OpenStack DBaaS (Trove)

Use root-enable in redis to enable authentication

Registered by Fan Zhang on 2017-09-08

Root-enable and root-disable are two common commands in Trove to enable/disable root for database like mysql. But when we come to redis, it seems that we can only enable/disable authentication by using configuration group because there is no root-enable/root-disable implementation in redis.

I would like to implement a bp that using root-enable/root-disable to enable/disable authentication in redis. This patch should support:

1. enable/disable authentication for single redis instance;
2. enable/disable authentication for replica instances. For example, when we create a replica instance of a exist single redis instance, and then we do root-enable in master node, the slave node should be also enabled authentication. When we have single redis instance which has already authentication enabled, then we create a replica instance of it, the replica instance has enabled authentication which I have tested in trove version newton. So in this patch, we won't discuss about this scenario.

But here we have another problem, what if we do root-enable to enable authentication and then the customer removes it by using configuration group? I think we should discuss about it. My advice is that we can remove requirepass item in validation-rules.json of redis, that means we do not support requirepass in redis configuration group, or we should pay attention to remove RootHistory by disabling authentication in redis via configuration group.

Read the full specification

Blueprint information

Status:: Complete

Approver:: Manoj Kumar

Priority:: Medium

Drafter:: Fan Zhang

Direction:: Needs approval

Assignee:: Fan Zhang

Definition:: Approved

Series goal:: Accepted for queens

Implementation:: Implemented

Milestone target:: None

Started by: Fan Zhang on 2017-09-09

Completed by: Fan Zhang on 2017-12-20

Related branches

Related bugs

Bug #1708376: redis requirepass problem

Fix Released

Sprints

Whiteboard

Implement root-enable/root-disable by adding requirepass and masterauth into redis.conf and doing config set requirepass and masterauth at the same time, to make sure we can enble authentication in redis without restart redis service. There are some tricks like we have to rebuild admin client after doing config set requirepass etc.(update: this has been fixed in bug #1708376)

Specification: https://specs.openstack.org/openstack/trove-specs/specs/queens/impelment-root-enable-for-redis.html

Gerrit topic: https://review.openstack.org/#q,topic:bp/root-enable-in-redis,n,z

Addressed by: https://review.openstack.org/522696
Implementation of root-enable, root-disable in redis.

(?)

Work Items

Work items:
Development of this implementation: DONE
Test locally for single redis instance: DONE
Test locally about doing root-enable for master instance in replication after the slave being created: DONE
Test locally about doing root-enable for master instance in replication before creating slave instance. When we have done root-enable in master, then create slave instance, it seems that after the slave's status is ACTIVE, it does not write requirepass and masterauth into /etc/redis.conf like I said above in description. Still need further investigation. I am going to finish the unit test first: DONE
Complete unit tests: DONE
Review: DONE

This blueprint contains Public information

Everyone can see this information.

Subscribers

Fan Zhang