Hello,
I would like to add support for MySQL/MariaDB and I have some questions about it.
I suppose the nicest way to do it would be to use some Haskell binding and to connect directly to the server from propellor. However, this would add a dependency to build it. Is it acceptable?
Another solution is to use a command line client and parse its output, but the SQL syntax is so strange that I fear this will be painful.
Another question is about password generation. As I will need many passwords, I would like to generate them using a crypto hash of a secret combined with a public part in the propellor config. Do you have a suggestion to compute this hash? I think a dependency on a hash library is easier to accept.
Thanks.
We want to avoid adding heavy dependencies to propellor since that makes propellor more expensive to bootstrap and adds a point of failure.
But, it should be easy enough to add dependencies to your own ~/.propellor/config.cabal and write your properties using them. It would also be fine to have additional libraries of propellor properties extending propellor.
As for crypto hashes, it's certainly general enough to consider adding to propellor, but it's also striking that propellor has mostly avoided needing any hashes (except for some small uses of hashable and one place that shells out to sha1). If there's a general purpose property that uses a crypto hash, we could talk about adding it.
I am looking for a solution which could be integrated into propellor. Is it possible to include those additional libraries in propellor sources and have them included in the build on demand? I am not very familiar with the Haskell build systems.
About generated passwords, a nice solution would be to do it in PrivData. The user would provide a salt as the private data and it would be combined with the context to generate a password. I can try to find how this could be done.
Well, cabal files can have flags that enable additional dependencies, but using them complicates testing the program since you have to try building it with different combinations of flags. And deploying propellor with the desired flags turned on would be an additional complication.
I feel that additional libraries that depend on propellor and the sql library and provide properties is a better approach. The user can easily add the dependency to their ~/.propellor/config.cabal, and the necessary dependencies will be automatically installed when propellor is deploying itself to a new host.
Hello,
I have made a first version to support MySQL databases and users for classic web applications.
You can pull the mysql branch at http://git.ni.fr.eu.org/nicolas/propellor.git
Can you have a look? I find userGrantedOnDatabase.setup' a little hard to read. Is it OK, or do you see a clearer way to write it?
Thanks!
Some review, sorry it took me so long to take a look at it..
It's not clear to me how to construct a Database; what is the String inside it? The path? A database name? What makes for a legal or illegal database name? (May be more obvious to people who use mysql than to me.)
Looks like Show Privilege is being used to generate configuration. I dislike using Show for that, because it precludes it being used with Read, and is generally unclear that the strings in show need to be formatted exactly as they are.
You could simplify allPrivileges using Enum, with [minBound..maxBound].
Reverting databaseExists and also reverting installed leads to the package being installed and then removed repeatedly. Perhaps databaseExists could avoid doing anything when the server has already been removed.
Some of the SQL construction doesn't seem entirely safe with quoting. While there's no security problem with it, it may have a correctness problem..
... In userGrantedOnDatabase when it creates the privLevel it looks like it doesn't escape the dbname at all, and I guess this means it doesn't need to be escaped, or can't contain back quotes.
... In userGranted' the quser is delimited by single quotes, but it's actually valid to have a User with a single quote in their name, and many of the Klingons out there probably depend on that.
... In hashPassword it looks like the password is also assumed to not contain single quotes.
Database is a database name.
I will make the change as soon as I have some time, thanks for the review!
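The quoting points from the review above, worked through as an added example that is not part of the thread or of the mysql branch. The names quoteIdent, quoteString, privSql and grantSql are hypothetical, the sample database and user names are constructed, and the string escaping assumes the server runs without NO_BACKSLASH_ESCAPES in its sql_mode.

```haskell
-- Added example; quoteIdent, quoteString, privSql and grantSql are
-- hypothetical names, not functions from the mysql branch.
module Main where

import Data.List (intercalate)

-- Privileges get their SQL text from privSql rather than from Show.
data Privilege = Select | Insert | Update | Delete
  deriving (Eq, Enum, Bounded)

privSql :: Privilege -> String
privSql Select = "SELECT"
privSql Insert = "INSERT"
privSql Update = "UPDATE"
privSql Delete = "DELETE"

-- Identifier (database name): wrap in back quotes, double embedded ones.
-- MySQL identifiers cannot be empty or contain NUL.
quoteIdent :: String -> Either String String
quoteIdent s
  | null s || '\0' `elem` s = Left ("invalid identifier: " ++ show s)
  | otherwise = Right ("`" ++ concatMap esc s ++ "`")
  where
    esc '`' = "``"
    esc c   = [c]

-- String literal (user, host, password): double single quotes and
-- backslashes. Assumes NO_BACKSLASH_ESCAPES is not set in sql_mode.
quoteString :: String -> Either String String
quoteString s
  | '\0' `elem` s = Left ("NUL in string literal: " ++ show s)
  | otherwise = Right ("'" ++ concatMap esc s ++ "'")
  where
    esc '\'' = "''"
    esc '\\' = "\\\\"
    esc c    = [c]

grantSql :: [Privilege] -> String -> String -> String -> Either String String
grantSql [] _ _ _ = Left "no privileges given"
grantSql privs db user host = do
  qdb   <- quoteIdent db
  quser <- quoteString user
  qhost <- quoteString host
  Right $ "GRANT " ++ intercalate ", " (map privSql privs)
    ++ " ON " ++ qdb ++ ".* TO " ++ quser ++ "@" ++ qhost

main :: IO ()
main = mapM_ (putStrLn . either ("error: " ++) id)
  [ grantSql [minBound .. maxBound] "web`app" "K'mpec" "localhost" -- constructed
  , grantSql [Select] "" "bob" "localhost" ]                       -- rejected
```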
Hello,
I have made a second version.
About reverting installed, I noticed that it only removes the meta package, which is quite useless. Maybe I should just drop revertability on this one.
The problem of installing a software just to revert a property can also be seen in Apache.modEnabled for example.
Any comments are welcome.
Thanks.
Hello,
I have added a function to restore a database from a backup. It works like the Borg.restored property, it will restore only if the database is empty.
Also included is a fix to wait until the server is available. This is needed when a container is just started for example.