docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[PATCH 1/4] Use seperate databases for notary server and signer 

For security, server should not be able to access the `private_key` table
and we can go further more, say, use seperate databases for the server
and signer.

This patch creates two users corresponding to the different databases.

Signed-off-by: Hu Keping <hukeping@huawei.com>
This commit is contained in:
HuKeping 2016-01-26 14:25:16 +08:00
parent 54667d1254
commit e77db8a308
3 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fixtures/server-config.json
View File

@ -18,6 +18,6 @@
}, },
"storage": { "storage": {
"backend": "mysql", "backend": "mysql",
"db_url": "root@tcp(notarymysql:3306)/notary?parseTime=True" "db_url": "server@tcp(notarymysql:3306)/notaryserver?parseTime=True"
} }
} }

2
fixtures/signer-config.json
View File

@ -11,6 +11,6 @@
}, },
"storage": { "storage": {
"backend": "mysql", "backend": "mysql",
"db_url": "root@tcp(notarymysql:3306)/notary?parseTime=True" "db_url": "signer@tcp(notarymysql:3306)/notarysigner?parseTime=True"
} }
} }

26
notarymysql/start
View File

@ -1,12 +1,25 @@
#!/bin/bash #!/bin/bash
set -e set -e
DB_NAME='notary' # Although the Notary-Server and Notary-Signer could use the same
# database, it's better to seperate that for security.
DB_NAME_SERVER='notaryserver'
DB_NAME_SIGNER='notarysigner'
DB_NAME=($DB_NAME_SERVER,$DB_NAME_SIGNER)
DB_TABLE_FILES='tuf_files' DB_TABLE_FILES='tuf_files'
DB_TABLE_KEYS='timestamp_keys' DB_TABLE_KEYS='timestamp_keys'
DB_USER='root' DB_USER='root'
DB_PASS='' DB_PASS=''
# Default username and password for Notary-Server
DB_USER_SERVER='server'
DB_PASS_SERVER=''
# Default username and password for Notary-Signer
DB_USER_SIGNER='signer'
DB_PASS_SIGNER=''
DB_REMOTE_ROOT_NAME='' DB_REMOTE_ROOT_NAME=''
DB_REMOTE_ROOT_PASS='' DB_REMOTE_ROOT_PASS=''
DB_REMOTE_ROOT_HOST='' DB_REMOTE_ROOT_HOST=''
@ -101,10 +114,15 @@ if [ -n "${DB_USER}" -o -n "${DB_NAME}" ]; then
echo "Creating database \"$db\"..." echo "Creating database \"$db\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \ mysql --defaults-file=/etc/mysql/debian.cnf \
-e "CREATE DATABASE IF NOT EXISTS \`$db\` DEFAULT CHARACTER SET \`utf8\` COLLATE \`utf8_unicode_ci\`;" -e "CREATE DATABASE IF NOT EXISTS \`$db\` DEFAULT CHARACTER SET \`utf8\` COLLATE \`utf8_unicode_ci\`;"
if [ -n "${DB_USER}" ]; then if [ -n "${DB_USER_SERVER}" -a $db = $DB_NAME_SERVER ]; then
echo "Granting access to database \"$db\" for user \"${DB_USER}\"..." echo "Granting access to database \"$db\" for user \"${DB_USER_SERVER}\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \ mysql --defaults-file=/etc/mysql/debian.cnf \
-e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER}' IDENTIFIED BY '${DB_PASS}';" -e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SERVER}' IDENTIFIED BY '${DB_PASS_SERVER}';"
fi
if [ -n "${DB_USER_SIGNER}" -a $db = $DB_NAME_SIGNER ]; then
echo "Granting access to database \"$db\" for user \"${DB_USER_SIGNER}\"..."
mysql --defaults-file=/etc/mysql/debian.cnf \
-e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SIGNER}' IDENTIFIED BY '${DB_PASS_SIGNER}';"
fi fi
# Create our Database: # Create our Database:
mysql -uroot $db < ./initial.sql mysql -uroot $db < ./initial.sql