Parametrize mysql privileges and group options
vamgnu authored and Daniel Viñar Ulriksen committed Sep 12, 2024
1 parent c8eac97 commit cfba5d9
Showing 4 changed files with 7 additions and 3 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -181,7 +181,9 @@ The following variables give some tools to define, using hereabove described scr
Passwords setup and privileges of this user on the database must be set elsewhere in the playbook.
- For Mysql, variables are:
- `backuppc_db_server_root_pass` should be set to the appropriate value, if the mysql `root` user has a password defined. By default, the variable is undefined. It must be noticed that, in recent mysql/mariadb installation, at least on Debian, installation doesn't ask for and doesn't ramdomly generate a root password. Debian maintainance is no longer done with a specific user and password, but with user root through a unix sock and not a tcp authenticated sock. If the variable remains undefined, mysql tasks will be performed using debian maintenance configuration.
- `backuppc_db_dump_user` and `backuppc_db_dump_user_pass` are the name of the mysql user and the correspondent password, that will be given SELECT access to all databases and will be configured as default in the `.my.cnf` file in the home directory of the `backuppc_client_user` unix user, to alow access from the linux user that executes the backup scripts. Therefore `pre_dump.sh` or `post_dump.sh` scripts will be able to perform any database dump calling a simple mysql command, without specifiyng user or password.
- `backuppc_db_dump_user` and `backuppc_db_dump_user_pass` are the names of the mysql user and the correspondent password, that will be given SELECT access to all databases and will be configured as default in the `.my.cnf` file in the home directory of the `backuppc_client_user` unix user, to allow access from the linux user that executes the backup scripts. Therefore `pre_dump.sh` or `post_dump.sh` scripts will be able to perform any database dump calling a simple mysql command, without specifiyng user or password.
- `backuppc_db_dump_user_priv` are the privileges for `backuppc_db_dump_user` to perform backups. For example: `'*.*:PROCESS,SUPER,SELECT` or `*.*:RELOAD,PROCESS,LOCK TABLES,REPLICATION CLIENT`.
- `backuppc_db_dump_group_options` are the specific group options mariadb/mysql tools. For example: `client` (default) or `mariabackup`.

#### Mysql script examples

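Review bot: In the added `backuppc_db_dump_user_priv` bullet, the first example `'*.*:PROCESS,SUPER,SELECT` opens a single quote that is never closed, so a reader who copies it gets a malformed value; drop the quote or close it. The re-added `backuppc_db_dump_user` bullet above it still says the user "will be given SELECT access to all databases", which is no longer accurate once the privilege string comes from a variable, so it should refer to `backuppc_db_dump_user_priv` instead. The `backuppc_db_dump_group_options` bullet is missing a word ("group options mariadb/mysql tools") and would be clearer if it said that the value is the name of the option group written to `.my.cnf`. `specifiyng` is still misspelled in the re-added line.
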
2 changes: 2 additions & 0 deletions defaults/main.yml
Expand Up @@ -177,6 +177,8 @@ backuppc_db_server_type: ''
backuppc_db_dump_user: "{{ backuppc_client_user }}"
backuppc_db_dump_user_pass: 'put_it_from_a_vault'
backuppc_db_to_dump_name: 'my_app'
backuppc_db_dump_user_priv: '*.*:PROCESS,SUPER,SELECT'
backuppc_db_dump_group_options: "client"

## BackupPC web interface

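Review bot: The new default for `backuppc_db_dump_user_priv` keeps `SUPER` on `*.*`, so every host that does not override the variable still grants an administrative privilege to an account whose password is written in clear text to a `.my.cnf` file. Now that the value is configurable, either add a comment above the line saying why `SUPER` is needed for the dump, or plan a narrower default and call the behaviour change out in the README. Two smaller points on the second added line: `"client"` uses double quotes where the neighbouring literal defaults use single quotes, and the name `backuppc_db_dump_group_options` suggests a set of options while the value is a single option group name.
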
2 changes: 1 addition & 1 deletion tasks/mysql_config.yml
Expand Up @@ -31,7 +31,7 @@
user: "{{ backuppc_db_dump_user }}"
password: "{{ backuppc_db_dump_user_pass }}"
state: present
priv: '*.*:PROCESS,SUPER,SELECT'
priv: "{{ backuppc_db_dump_user_priv }}"
config_file: "{{ omit if backuppc_db_server_root_pass is defined else backuppc_mysql_credentials_file[(ansible_os_family|lower)] | default(omit) }}"


2 changes: 1 addition & 1 deletion templates/etc/mysql/.my.cnf.j2
@@ -1,3 +1,3 @@
[client]
[{{ backuppc_db_dump_group_options }}]
user={{ backuppc_db_dump_user }}
password={{ backuppc_db_dump_user_pass }}
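
Review bot: Replacing the `[client]` header with `[{{ backuppc_db_dump_group_options }}]` means the file contains only one group, so setting the variable to `mariabackup` removes the `[client]` section altogether. The README states that `pre_dump.sh` and `post_dump.sh` can call a simple mysql command without specifying user or password; that relies on the `[client]` group, and the `mysql` client does not read a `[mariabackup]` group. Consider keeping `[client]` unconditionally and rendering the extra group in addition when the variable differs from `client`, or accepting a list of group names and looping over it in the template.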
