[PORTAL] Non-root user for back-end database

Creation of a non-root user for portal backend
mariaDB database. Update portal apps, such as
front-end app and sdk app, to use the non-root
user to access back-end mariaDB database

Issue-ID: OOM-2576
Signed-off-by: SandeepLinux <Sandeep.Shah@att.com>
Change-Id: Ie13c7d190c08a4075058b97b352f4b71bbb0aa47
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>

11 files changed, 81 insertions, 8 deletions

diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
index b5b4e48b97..c8a292f60b 100755
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
@@ -16,8 +16,8 @@
 #mysql
 db.driver = org.mariadb.jdbc.Driver
 db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal
-db.userName =root
-db.password =Aa123456
+db.userName =${PORTAL_DB_USER}
+db.password =${PORTAL_DB_PASSWORD}
 db.hib.dialect = org.hibernate.dialect.MySQLDialect
 db.min_pool_size = 5
 db.max_pool_size = 10
@@ -122,4 +122,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}}
 ext_central_access_user_name = aaf_admin@people.osaaf.org
 ext_central_access_password = demo123456!
 ext_central_access_url = {{.Values.aafURL}}
-ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file
+ext_central_access_user_domain = @people.osaaf.org
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
index 0be1fdc91f..d61f876528 100644
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml
@@ -61,6 +61,10 @@ spec:
             {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
           - name: CIPHER_ENC_KEY
             {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+          - name: PORTAL_DB_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }}
+          - name: PORTAL_DB_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }}
         volumeMounts:
         - mountPath: /config-input
           name: properties-onapportal-scrubbed
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 55a7ccca38..bd1ed585ad 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -43,6 +43,12 @@ secrets:
     externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
     password: '{{ .Values.config.cipherEncKey }}'
     passwordPolicy: required
+  - uid: portal-backend-db
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+    login: '{{ .Values.mariadb.config.backendUserName }}'
+    password: '{{ .Values.mariadb.config.backendPassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -120,6 +126,10 @@ service:
 mariadb:
   service:
     name: portal-db
+  config:
+    # backendDbExternalSecret: some secret
+    backendUserName: portal
+    backendPassword: portal
 widget:
   service:
     name: portal-widget
diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
index 28fcee1551..93d2b67cc9 100644
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
@@ -182,6 +182,13 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 			echo
 		done
 
+		file_env 'PORTAL_DB_TABLES'
+		for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g")
+			do
+			    echo "Granting portal user ALL PRIVILEGES for table $i"
+					echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+			done
+
 		if ! kill -s TERM "$pid" || ! wait "$pid"; then
 			echo >&2 'MySQL init process failed.'
 			exit 1
@@ -193,4 +200,4 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 	fi
 fi
 
-exec "$@"
\ No newline at end of file
+exec "$@"
diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
index ec6cc50634..196a2d1ad4 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
@@ -69,6 +69,18 @@ spec:
                 secretKeyRef:
                   name: {{ template "common.fullname" . }}
                   key: db-root-password
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "common.fullname" . }}
+                  key: backend-db-user
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "common.fullname" . }}
+                  key: backend-db-password
+            - name: PORTAL_DB_TABLES
+              value: {{ .Values.config.backend_portal_tables }}
           volumeMounts:
           - mountPath: /var/lib/mysql
             name: mariadb-data
diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
index ad1db77298..4415c5ebd0 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
@@ -26,3 +26,6 @@ metadata:
 type: Opaque
 data:
   db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
+stringData:
+  backend-db-user: {{ .Values.config.backendDbUser }}
+  backend-db-password: {{ .Values.config.backendDbPassword }}
diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml
index 3435feb43e..fc1eca881d 100644
--- a/kubernetes/portal/components/portal-mariadb/values.yaml
+++ b/kubernetes/portal/components/portal-mariadb/values.yaml
@@ -35,6 +35,11 @@ mariadbInitImage: "oomk8s/mariadb-client-init:3.0.0"
 config:
   mariadbUser: root
   mariadbRootPassword: Aa123456
+  backendDbUser: portal
+  backendDbPassword: portal
+  #backend_portal_tables is a comma delimited string listing back-end tables
+  #that backendDbUser needs access to, such as to portal and ecomp_sdk tables
+  backend_portal_tables: portal,ecomp_sdk
   #The directory where sql files are found in the projects gerrit repo.
   sqlSourceDirectory: portal/deliveries
   # sdc frontend assignment for port 9443
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
index 2a2ec59d5c..1faed41b85 100755
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
@@ -40,8 +40,8 @@ decryption_key				  = AGLDdG4D04BKm2IxIWEr8o==
 
 db.driver = org.mariadb.jdbc.Driver
 db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk
-db.userName = root
-db.password = Aa123456
+db.userName =${PORTAL_DB_USER}
+db.password =${PORTAL_DB_PASSWORD}
 db.min_pool_size = 5
 db.max_pool_size = 10
 hb.dialect = org.hibernate.dialect.MySQLDialect
@@ -90,4 +90,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}}
 ext_central_access_user_name = aaf_admin@people.osaaf.org
 ext_central_access_password = demo123456!
 ext_central_access_url = {{.Values.aafURL}}
-ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file
+ext_central_access_user_domain = @people.osaaf.org
diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
index f79098fade..fabefde9d3 100644
--- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
@@ -61,6 +61,10 @@ spec:
             {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
           - name: CIPHER_ENC_KEY
             {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+          - name: PORTAL_DB_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }}
+          - name: PORTAL_DB_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }}
         volumeMounts:
         - mountPath: /config-input
           name: properties-onapportalsdk-scrubbed
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
index c0f1b58c9a..4056b2aa7a 100644
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ b/kubernetes/portal/components/portal-sdk/values.yaml
@@ -39,6 +39,12 @@ secrets:
     login: '{{ .Values.cassandra.config.cassandraUsername }}'
     password: '{{ .Values.cassandra.config.cassandraPassword }}'
     passwordPolicy: required
+  - uid: portal-backend-db
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+    login: '{{ .Values.mariadb.config.backendUserName }}'
+    password: '{{ .Values.mariadb.config.backendPassword }}'
+    passwordPolicy: required
   - uid: cipher-enc-key
     type: password
     externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
@@ -115,6 +121,10 @@ service:
 mariadb:
   service:
     name: portal-db
+  config:
+    # backendDbExternalSecret: some secret
+    backendUserName: portal
+    backendPassword: portal
 widget:
   service:
     name: portal-widget
diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml
index 2a760cdd98..0d4b023b12 100644
--- a/kubernetes/portal/values.yaml
+++ b/kubernetes/portal/values.yaml
@@ -32,12 +32,19 @@ secrets:
     externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}'
     login: '{{ .Values.config.cassandraUsername }}'
     password: '{{ .Values.config.cassandraPassword }}'
+  - uid: portal-backend-db
+    name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds'
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+    login: '{{ .Values.mariadb.config.backendUserName }}'
+    password: '{{ .Values.mariadb.config.backendPassword }}'
+    passwordPolicy: required
 
 config:
   logstashServiceName: log-ls
   logstashPort: 5044
   cassandraUsername: root
-# cassandraPassword: Aa123456
+  cassandraPassword: Aa123456
 # casandraCredsExternalSecret: some secret
 
 portal-mariadb:
@@ -45,6 +52,11 @@ portal-mariadb:
 mariadb:
   service:
     name: portal-db
+  config:
+#   backendDbExternalSecret: some secret
+    backendUserName: portal
+    backendPassword: portal
+
 widget:
   service:
     name: portal-widget
@@ -54,10 +66,16 @@ cassandra:
   config:
     cassandraExternalSecret: *dbSecretName
 portal-app:
+  mariadb:
+    config:
+      backendDbExternalSecret: *backendDbSecretName
   cassandra:
     config:
       cassandraExternalSecret: *dbSecretName
 portal-sdk:
+  mariadb:
+    config:
+      backendDbExternalSecret: *backendDbSecretName
   cassandra:
     config:
       cassandraExternalSecret: *dbSecretName