Merge pull request #501 from HuKeping/work-branch

Use separate databases for notary server and signer
Diogo Mónica 2016-01-29 10:13:18 -08:00
commit e0b507bfc2
8 changed files with 96 additions and 30 deletions

23
docs/notary-mysql.md Normal file

@ -0,0 +1,23 @@
<!--[metadata]>
+++
title = "Notary MySQL"
description = "Description of the Notary MySQL"
keywords = ["docker, notary, notary-mysql"]
[menu.main]
parent="mn_notary"
+++
<![end-metadata]-->
# Notary MySQL
The Notary MySQL is one of the backends for [Notary Server](notary-server.md) and
[Notary Signer](notary-signer.md).
### Recommendation
For security, especially in production deployments, one should create users
with restricted permissions and separate databases for the `server` and
`signer` since the `signer` only needs the `private_keys` table, and the
`server` only needs `timestamp_keys` and `tuf_files`.
We use such a setup in our compose file to provide people with more accurate
guidance in deploying their own instances.


@ -18,6 +18,6 @@
},
"storage": {
"backend": "mysql",
"db_url": "root@tcp(notarymysql:3306)/notary?parseTime=True"
"db_url": "server@tcp(notarymysql:3306)/notaryserver?parseTime=True"
}
}


@ -11,6 +11,6 @@
},
"storage": {
"backend": "mysql",
"db_url": "root@tcp(notarymysql:3306)/notary?parseTime=True"
"db_url": "signer@tcp(notarymysql:3306)/notarysigner?parseTime=True"
}
}


@ -7,8 +7,9 @@ RUN apt-get update \
&& rm -rf /var/lib/apt/lists/*
ADD start /start
ADD initial.sql /initial.sql
ADD migrate.sql /migrate.sql
ADD initial-notaryserver.sql /initial-notaryserver.sql
ADD initial-notarysigner.sql /initial-notarysigner.sql
ADD migrate-notaryserver.sql /migrate-notaryserver.sql
RUN chmod 755 /start
EXPOSE 3306
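Review bot: The three new `ADD initial-notaryserver.sql ...`, `ADD initial-notarysigner.sql ...` and `ADD migrate-notaryserver.sql ...` lines copy plain local files, for which `COPY` is the recommended instruction (`ADD` additionally fetches URLs and auto-extracts archives, which is never wanted for a .sql file); `COPY initial-notaryserver.sql /initial-notaryserver.sql` and likewise for the other two. The existing `ADD start /start` follows the same pattern, so this is a style point about the new lines rather than a behavioural defect. There is no `migrate-notarysigner.sql` counterpart; if that is intentional because the signer schema is created GORM-ready, a one-line comment next to these ADDs saying so would save the next reader the question.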


@ -18,21 +18,3 @@ CREATE TABLE `timestamp_keys` (
`public` blob NOT NULL,
PRIMARY KEY (`gun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
DROP TABLE IF EXISTS `private_keys`;
CREATE TABLE `private_keys` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`created_at` timestamp NULL DEFAULT NULL,
`updated_at` timestamp NULL DEFAULT NULL,
`deleted_at` timestamp NULL DEFAULT NULL,
`key_id` varchar(255) NOT NULL,
`encryption_alg` varchar(255) NOT NULL,
`keywrap_alg` varchar(255) NOT NULL,
`algorithm` varchar(50) NOT NULL,
`passphrase_alias` varchar(50) NOT NULL,
`public` blob NOT NULL,
`private` blob NOT NULL,
PRIMARY KEY (`id`),
UNIQUE (`key_id`),
UNIQUE (`key_id`,`algorithm`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


@ -0,0 +1,17 @@
DROP TABLE IF EXISTS `private_keys`;
CREATE TABLE `private_keys` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`created_at` timestamp NULL DEFAULT NULL,
`updated_at` timestamp NULL DEFAULT NULL,
`deleted_at` timestamp NULL DEFAULT NULL,
`key_id` varchar(255) NOT NULL,
`encryption_alg` varchar(255) NOT NULL,
`keywrap_alg` varchar(255) NOT NULL,
`algorithm` varchar(50) NOT NULL,
`passphrase_alias` varchar(50) NOT NULL,
`public` blob NOT NULL,
`private` blob NOT NULL,
PRIMARY KEY (`id`),
UNIQUE (`key_id`),
UNIQUE (`key_id`,`algorithm`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
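Review bot: The leading `DROP TABLE IF EXISTS \`private_keys\`;` makes this file destructive when run by hand against an existing `notarysigner` database, which is exactly the situation the new warning in the start script pushes operators towards when they migrate from the old `notary` database; the start script only pipes this file in right after `CREATE DATABASE`, but nothing in the file itself says so. A header comment such as `-- Only run against a freshly created database: the DROP below discards every stored private key` would make the contract explicit. The pair `UNIQUE (\`key_id\`)` and `UNIQUE (\`key_id\`,\`algorithm\`)` is carried over from initial.sql; the second index is implied by the first and could be dropped, or commented if GORM expects it.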


@ -1,4 +1,4 @@
-- This migrates initial.sql to tables that are needed for GORM
-- This migrates initial-notaryserver.sql to tables that are needed for GORM
ALTER TABLE `tuf_files`
ADD COLUMN `created_at` timestamp NULL DEFAULT NULL AFTER `id`,


@ -1,12 +1,40 @@
#!/bin/bash
set -e
DB_NAME='notary'
# This database is used by both of Notary-Server and Notary-Signer
# the early days which we would not use it any longer.
DB_NAME_OLD='notary'
# Message which will be displayed when the database 'notary' exsits.
DB_WARNING="
=============== WARNING =================
# The schema has changed. #
# Make sure you migrate the tables in #
# 'notary' #
# to #
# 'notaryserver' and 'notarysigner' #
=========================================
"
# Although the Notary-Server and Notary-Signer could use the same
# database, it's better to separate that for security.
DB_NAME_SERVER='notaryserver'
DB_NAME_SIGNER='notarysigner'
DB_NAME=($DB_NAME_SERVER,$DB_NAME_SIGNER)
DB_TABLE_FILES='tuf_files'
DB_TABLE_KEYS='timestamp_keys'
DB_USER='root'
DB_PASS=''
# Default username and password for Notary-Server
DB_USER_SERVER='server'
DB_PASS_SERVER=''
# Default username and password for Notary-Signer
DB_USER_SIGNER='signer'
DB_PASS_SIGNER=''
DB_REMOTE_ROOT_NAME=''
DB_REMOTE_ROOT_PASS=''
DB_REMOTE_ROOT_HOST=''
@ -93,6 +121,14 @@ if [ -n "${DB_USER}" -o -n "${DB_NAME}" ]; then
sleep 1
done
# Check whether the old database exists and warn users to
# manually migrate those tables if so.
if [ -n "${DB_NAME_OLD}" ]; then
if mysql --defaults-file=/etc/mysql/debian.cnf -e "USE $DB_NAME_OLD;" 2>/dev/null; then
echo "$DB_WARNING"
fi
fi
if [ -n "${DB_NAME}" ]; then
for db in $(awk -F',' '{for (i = 1 ; i <= NF ; i++) print $i}' <<< "${DB_NAME}"); do
if mysql --defaults-file=/etc/mysql/debian.cnf -e "USE $db;" 2>/dev/null; then
@ -101,14 +137,21 @@ if [ -n "${DB_USER}" -o -n "${DB_NAME}" ]; then
echo "Creating database \"$db\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \
-e "CREATE DATABASE IF NOT EXISTS \`$db\` DEFAULT CHARACTER SET \`utf8\` COLLATE \`utf8_unicode_ci\`;"
if [ -n "${DB_USER}" ]; then
echo "Granting access to database \"$db\" for user \"${DB_USER}\"..."
if [ -n "${DB_USER_SERVER}" -a $db = $DB_NAME_SERVER ]; then
echo "Granting access to database \"$db\" for user \"${DB_USER_SERVER}\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \
-e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER}' IDENTIFIED BY '${DB_PASS}';"
fi
-e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SERVER}' IDENTIFIED BY '${DB_PASS_SERVER}';"
# Create our Database:
mysql -uroot $db < ./initial.sql
mysql -uroot $db < ./migrate.sql
mysql -uroot $db < ./initial-notaryserver.sql
mysql -uroot $db < ./migrate-notaryserver.sql
fi
if [ -n "${DB_USER_SIGNER}" -a $db = $DB_NAME_SIGNER ]; then
echo "Granting access to database \"$db\" for user \"${DB_USER_SIGNER}\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \
-e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SIGNER}' IDENTIFIED BY '${DB_PASS_SIGNER}';"
# Create our Database:
mysql -uroot $db < ./initial-notarysigner.sql
fi
fi
done
fi
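Review bot: The two new `GRANT ALL PRIVILEGES ... IDENTIFIED BY '${DB_PASS_SERVER}'` / `'${DB_PASS_SIGNER}'` lines create the MySQL accounts with whatever those variables hold, and the first hunk defaults both `DB_PASS_SERVER` and `DB_PASS_SIGNER` to the empty string, so a default deployment gets two passwordless accounts; because the grantee has no host part MySQL records it as `'server'@'%'` / `'signer'@'%'`, and the new DSNs in the two config hunks above (`server@tcp(...)`, `signer@tcp(...)`) carry no password either. The script should at least refuse or loudly warn on an empty password before each GRANT, e.g. `[ -n "${DB_PASS_SERVER}" ] || echo "WARNING: creating MySQL user '${DB_USER_SERVER}' with an empty password" >&2`, and the docs hunk could state that these compose defaults are development credentials. The new tests use the deprecated `-a` and an unquoted `$db`: `[ -n "${DB_USER_SERVER}" ] && [ "$db" = "$DB_NAME_SERVER" ]` is the safer form (same for the signer branch), and `"$db"` should also be quoted on the `mysql -uroot $db < ./initial-notaryserver.sql` lines. The enclosing `if [ -n "${DB_USER}" -o -n "${DB_NAME}" ]` block and the `for db in ...` loop start before this hunk; if `DB_USER=` was indeed dropped in the first hunk that outer condition now rests on `DB_NAME` alone, and `DB_NAME=($DB_NAME_SERVER,$DB_NAME_SIGNER)` there is a one-element bash array that only works because `"${DB_NAME}"` expands to element 0 — `DB_NAME="${DB_NAME_SERVER},${DB_NAME_SIGNER}"` says what is meant.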