[PORTAL] Non-root user for back-end database

Creation of a non-root user for portal backend
mariaDB database. Update portal apps, such as
front-end app and sdk app, to use the non-root
user to access back-end mariaDB database

Issue-ID: OOM-2576
Signed-off-by: SandeepLinux <Sandeep.Shah@att.com>
Change-Id: Ie13c7d190c08a4075058b97b352f4b71bbb0aa47
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>

4 files changed, 28 insertions, 1 deletions

diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
index 28fcee1551..93d2b67cc9 100644
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
@@ -182,6 +182,13 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 			echo
 		done
 
+		file_env 'PORTAL_DB_TABLES'
+		for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g")
+			do
+			    echo "Granting portal user ALL PRIVILEGES for table $i"
+					echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+			done
+
 		if ! kill -s TERM "$pid" || ! wait "$pid"; then
 			echo >&2 'MySQL init process failed.'
 			exit 1
@@ -193,4 +200,4 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 	fi
 fi
 
-exec "$@"
\ No newline at end of file
+exec "$@"
diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
index ec6cc50634..196a2d1ad4 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
@@ -69,6 +69,18 @@ spec:
                 secretKeyRef:
                   name: {{ template "common.fullname" . }}
                   key: db-root-password
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "common.fullname" . }}
+                  key: backend-db-user
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "common.fullname" . }}
+                  key: backend-db-password
+            - name: PORTAL_DB_TABLES
+              value: {{ .Values.config.backend_portal_tables }}
           volumeMounts:
           - mountPath: /var/lib/mysql
             name: mariadb-data
diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
index ad1db77298..4415c5ebd0 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
@@ -26,3 +26,6 @@ metadata:
 type: Opaque
 data:
   db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
+stringData:
+  backend-db-user: {{ .Values.config.backendDbUser }}
+  backend-db-password: {{ .Values.config.backendDbPassword }}
diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml
index 3435feb43e..fc1eca881d 100644
--- a/kubernetes/portal/components/portal-mariadb/values.yaml
+++ b/kubernetes/portal/components/portal-mariadb/values.yaml
@@ -35,6 +35,11 @@ mariadbInitImage: "oomk8s/mariadb-client-init:3.0.0"
 config:
   mariadbUser: root
   mariadbRootPassword: Aa123456
+  backendDbUser: portal
+  backendDbPassword: portal
+  #backend_portal_tables is a comma delimited string listing back-end tables
+  #that backendDbUser needs access to, such as to portal and ecomp_sdk tables
+  backend_portal_tables: portal,ecomp_sdk
   #The directory where sql files are found in the projects gerrit repo.
   sqlSourceDirectory: portal/deliveries
   # sdc frontend assignment for port 9443