This could possibly be a support request depending on if you're willing to add new features to 6.x-2.x.
There are a lot of organizations who have security policies that involve changing database passwords. I'm not entirely sure how to go about doing this, but it would be helpful to have an action that does the following:
1) Create a new database user/pass
2) Rewrite settings.php for the site
3) Remove the old database user for the site
Possibly in an experimental, disabled-by-default extension?
If this isn't something that could be included in Aegir, any information that you could provide to help me do this would be extremely helpful.
| Comment | File | Size | Author |
|---|---|---|---|
| #21 | provision_tasks_extra-code-2072267-21.patch | 3 KB | helmo |
Comments
Comment #1
helmo commentedWould be nice to have.
It relates a bit to: #1132512: [meta] Manage databases as separate entities
It could also start as something in http://drupal.org/project/hosting_tasks_extra
Comment #2
cweagansAny ideas about approach? I'm not sure how to make it happen.
Comment #3
cweagansI mean, one way to do it is to have an action that does this:
For running the action on example.com:
* Migrate example.com to example.com.tmp
* Clone example.com.tmp to example.com
* Delete example.com.tmp
I'm not sure how well this would work in practice though, and it seems to be a pretty roundabout way of resetting a database password.
Comment #4
ergonlogicProvision_Service_db_mysql::grant and Provision_Service_db_mysql::revoke methods already exist. Since site db credentials are stored in the vhost and the site drushrc.php, those are where we'd need a re-write, not settings.php.
Comment #5
cweagansI see all of these bits that will be useful, but I'm not quite understanding how they fit together:
- provision_password() will help with generating new password
- Provision_Service_db_mysql::revoke will help with revoking the database credentials
- Provision_Service_db_mysql::grant will help with granting new ones
From a site action, how do I update the site drushrc.php/virtualhost with those new credentials?
Comment #6
ergonlogicYou probably want something like:
$config = new Provision_Config_Drushrc_Site(d()->name);
$config->db_passwd = $new_password;
$config->write();
With that, I think you can just verify the site to have the vhost re-created with the new credentials.
Comment #7
cweagansOkay, I think that's enough to get me started. Thanks!
Should I write this as a hosting/provision patch/separate submodule? Or should this go into a contrib project?
Comment #8
ergonlogic@cweagans, I think helmo's suggestion in #1 is good. tasks_extra is becoming our incubator for potential additions to aegir core .
Comment #9
anarcat commentedalso, keep in mind this actually happens at every migrate.
i don't think we should have this that late in the 2.x release cycle, but it's welcome in contrib or 3.x.
Comment #10
cweagansYes, but you can't migrate the site to the same platform to change the database password :)
Also, I'm having a really hard time getting this to work. ergonlogic or anarcat, could we talk in IRC sometime? I have code written, and it'll definitely be open sourced - I'd love to have your input on where I'm going wrong if you happen to have some time.
Comment #11
ergonlogic@cweagans, I know you'd posted a gist or something with some code snippets at one point. Posting a patch to this issue would probably make things simpler though.
We'll be on IRC this week too.
Comment #12
cweagansMy complete provision_change_site_password.drush.inc is here: https://gist.github.com/cweagans/2926c8f7953d35291ec1
(I'm building it as a separate module, but I'll move it into a patch in provision_tasks_extra at some point, and possibly into Aegir 3.x at some point)
Comment #13
anarcat commentedokay, so what's not working in that command?
Comment #14
cweagansAs far as I can tell, it's updating the MySQL password, but it's not regenerating the Apache config appropriately, so after this command is run, the site has one password, and the database has another.
Comment #15
helmo commentedI think I got it working....
https://gist.github.com/helmo/a564e718715787a0287f/revisions
A comment in generate_site_credentials() already mentions that this is not the best way to handle variables....
Comment #16
cweagansThanks, helmo!! That works great - I'll go ahead and package this up.
Comment #17
anarcat commentedlet's mark this as postponed until we have a link to a contrib module here :)
Comment #18
helmo commentedMoving to the provision_tasks_extra queue as per @cweagans in #12.
I doubt there would be much need for an addition to hosting_tasks_extra, or would anyone like to do this from the frontend?
Comment #19
cweagansI'll add a configuration page to hosting_tasks_extra to rotate passwords every $interval, and a hook_cron to kick it off.
Comment #20
ergonlogicImplementing a queue would probably be the best way forward to schedule regular triggering of this.
Comment #21
helmo commentedThis saved me again today ... I used this to fix some db privilege issues after a DNS name change, which messed up some grants.
Together with #2175595-1: Generate drush groups I was able to quickly reset all passwords on a server.
Here's a patch based on the gist .. only with minor cleanup.
* Is the filename OK?
* We could make the maintenance mode optional .. I temporarily disabled it to avoid errors during my recovery.
Comment #22
cweagansLooks like this has been committed. Can we close it? I'm using this in production for a client for automatic password rotations every 90 days, and it seems to be working well.
Comment #23
helmo commentedI see that I accidentally committed this in fd9a94eea65015780d98c34b00fab4b4cbabe9a8 "Fix hook_drush_load() check for http_basic_auth"
Code still seems ok, so lets leave it at that. We can always open a follow-up issue.