add the ability to create a restricted root account

Registered by Michael Basnight on 2013-01-28

There has been a request to enable a root user through the API that has limited privileges.

Blueprint information

Status:
Complete
Approver:
Vipul Sabhaya
Priority:
Medium
Drafter:
Dan Nguyen
Direction:
Approved
Assignee:
Dan Nguyen
Definition:
Approved
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
None
Started by
Dan Nguyen on 2013-04-17
Completed by
Dan Nguyen on 2013-04-17

Whiteboard

Proposed changes.

Notes:
----------
The reddwarf-guestagent.conf.sample file will contain a property that specifies a list of privileges:

root_grant=SELECT, CREATE, UPDATE, DELETE, ALTER, CREATE VIEW ....

If this property is not present, the code should default to the original permissions, which GRANT ALL PRIVILEGES ...

Concerns:
--------------
We know that the custom GRANT statement will not accommodate everyone.
This is part of the reason for abstracting it out to a config file.

See MySQL Privileges: http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html

Design
----------
We will not put the GRANT SQL statement directly in the property file.
The property file will contain only a list of privilege names, and the GRANT statement will be built from that list.
(e.g. root_grant = CREATE, DELETE, UPDATE ....)
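The following is an added worked example, not reddwarf's own code, of the approach described in the Notes and Design sections: read root_grant from the guest agent config, validate each entry against the privilege names documented for MySQL 5.1, and build the GRANT statement from that list, falling back to ALL PRIVILEGES when the property is absent. The sample config text, the account/host names and the password hash are constructed placeholders; parse_root_grant, build_root_grant and root_grant_from_conf are hypothetical names. The allowlist is the security-relevant part: because the config value is spliced into SQL, anything that is not a known privilege keyword is rejected rather than passed through.

```python
"""Added example (not reddwarf's code): build the restricted-root GRANT from root_grant."""
import configparser
import re

# Privilege keywords documented for MySQL 5.1 (the blueprint's reference page).
# ALL PRIVILEGES and GRANT OPTION are deliberately left out: a restricted root
# account should not be able to regain full rights through the config value.
RESTRICTABLE_PRIVILEGES = frozenset([
    "ALTER", "ALTER ROUTINE", "CREATE", "CREATE ROUTINE",
    "CREATE TEMPORARY TABLES", "CREATE USER", "CREATE VIEW", "DELETE", "DROP",
    "EVENT", "EXECUTE", "FILE", "INDEX", "INSERT", "LOCK TABLES", "PROCESS",
    "REFERENCES", "RELOAD", "REPLICATION CLIENT", "REPLICATION SLAVE",
    "SELECT", "SHOW DATABASES", "SHOW VIEW", "SHUTDOWN", "SUPER", "TRIGGER",
    "UPDATE", "USAGE",
])

# Constructed sample of what reddwarf-guestagent.conf.sample would carry.
SAMPLE_CONF = """
[DEFAULT]
root_grant = SELECT, CREATE, UPDATE, DELETE, ALTER, CREATE VIEW
"""


def parse_root_grant(value):
    """Parse the root_grant property into a list of normalized privilege names.

    Returns None when the property is absent or empty, which tells the caller
    to fall back to the original ALL PRIVILEGES behaviour.  Raises ValueError
    for any entry that is not a documented privilege keyword, so stray SQL in
    the config file never reaches the GRANT statement.
    """
    if value is None or not value.strip():
        return None
    privileges = []
    for item in value.split(","):
        name = " ".join(item.split()).upper()  # collapse whitespace, normalize case
        if not name:
            continue
        if name not in RESTRICTABLE_PRIVILEGES:
            raise ValueError("unknown privilege in root_grant: %r" % item.strip())
        if name not in privileges:  # drop duplicates, keep config order
            privileges.append(name)
    return privileges or None


def build_root_grant(privileges, user="root", host="%", password_hash=None):
    """Render the GRANT statement for the root account.

    ``privileges`` is the output of parse_root_grant(); None means the
    original, unrestricted GRANT ALL PRIVILEGES.  ``password_hash`` is a
    MySQL 4.1-style hash ('*' followed by 40 hex digits), emitted through
    IDENTIFIED BY PASSWORD as in the blueprint.  User and host are checked
    against a conservative character set instead of being escaped.
    """
    if not re.match(r"^[A-Za-z0-9_.\-]{1,16}$", user):
        raise ValueError("unsafe user name: %r" % user)
    if not re.match(r"^[A-Za-z0-9_.\-%]{1,60}$", host):
        raise ValueError("unsafe host pattern: %r" % host)
    priv_clause = "ALL PRIVILEGES" if privileges is None else ", ".join(privileges)
    stmt = "GRANT %s ON *.* TO '%s'@'%s'" % (priv_clause, user, host)
    if password_hash is not None:
        if not re.match(r"^\*[0-9A-F]{40}$", password_hash):
            raise ValueError("password_hash must be a MySQL 4.1+ password hash")
        stmt += " IDENTIFIED BY PASSWORD '%s'" % password_hash
    return stmt


def root_grant_from_conf(conf_text, password_hash=None):
    """Read root_grant from an INI-style config text and return the statement."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return build_root_grant(
        parse_root_grant(cp.get("DEFAULT", "root_grant", fallback=None)),
        password_hash=password_hash,
    )


if __name__ == "__main__":
    # Constructed placeholder hash, not a real account's hash.
    print(root_grant_from_conf(SAMPLE_CONF, password_hash="*" + "0" * 40))
    print(root_grant_from_conf("[DEFAULT]\n"))  # no root_grant: original behaviour
```

Rejecting unknown keywords, rather than trying to escape them, is the simplest way to keep a config-driven statement safe: the only strings that can ever be concatenated into the GRANT are the ones in the allowlist.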

Privileges for restricted root account
-------------------------------------------------
Grants for root@%:

GRANT SELECT,
      INSERT,
      UPDATE,
      DELETE,
      CREATE,
      DROP,
      PROCESS,
      REFERENCES,
      INDEX,
      ALTER,
      SHOW DATABASES,
      CREATE TEMPORARY TABLES,
      LOCK TABLES,
      EXECUTE,
      CREATE VIEW,
      SHOW VIEW,
      CREATE ROUTINE,
      ALTER ROUTINE,
      CREATE USER,
      EVENT,
      TRIGGER
ON *.* TO 'root'@'%'
IDENTIFIED BY PASSWORD '*8E32602BD1C871936F7DA6963855FBD7000854BA';

Gerrit topic: https://review.openstack.org/#q,topic:bp/create-restricted-root-account,n,z

Addressed by: https://review.openstack.org/22012
    Implement alternate root privileges

Addressed by: https://review.openstack.org/22358
    Implement alternate root privileges
