welcome: please sign in

Diff for "DaemonAdmin/MySQL"

Differences between revisions 13 and 22 (spanning 9 versions)
Revision 13 as of 2007-02-05 14:44:06
Size: 2950
Editor: 213
Comment:
Revision 22 as of 2007-02-10 19:33:18
Size: 4738
Editor: 212
Comment:
Deletions are marked like this. Additions are marked like this.
Line 19: Line 19:
Ok, logically, the steps are: === Logical steps ===
Line 22: Line 22:
 1. Create directory structure with proper permission within the AFS volume  1. Create directory structure with proper permission within the AFS volume (the sole existence of the directory is enough for MySQL to consider it a database, even if just an empty one). NOTE: If we stick to existing behavior on fyodor, requested database name should be prefixed with USERNAME_ .
Line 28: Line 28:
(This is needed only once, for first DB - MySQL or any other):
 1. vos create -server afs -partition a -name db.USERNAME -maxquota 5000
 1. fs mkmount -dir /afs/.hcoop.net/common/databases/USERNAME -vol db.USERNAME -rw
 1. vos release root.cell
 1. fs setacl -dir /afs/hcoop.net/common/databases/USERNAME -acl mysql l
=== Initialize DB space for any DB ===
Line 34: Line 30:
(And this for every mysql DB):
 1. $dir = /afs/hcoop.net/common/databases/USERNAME/mysql
 1. mkdir $dir
 1. fs setacl -dir /afs/hcoop.net/common/databases/USERNAME/mysql -acl mysql l
 1. mkdir $dir/DBNAME || exit # (Must not exist)
 1. chown mysql:mysql $dir/DBNAME
 1. chmod 770 $dir/DBNAME # (Just for visual impression)
 1. ln -sf $dir/DBNAME /var/lib/mysql/DBNAME
 1. fs setacl -dir $dir/DBNAME/ -acl mysql all
 1. mysql -e 'create database DBNAME'
You need to perform this as any user who has AFS admin permissions:

 1. $dir = /afs/hcoop.net/common/.databases/'''USERNAME'''

'''If vos examine db.USER says there's no volume created:'''
 1. vos create -server afs -partition a -name db.'''USERNAME''' -maxquota 5000


'''If db.USER volume is there, but $dir is not present (volume isn't mounted):'''
 1. fs mkmount -dir /afs/hcoop.net/common/.databases/'''USERNAME''' -vol db.'''USERNAME''' -rw
 1. vos release common.databases

'''And this can be done always:'''
 1. fs setacl -dir /afs/hcoop.net/common/databases/'''USERNAME''' -acl databases l
 1. fs setacl -dir /afs/hcoop.net/common/databases/'''USERNAME''' -acl system:backup rl


=== Database creation routine when the db space has been initialized ===

You need to perform this as any user who has AFS admin permissions:

 1. $dir = /afs/hcoop.net/common/databases/'''USERNAME'''/mysql
 1. mkdir -p $dir
 1. fs setacl -dir $dir -acl mysql lid
 1. fs setacl -dir $dir -acl databases none # (keep out other databases, just in case)
 1. fs setacl -dir $dir -acl system:backup rl # (should be inherited from parent dir)
 1. sudo mkdir $dir/'''DBNAME''' || exit # (Must not exist)
 1. sudo chown mysql:mysql $dir/'''DBNAME'''
 1. sudo chmod 770 $dir/'''DBNAME''' # (Just for visual impression)
 1. sudo ln -sf $dir/'''DBNAME''' /var/lib/mysql/'''DBNAME'''
 1. fs setacl -dir $dir/'''DBNAME'''/ -acl mysql all
 1. sudo -H mysql -e 'create database '''DBNAME''''
Line 48: Line 66:
which the user can edit, would be ok. or an appropriate support ticket would be cool.
Line 51: Line 69:
(domtool2): (domtool2), which can be specified as sudo -H mysql -e ".....":
Line 53: Line 71:
 1. CREATE USER 'USERNAME'@'HOSTNAME' IDENTIFIED BY 'PASSWORD';
 1. GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,GRANT OPTION ON '''DBNAME''' TO USERNAME@'%.hcoop.net';
 1. CREATE USER ''''USERNAME''''@''''HOSTNAME'''' IDENTIFIED BY ''''PASSWORD'''';
 1. GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,GRANT OPTION ON '''DBNAME''' TO '''USERNAME'''@'%.hcoop.net';
Line 60: Line 78:
There are two other things related to users, one is There are two other things related to users, one is changing password and the other is deleting users. These simply map to
mysql SET PASSWORD and DROP USER commands, if you go to implement them.

And one last thing; mysql is listening both on localhost and network interfaces (deleuze external IP). Maybe we want to restrict
it to run on just one of them. Or if not, if it will run on both, then the access rule ( USERNAME@'%.hcoop.net' ) has to be duplicated
in a way (for USERNAME@localhost), OR the users will always have to specify mysql host "deleuze" instead of "localhost". Another solution to this is that we don't try to be clever at all, but simply let users make sure the hostname part in their support ticket will match the interface they'll be using to connect.

1. DaemonAdmin/MySQL

Because we wanted to have version 5 of MySQL running on our stable server, we used the [http://dotdeb.org] package. For this reason there should be mirrors from dotdeb.org listed in the file /etc/apt/sources.list on deleuze.

1.1. Configuration details

my.cnf file modified to leave a port open over the network, default is local pipe only.

1.2. Progress

As of Sat Jan 6 12:29:23 EST 2007, the MySQL 5.0 daemon and client libraries have been installed on deleuze. I also installed the mysql-common and mysql-client 5.0 packages on mire which should will allow for users to connect back to the main DB server.

1.3. To Do

dbtool will need to be programmed to store data files in user home directories. It will also need to set up the appropriate GRANT permission on creation of each database to allow a connection from mire or other front-end servers by default.

1.4. Steps to perform

1.4.1. Logical steps

  1. Create user's database volume in AFS, if one isn't there already
  2. Create directory structure with proper permission within the AFS volume (the sole existence of the directory is enough for MySQL to consider it a database, even if just an empty one). NOTE: If we stick to existing behavior on fyodor, requested database name should be prefixed with USERNAME_ .
  3. Create a symbolic link in /var/lib/mysql/ that points to the database
  4. Grant the user rights on the new DB

And, in terms of command line, the steps are:

1.4.2. Initialize DB space for any DB

You need to perform this as any user who has AFS admin permissions:

  1. $dir = /afs/hcoop.net/common/.databases/USERNAME

If vos examine db.USER says there's no volume created:

  1. vos create -server afs -partition a -name db.USERNAME -maxquota 5000

If db.USER volume is there, but $dir is not present (volume isn't mounted):

  1. fs mkmount -dir /afs/hcoop.net/common/.databases/USERNAME -vol db.USERNAME -rw

  2. vos release common.databases

And this can be done always:

  1. fs setacl -dir /afs/hcoop.net/common/databases/USERNAME -acl databases l

  2. fs setacl -dir /afs/hcoop.net/common/databases/USERNAME -acl system:backup rl

1.4.3. Database creation routine when the db space has been initialized

You need to perform this as any user who has AFS admin permissions:

  1. $dir = /afs/hcoop.net/common/databases/USERNAME/mysql

  2. mkdir -p $dir
  3. fs setacl -dir $dir -acl mysql lid
  4. fs setacl -dir $dir -acl databases none # (keep out other databases, just in case)
  5. fs setacl -dir $dir -acl system:backup rl # (should be inherited from parent dir)
  6. sudo mkdir $dir/DBNAME || exit # (Must not exist)

  7. sudo chown mysql:mysql $dir/DBNAME

  8. sudo chmod 770 $dir/DBNAME # (Just for visual impression)

  9. sudo ln -sf $dir/DBNAME /var/lib/mysql/DBNAME

  10. fs setacl -dir $dir/DBNAME/ -acl mysql all

  11. sudo -H mysql -e 'create database DBNAME'

Now, about users and granting permissions to the database, I would like to see users being able create new users and passwords and their privileges (to their databases) themselves. This would allow fine-grained tuning of what service uses which DB username/pw, and what access rights it has. Maybe a list of users/passwords, or an appropriate support ticket would be cool.

So anyway, the procedure for creating a user and giving privileges, executed on behalf of the admin user (domtool2), which can be specified as sudo -H mysql -e ".....":

  1. CREATE USER 'USERNAME'@'HOSTNAME' IDENTIFIED BY 'PASSWORD';

  2. GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,GRANT OPTION ON DBNAME TO USERNAME@'%.hcoop.net';

  3. FLUSH PRIVILEGES;

(Thing to note here: Wildcard '%' can be used in hostname part, for things like '%.hcoop.net'.)

There are two other things related to users, one is changing password and the other is deleting users. These simply map to mysql SET PASSWORD and DROP USER commands, if you go to implement them.

And one last thing; mysql is listening both on localhost and network interfaces (deleuze external IP). Maybe we want to restrict it to run on just one of them. Or if not, if it will run on both, then the access rule ( USERNAME@'%.hcoop.net' ) has to be duplicated in a way (for USERNAME@localhost), OR the users will always have to specify mysql host "deleuze" instead of "localhost". Another solution to this is that we don't try to be clever at all, but simply let users make sure the hostname part in their support ticket will match the interface they'll be using to connect.

DaemonAdmin/MySQL (last edited 2012-04-23 04:19:38 by ClintonEbadi)