replace password with unix socket authentication for root user #4
Conversation
…uth plugin, ensure that the tasks run for both Debian and RedHat based distros
defaults/main.yml
Outdated
| # mariadb root user password | ||
| database_root_password: '4567' |
There was a problem hiding this comment.
There should be an explanation that this is now only being used for authentication and that this password is not set
There was a problem hiding this comment.
I had already adapted the README but I have added additional context in defaults/main.yml file now
tasks/main.yml
Outdated
| include_vars: "{{ item }}" | ||
| with_first_found: | ||
| - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" | ||
| - "{{ ansible_distribution }}.yml" | ||
| - "{{ ansible_os_family }}.yml" | ||
| tags: always |
There was a problem hiding this comment.
Why this complicated? We know that only the last will ever catch, won't it?
| include_vars: "{{ item }}" | |
| with_first_found: | |
| - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" | |
| - "{{ ansible_distribution }}.yml" | |
| - "{{ ansible_os_family }}.yml" | |
| tags: always | |
| include_vars: "{{ ansible_os_family }}.yml" | |
| tags: always |
There was a problem hiding this comment.
agreed. I had put the others there as a preparation for possible further distribution deviations, but there seem to be no more
tasks/main.yml
Outdated
| ansible.builtin.package: | ||
| name: "{{ item }}" | ||
| state: present | ||
| with_items: "{{ mariadb_packages }}" |
There was a problem hiding this comment.
Shouldn't this also work (and doesn't require a loop):
| ansible.builtin.package: | |
| name: "{{ item }}" | |
| state: present | |
| with_items: "{{ mariadb_packages }}" | |
| ansible.builtin.package: | |
| name: "{{ mariadb_packages }}" | |
| state: present |
As an alternative, you could even use a simple inline switch here.
That way, you wouldn't have to look up somewhere else what will be installed:
- name: Install MariaDB on RedHat Systems
ansible.builtin.package:
name:
- mariadb-server
- mariadb
- python3-{{ 'PyMySQL' if ansible_os_family == 'RedHat' else 'pymysql' }}There was a problem hiding this comment.
Yes, this also works. Not every module accepts lists as parameters so I had used a loop here, but the package module apparently does :) for inline switches I would have to use several because not only the python package name differs and then I can just put it into a variable because we need a distribution distinction anyways
| @@ -39,7 +38,7 @@ | |||
| - name: Configure mariadb | |||
| notify: Restart MariaDB | |||
| ansible.builtin.ini_file: | |||
| dest: /etc/my.cnf.d/opencast.cnf | |||
| dest: "{{ mariadb_configuration_file }}" | |||
There was a problem hiding this comment.
Multiple places to comment on this, but let me make the comment here once.
Why set this to different places on Debian and Red Hat? The previous location should be fine. Setting this to something else will just cause confusion for people upgrading from an older version of this role and I don't see any benefit.
There was a problem hiding this comment.
Because /etc/my.cnf.d as a config inclusion path does not work on Debian and derivatives. The path does not exist by default and mariadb in Debian does not look for it. So if people upgrade from an older role version it hadn't worked anyways before in Debian and derivatives.
|
|
||
| - name: Ensure root user can only connect from the local machine | ||
| community.mysql.mysql_query: |
There was a problem hiding this comment.
Does this matter at all if the next step is to force the root user to use Unix sockets?
There was a problem hiding this comment.
Yes, because even after you have forced the root user to use the unix_socket plugin you'd also want to clean up entries that still refer to remote hosts because after a (accidental) deactivation of the plugin they'd become active/relevant again
This patch fixes the Molecule tests by running the playbooks on LXC containers in GitHub Actions.
This role fails on el9 systems. Setting a socket location fixes the problem.
This patch runs the tests also on el9 and marks the role as being compatible with that version.
This patch fixes the specification for supported `EL` versions which had a typo in the dictionary key.
…uth plugin, ensure that the tasks run for both Debian and RedHat based distros
…r conf file so that it survives package upgrades
Thank you for the review! I have incorporated your feedback now |
There was a problem hiding this comment.
I tested this on two different oparating systems (Debian 12 and CentOS Stream 9) and it seems to work fine, if you adjust the socket location accordingly (see comment). I think this is a good improvement of the role and we should merge this (and sorry again for the delay). Thank you @DanScharon !
| @@ -90,6 +65,8 @@ | |||
| priv: "{{ database_name }}.*:ALL,GRANT" | |||
| login_user: "{{ database_root_user }}" | |||
| login_password: "{{ database_root_password }}" | |||
| check_implicit_admin: true | |||
| login_unix_socket: /run/mysqld/mysqld.sock | |||
There was a problem hiding this comment.
This needs a os-specific variable as well. E.g. on CentOS Stream 9 the defautl socket location is /var/lib/mysql/mysql.sock.
|
|
||
| - name: Delete anonymous user | ||
| community.mysql.mysql_user: | ||
| user: "" | ||
| host: "{{ item }}" | ||
| host_all: yes |
There was a problem hiding this comment.
| host_all: yes | |
| host_all: true |
this pull request implements two things:
authentication via unix socket has been set as the default for the MariaDB user 'root'@'localhost' since MariaDB 10.4.3
Since then there is no need anymore to set a database root user password and it is actually better to not do so because it can have bad side affects, e.g. in Debian/Ubuntu some maintainer scripts rely on this function and also
automysqlbackup. For the latter you would have to store again a password in a cleartext file.For the creation of the opencast user and database it is sufficient to use
becomefor root permissions.database_root_passwordis still left in as optional because some users may provision to an already installed MariaDB which has a database root user password already set.