Use root-enable in redis to enable authentication

Registered by Fan Zhang on 2017-09-08

Root-enable and root-disable are two common commands in Trove to enable/disable root for database like mysql. But when we come to redis, it seems that we can only enable/disable authentication by using configuration group because there is no root-enable/root-disable implementation in redis.

I would like to implement a bp that using root-enable/root-disable to enable/disable authentication in redis. This patch should support:

1. enable/disable authentication for single redis instance;
2. enable/disable authentication for replica instances. For example, when we create a replica instance of a exist single redis instance, and then we do root-enable in master node, the slave node should be also enabled authentication. When we have single redis instance which has already authentication enabled, then we create a replica instance of it, the replica instance has enabled authentication which I have tested in trove version newton. So in this patch, we won't discuss about this scenario.

But here we have another problem, what if we do root-enable to enable authentication and then the customer removes it by using configuration group? I think we should discuss about it. My advice is that we can remove requirepass item in validation-rules.json of redis, that means we do not support requirepass in redis configuration group, or we should pay attention to remove RootHistory by disabling authentication in redis via configuration group.

Blueprint information

Status:
Started
Approver:
Manoj Kumar
Priority:
Medium
Drafter:
Fan Zhang
Direction:
Needs approval
Assignee:
Fan Zhang
Definition:
Approved
Series goal:
None
Implementation:
Needs Code Review
Milestone target:
None
Started by
Fan Zhang on 2017-09-09

Related branches

Sprints

Whiteboard

Implement root-enable/root-disable by adding requirepass and masterauth into redis.conf and doing config set requirepass and masterauth at the same time, to make sure we can enble authentication in redis without restart redis service. There are some tricks like we have to rebuild admin client after doing config set requirepass etc.(update: this has been fixed in bug #1708376)

Specification: https://specs.openstack.org/openstack/trove-specs/specs/queens/impelment-root-enable-for-redis.html

Gerrit topic: https://review.openstack.org/#q,topic:bp/root-enable-in-redis,n,z

Addressed by: https://review.openstack.org/522696
    Implementation of root-enable, root-disable in redis.

(?)

Work Items

Work items:
Development of this implementation: DONE
Test locally for single redis instance: DONE
Test locally about doing root-enable for master instance in replication after the slave being created: DONE
Test locally about doing root-enable for master instance in replication before creating slave instance. When we have done root-enable in master, then create slave instance, it seems that after the slave's status is ACTIVE, it does not write requirepass and masterauth into /etc/redis.conf like I said above in description. Still need further investigation. I am going to finish the unit test first: TODO
Complete unit tests: DONE
Review: INPROGRESS

This blueprint contains Public information 
Everyone can see this information.