-
Notifications
You must be signed in to change notification settings - Fork 448
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add do
command to update the authentication plugin of MySQL users
#1097
base: release
Are you sure you want to change the base?
feat: add do
command to update the authentication plugin of MySQL users
#1097
Conversation
tutor/commands/upgrade/common.py
Outdated
@@ -43,6 +43,39 @@ def upgrade_from_nutmeg(context: click.Context, config: Config) -> None: | |||
) | |||
|
|||
|
|||
def get_mysql_change_authentication_plugin_query(config: Config) -> str: | |||
"""Helper function to generate queries depending on the loaded plugins""" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the docstring can be upgraded to highlight what is done by default and what is done based on plugin's availability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
tutor/commands/upgrade/k8s.py
Outdated
# We need to first revert MySQL back to v8.1 to build the data dictionary on it | ||
# And also to update the authentication plugin as it is disabled on v8.4 | ||
message = f"""Automatic release upgrade is unsupported in Kubernetes. If you are upgrading from Olive or an earlier release to Redwood, you | ||
should upgrade the authentication plugin of your users. To upgrade, run something similar to: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of saying run something similar, we should add the exact commands the user should run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are the exact commands that the user should run. I've updated the wording in the message.
changelog.d/20240718_171945_danyal.faheem_mysql_authentication_plugin_change.md
Outdated
Show resolved
Hide resolved
tutor/commands/upgrade/common.py
Outdated
@@ -43,6 +43,46 @@ def upgrade_from_nutmeg(context: click.Context, config: Config) -> None: | |||
) | |||
|
|||
|
|||
def get_mysql_change_authentication_plugin_query(config: Config) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if we should have an override/additional param provided by user to only upgrade a particular plugin's database. Lets say they have upgraded the default already and do not have plugins enabled. Once plugins are enabled, they will be re-doing the migration for default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I was also thinking that we could add a --users
option with comma separated name of users to the do command. This way, users can also choose to upgrade their choice of databases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a --users
option as well.
tutor/commands/upgrade/common.py
Outdated
) -> str: | ||
return f"ALTER USER '{username}'@'{host}' IDENTIFIED with caching_sha2_password BY '{password}';" | ||
|
||
host = "%" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is the host set to %?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The host for users created by Tutor is always set to '%'. The users created by MySQL itself uses the 'localhost' host.
adaa02d
to
820cebe
Compare
ef6022d
to
4d0042c
Compare
@@ -44,7 +44,11 @@ services: | |||
--character-set-server=utf8mb4 | |||
--collation-server=utf8mb4_unicode_ci | |||
--binlog-expire-logs-seconds=259200 | |||
# We only require this option for MySQL 8.4 and above | |||
# Breaks MySQL for previous versions as this option does not exist on versions earlier than 8.4 | |||
{% if DOCKER_IMAGE_MYSQL.split(':')[-1] == "latest" or (DOCKER_IMAGE_MYSQL.split(':')[-1].split('.') | map('int') | list >= '8.4.0'.split('.') | map('int') | list) -%} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: we can set DOCKER_IMAGE_MYSQL.split(':')[-1] to a variable and use that in comparison. It will make the code readable.
docs/local.rst
Outdated
|
||
tutor local do update_mysql_authentication_plugin --users=discovery,ecommerce | ||
|
||
Do note that if you are updating a specific user, there should be corresponding entries in the configuration for the mysql username and password for that user. For example, if you are trying to update the user ``myuser``, the following case sensitive entries need to be present in the configuration:: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this paragraph can be reworded to focus that for any particular user, the command expects the configuration settings in a certain format. Then, the myuser examples can be added afterwards/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated this paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While testing, I came across the following error
Error: Username or Password for User mfe not found in config. Please make sure that the following entries are present in the configuration:
MFE_MYSQL_USERNAME
MFE_MYSQL_PASSWORD
The current code raises the exception if config is not found. It is iterating on all the plugins. Not all plugins would have DB users. Instead of raising, we can log warning and continue.
do
command to update the authentication plugin of MySQL users
Hello @regisb, can u have a look at it for it's final iteration? |
tutor/fmt.py
Outdated
@@ -46,6 +46,14 @@ def alert(text: str) -> str: | |||
return click.style("⚠️ " + text, fg="yellow", bold=True) | |||
|
|||
|
|||
def warning(text: str) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the purpose of warning
when we already have alert
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alert prints to standard error and this seemed like a situation where we just wanted to display a warning rather than an error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep an alert. We don't want to write to stdout because it might mangle output from other commands, such as tutor config printvalue/printroot
. And if we write to stderr than we are better off just using alert.
tutor/commands/jobs.py
Outdated
@@ -315,6 +317,49 @@ def sqlshell(args: list[str]) -> t.Iterable[tuple[str, str]]: | |||
yield ("lms", command) | |||
|
|||
|
|||
@click.command(context_settings={"ignore_unknown_options": True}) | |||
@click.option( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not be an option, but an argument, because it's mandatory. The command signature should not be:
tutor local do update_mysql_authentication_plugin --users=regis,danyal
but:
tutor local do update_mysql_authentication_plugin regis danyal
Moreover, we should be able to update all users with users=all:
tutor local do update_mysql_authentication_plugin all
tutor/commands/jobs_utils.py
Outdated
fmt.echo_info( | ||
f"Authentication plugin of user {username} will be updated to caching_sha2_password" | ||
) | ||
return f"ALTER USER '{username}'@'{host}' IDENTIFIED with caching_sha2_password BY '{password}';" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function is extremely confusing, and there are many ways in which it can fail. In order to improve it, I'd like to understand if it's possible to automatically detect all mysql users that were created with the legacy authentication plugin?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only way to do that would be to get the output of a MySQL query inside tutor codebase. I am not aware of any method that we can use to get the output of a command run inside a container inside the tutor codebase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming we could get the output of a mysql query in tutor, what would be that query?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something similar to this:
select user from mysql.user where plugin='mysql_native_password' and host='%';
We need to limit the host to '%' as Tutor uses that host value by default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey Regis, any thoughts on how we should proceed with this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure. basically, we need to perform all tasks inside a single templated bash script -- including the mysql --user...
part. This bash script can be templated, such that we don't have to pass config values to the script-generating function. I'm sorry I don't have time to think about this more...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So maybe something similar to a stored procedure? Something akin to what we did in #1079?
We could get the names of all the users and update them inside that procedure. Although, I'd have to look into how we would manage passwords then.
458c6de
to
98d6753
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: once merged and rebase to sumac, we can add a "warning" in upgrade that users should do the auth plugin updates to ensure future upgrades of MySQL do not break their systems.
tutor/commands/jobs_utils.py
Outdated
user_uppercase = user.upper() | ||
if not ( | ||
f"{user_uppercase}_MYSQL_USERNAME" in config | ||
and f"{user_uppercase}_MYSQL_PASSWORD" in config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks very fragile. We can't rely on the arbitrary naming of some configuration settings to auto-detect user names.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We found that this was a convention used across the plugins, but I can understand your position here. However, we still need the exact username and password to perform this operation. Therefore, I propose that we can provide an option to provide the exact username and password. Something similar to:
tutor local do update-mysql-authentication-plugin discovery ecommerce --usernames discovery-username,ecommerce-username --passwords discovery-password,ecommerce-password
This isn't very intuitive but since this would be a one time operation, maybe it is fine? Another con I see here is that users will have to have passwords out in the open for headless scripts unless they utilize environment variables.
I am open to any suggestions you might have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @regisb, pinging you again for your thoughts on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's go with a mandatory username
CLI argument. When the --password=...
option is not provided, it should be interactively set. (see how the createuser
command handles password definition) It's not a big deal if passwords are printed in stdout.
Then, we should instruct users to migrate their accounts with:
tutor local do update-mysql-authentication-plugin \
--password="$(tutor config printvalueOPENEDX_MYSQL_PASSWORD)"\
$(tutor config printvalue OPENEDX_MYSQL_USERNAME)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. However, I have one concern. This basically limits us to updating one user at a time. If a user has 5-6 plugins enabled, this would become quite hectic as the MySQL root user and Open edX mysql user would require 2 separate commands by themselves along, not to mention for each plugin as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, but I think it's OK, because this command will only have to be run once for every mysql user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the command to reflect the changes as you mentioned.
I've also moved some code to the newly created jobs_utils file as the jobs.py file was getting too bloated.
62633a0
to
9735201
Compare
docs/troubleshooting.rst
Outdated
|
||
This issue can occur when Tutor is upgraded from v15 (Olive) or earlier to v18 (Redwood) because the users created in Tutor v15 utilize the mysql_native_password authentication plugin by default. This plugin has been deprecated as of MySQL v8.4.0 which is the default MySQL server used in Tutor v18. | ||
|
||
The handy :ref:`update-mysql-authentication-plugin <update_mysql_authentication_plugin>` do command in tutor can be used to fix this issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the command that should be run for a vanilla installation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added the two commands necessary for a vanilla installation in the troubleshooting section as well
) | ||
return | ||
|
||
conventional_password_key = f"{user.upper()}_MYSQL_PASSWORD" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part about automatically loading password from config should be removed. In particular, with the current implementation, a warning will be printed even after user inputs a password.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding this,
The warnings will only be printed if the password entered by a user does not match the conventional format that tutor expects or if the value in config of the conventional key does not match the one entered by the user. This is just done to make sure no one accidentally updates the password of their mysql users and is left wondering why their platform doesn't work now.
There is also an option of using the command non-interactively.
Do you still think we should remove this? I understand its not intuitive at all but I added it just in case someone doesn't accidentally update their passwords.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think we should remove this, as it will cause more confusion than resolve anything. If the password is incorrect, the command will fail, right? (which is good)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the password is incorrect, the command will fail, right? (which is good)
Unfortunately, it wont fail. Instead, mysql will just update the password of the user to the incorrectly entered password and then the platform will be unable to connect because the password has been updated. This was my main motivation for adding these checks.
It only throws a warning if the username is incorrect, which makes sense cause then the user wouldn't exist anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I understand. Here's what I suggest:
- Get rid of the interactive option, remove the corresponding warning.
- Remove
prompt=True
in the password option definition. - In the command definition, build a dict of known username/passwords:
known_mysql_credentials = {}
for k, v in [("OPENEDX_MYSQL_USERNAME", "OPENEDX_MYSQL_PASSWORD"), ("NOTES_MYSQL_USERNAME", "NOTES_MYSQL_PASSWORD"), ...]:
if username := config.get(k):
known_mysql_credentials[username] = config[v]
if not password:
password = known_mysql_credentials.get(username)
if not password:
# prompt for password
In other words, the password is automatically detected if it matches a known username. Optionally, we can build known_mysql_credentials
from a new filter.
-
Change the documentation to tell users to run:
tutor local do update-mysql-authentication-plugin $(tutor config printvalue OPENEDX_MYSQL_USERNAME) tutor local do update-mysql-authentication-plugin $(tutor config printvalue NOTES_MYSQL_USERNAME) ...
Would that work?
Sorry about the back and forth on this feature. I'm aware that this PR has been open for 6+ months, and I'm eager to merge it.
tutor/commands/jobs.py
Outdated
|
||
mysql_command = ( | ||
"mysql --user={{ MYSQL_ROOT_USERNAME }} --password={{ MYSQL_ROOT_PASSWORD }} --host={{ MYSQL_HOST }} --port={{ MYSQL_PORT }} --database={{ OPENEDX_MYSQL_DATABASE }} --show-warnings " | ||
+ shlex.join(["-e", query]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the following will be more robust:
yield ("lms", shlex.join([
"mysql",
"--user={{ MYSQL_ROOT_USERNAME }}",
"--password={{ MYSQL_ROOT_PASSWORD }}",
"--host={{ MYSQL_HOST }}",
"--port={{ MYSQL_PORT }}",
"--database={{ OPENEDX_MYSQL_DATABASE }}",
"--show-warnings",
"-e",
query,
]))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This certainly looks better. I've updated the original one to this.
tutor/commands/jobs_utils.py
Outdated
- `get_mysql_change_charset_query`: Generates MySQL queries to upgrade the charset and collation of columns, tables, and databases. | ||
- `set_theme_template`: Generates the necessary commands to set a theme on a specific domain in openedx. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's not adopt the habit of documenting the functions at the top of the file. Can you please move the function short descriptions to the function docstrings? (in triple quotes)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did it as @DawoudSheraz requested me to add file docstrings. But, I guess we're not following that convention for now. So, I've removed the file docstring in favor of function docstrings.
closes #1095
This PR is a continuation of the issue mentioned in #1089.
--password
option or interactively. The command can also be run non-interactively with the--non-interactive
option as it might prompt for some confirmations otherwise.The commands necessary to update a native installation of tutor would be: