Add basic auth to backup endpoint.

Author: AMecea

cmd/mysql-helper/appclone/appclone.go

@@ -18,7 +18,6 @@ package appclone
 
 import (
 	"fmt"
-	"net/http"
 	"os"
 	"os/exec"
 	"strings"
@@ -151,7 +150,7 @@ func cloneFromBucket(initBucket string) error {
 func cloneFromSource(host string) error {
 	glog.Infof("Cloning from node: %s", host)
 
-	resp, err := http.Get(fmt.Sprintf("http://%s:%d%s", host, tb.ServerPort, tb.ServerBackupPath))
+	backupBody, err := tb.RequestABackup(host, tb.ServerBackupPath)
 	if err != nil {
 		return fmt.Errorf("fail to get backup: %s", err)
 	}
@@ -161,7 +160,7 @@ func cloneFromSource(host string) error {
 	// data target dir
 	xbstream := exec.Command("xbstream", "-x", "-C", tb.DataDir)
 
-	xbstream.Stdin = resp.Body
+	xbstream.Stdin = backupBody
 	xbstream.Stderr = os.Stderr
 
 	if err := xbstream.Start(); err != nil {

cmd/mysql-helper/apphelper/server.go

@@ -63,6 +63,11 @@ func (s *server) healthHandle(w http.ResponseWriter, r *http.Request) {
 
 func (s *server) serveBackupHandle(w http.ResponseWriter, r *http.Request) {
 
+	if !s.isAuthenticated(r) {
+		http.Error(w, "Not authenticated!", http.StatusForbidden)
+		return
+	}
+
 	flusher, ok := w.(http.Flusher)
 	if !ok {
 		http.Error(w, "Streamming unsupported!", http.StatusInternalServerError)
@@ -107,3 +112,8 @@ func (s *server) serveBackupHandle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 }
+
+func (s *server) isAuthenticated(r *http.Request) bool {
+	user, pass, ok := r.BasicAuth()
+	return ok && user == tb.GetBackupUser() && pass == tb.GetBackupPass()
+}

cmd/mysql-helper/apptakebackup/apptakebackup.go

@@ -18,7 +18,6 @@ package apptakebackup
 
 import (
 	"fmt"
-	"net/http"
 	"os"
 	"os/exec"
 	"strings"
@@ -39,17 +38,18 @@ func RunTakeBackupCommand(stopCh <-chan struct{}, srcHost, destBucket string) er
 }
 
 func pushBackupFromTo(srcHost, destBucket string) error {
-	resp, err := http.Get(fmt.Sprintf("http://%s:%d%s", srcHost, tb.ServerPort, tb.ServerBackupPath))
+
+	backupBody, err := tb.RequestABackup(srcHost, tb.ServerBackupPath)
 	if err != nil {
-		return fmt.Errorf("fail to get backup: %s", err)
+		return fmt.Errorf("getting backup: %s", err)
 	}
 
 	gzip := exec.Command("gzip", "-c")
 
 	rclone := exec.Command("rclone",
 		fmt.Sprintf("--config=%s", tb.RcloneConfigFile), "rcat", destBucket)
 
-	gzip.Stdin = resp.Body
+	gzip.Stdin = backupBody
 	gzip.Stderr = os.Stderr
 	rclone.Stderr = os.Stderr
 

cmd/mysql-helper/util/util.go

@@ -171,6 +171,16 @@ func GetInitBucket() string {
 	return getEnvValue("INIT_BUCKET_URI")
 }
 
+// GetBackupAccessUser returns the basic auth credentials to access backup
+func GetBackupUser() string {
+	return getEnvValue("MYSQL_BACKUP_USER")
+}
+
+// GetBackupAccessUser returns the basic auth credentials to access backup
+func GetBackupPass() string {
+	return getEnvValue("MYSQL_BACKUP_PASSWORD")
+}
+
 // GetMasterHost returns the master host
 func GetMasterHost() string {
 	orcUri := getOrcUri()
@@ -298,3 +308,24 @@ func MaxClients(h http.Handler, n int) http.Handler {
 		h.ServeHTTP(w, r)
 	})
 }
+
+func RequestABackup(host, path string) (io.Reader, error) {
+	glog.Infof("Initiate a backup from: %s path: %s", host, path)
+
+	req, err := http.NewRequest("GET", fmt.Sprintf("http://%s:%d%s", host, ServerPort, path), nil)
+	if err != nil {
+		return nil, fmt.Errorf("fail to create request: %s", err)
+	}
+
+	// set authentification user and password
+	req.SetBasicAuth(GetBackupUser(), GetBackupPass())
+
+	client := &http.Client{}
+
+	resp, err := client.Do(req)
+	if err != nil || resp.StatusCode != 200 {
+		return nil, fmt.Errorf("fail to get backup: %s, code: %s", err, resp.Status)
+	}
+
+	return resp.Body, nil
+}

pkg/backupfactory/backupfactory.go

@@ -107,6 +107,34 @@ func (f *bFactory) ensurePodSpec(in core.PodSpec) core.PodSpec {
 		f.GetBackupUri(),
 	}
 
+	boolTrue := true
+	in.Containers[0].Env = []core.EnvVar{
+		core.EnvVar{
+			Name: "MYSQL_BACKUP_USER",
+			ValueFrom: &core.EnvVarSource{
+				SecretKeyRef: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: f.cluster.Spec.SecretName,
+					},
+					Key:      "BACKUP_USER",
+					Optional: &boolTrue,
+				},
+			},
+		},
+		core.EnvVar{
+			Name: "MYSQL_BACKUP_PASSWORD",
+			ValueFrom: &core.EnvVarSource{
+				SecretKeyRef: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: f.cluster.Spec.SecretName,
+					},
+					Key:      "BACKUP_PASSWORD",
+					Optional: &boolTrue,
+				},
+			},
+		},
+	}
+
 	if len(f.GetBackupSecretName()) != 0 {
 		in.Containers[0].EnvFrom = []core.EnvFromSource{
 			core.EnvFromSource{

pkg/mysqlcluster/secret.go

@@ -69,6 +69,14 @@ func (f *cFactory) syncClusterSecret() (state string, err error) {
 			in.Data["ORC_TOPOLOGY_USER"] = []byte(f.opt.OrchestratorTopologyUser)
 			in.Data["ORC_TOPOLOGY_PASSWORD"] = []byte(f.opt.OrchestratorTopologyPassword)
 
+			if len(in.Data["BACKUP_USER"]) == 0 {
+				in.Data["BACKUP_USER"] = []byte(util.RandomString(rStrLen))
+			}
+
+			if len(in.Data["BACKUP_PASSWORD"]) == 0 {
+				in.Data["BACKUP_PASSWORD"] = []byte(util.RandomString(rStrLen))
+			}
+
 			hash, err := hashstructure.Hash(in.Data, nil)
 			if err != nil {
 				glog.Errorf("Can't compute the hash for db secret: %s", err)

pkg/mysqlcluster/statefullset.go

@@ -261,6 +261,31 @@ func (f *cFactory) getEnvFor(name string) (env []core.EnvVar) {
 				},
 			},
 		})
+	case containerCloneName:
+		env = append(env, core.EnvVar{
+			Name: "MYSQL_BACKUP_USER",
+			ValueFrom: &core.EnvVarSource{
+				SecretKeyRef: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: f.cluster.Spec.SecretName,
+					},
+					Key:      "BACKUP_USER",
+					Optional: &boolTrue,
+				},
+			},
+		})
+		env = append(env, core.EnvVar{
+			Name: "MYSQL_BACKUP_PASSWORD",
+			ValueFrom: &core.EnvVarSource{
+				SecretKeyRef: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: f.cluster.Spec.SecretName,
+					},
+					Key:      "BACKUP_PASSWORD",
+					Optional: &boolTrue,
+				},
+			},
+		})
 	}
 
 	return