for example).
 - name: syncdb and migrate
   shell: >
     chdir={{ edxapp_code_dir }}
@@ -90,12 +93,27 @@
   - "restart edxapp"
   - "restart edxapp_workers"
 
-# Regular syncdb with migrate
+# Syncdb with migrate when the migrate user is overridden in extra vars
+- name: syncdb and migrate
+  shell: >
+    chdir={{ edxapp_code_dir }}
+    {{ edxapp_venv_bin}}/python manage.py lms syncdb --migrate --noinput --settings=aws_migrate
+  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes" and COMMON_MYSQL_MIGRATE_PASS
+  environment:
+    DB_MIGRATION_USER: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+    DB_MIGRATION_PASS: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+  sudo_user: "{{ edxapp_user }}"
+  notify:
+  - "restart edxapp"
+  - "restart edxapp_workers"
+
+# Syncdb with migrate when the default migrate user is not set,
+# in this case use the EDXAPP_MYSQL_USER_MIGRATE user to run migrations
 - name: syncdb and migrate
   shell: >
     chdir={{ edxapp_code_dir }}
     {{ edxapp_venv_bin}}/python manage.py lms syncdb --migrate --noinput --settings=aws_migrate
-  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes"
+  when: fake_migrations is not defined and migrate_db is defined and migrate_db|lower == "yes" and not COMMON_MYSQL_MIGRATE_PASS
   environment:
     DB_MIGRATION_USER: "{{ EDXAPP_MYSQL_USER_MIGRATE }}"
     DB_MIGRATION_PASS: "{{ EDXAPP_MYSQL_PASSWORD_MIGRATE }}"
@@ -104,6 +122,7 @@
   - "restart edxapp"
   - "restart edxapp_workers"
 
+
 # Fake migrate, only when fake_migrations is defined
 # This overrides the database name to be the test database which
 # the default application user has full write access to

playbooks/roles/xqueue/tasks/deploy.yml

@@ -48,14 +48,28 @@
   notify:
     - restart xqueue
 
+# If there is a common user for migrations run migrations using his username
+# and credentials. If not we use the xqueue mysql user
+- name: syncdb and migrate
+  shell: >
+    SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_migrate --pythonpath={{ xqueue_code_dir }}
+  sudo_user: "{{ xqueue_user }}"
+  environment:
+    DB_MIGRATION_USER: "{{ COMMON_MYSQL_MIGRATE_USER }}"
+    DB_MIGRATION_PASS: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
+  when: migrate_db is defined and migrate_db|lower == "yes" and COMMON_MYSQL_MIGRATE_PASS
+  notify:
+    - restart xqueue
+
 - name: syncdb and migrate
   shell: >
     SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_settings --pythonpath={{ xqueue_code_dir }}
-  when: migrate_db is defined and migrate_db|lower == "yes"
   sudo_user: "{{ xqueue_user }}"
+  when: migrate_db is defined and migrate_db|lower == "yes" and not COMMON_MYSQL_MIGRATE_PASS
   notify:
     - restart xqueue
 
+
 - name: create users
   shell: >
     SERVICE_VARIANT=xqueue {{ xqueue_venv_bin }}/django-admin.py update_users --settings=xqueue.aws_settings --pythonpath={{ xqueue_code_dir }}