Changeset - aee44319ba2c
Branko Majic (branko) - 3 years ago 2020-12-23 22:45:22
branko@majic.rs
MAR-168: Drop the Debian system maintenance user if present:

- Drop the user itself from the MySQL database.
- Update the Debian system maintenance configuration file if root is
not specified as the user within.
- Updated tests.
- Updated release notes.
- Updated role reference documentation.
5 files changed with 85 insertions and 0 deletions:
docs/releasenotes.rst
 
@@ -40,6 +40,13 @@ upgrade to Python 3.x, dropping support for Python 2.7.
 
    can now login into the database (as the root database user) via
 
    unix socket authentication.
 

	
 
  * Role will drop the use of Debian system maintenance user
 
    (``debian-sys-maint``) in favour of using the root account with
 
    UNIX socket authentication if the database server has not already
 
    been set-up in that manner. This is the default behaviour starting
 
    from Debian Stretch, and the ``debian-sys-main`` will be present
 
    only if the server has been upgraded from older releases.
 

	
 
* ``ldap_server`` role
 

	
 
  * Parameter ``ldap_server_domain`` is now mandatory.
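Review bot: In the added release note the second mention of the account is spelled ``debian-sys-main`` (missing the final "t"), so it does not match ``debian-sys-maint`` a few lines earlier or in the role reference, and a search of the notes for the account name will miss it. The sentence "This is the default behaviour starting from Debian Stretch" would also be clearer if it said outright that the default is the root account over UNIX socket authentication, since "This" can be read as referring to the drop itself.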
docs/rolereference.rst
 
@@ -2002,6 +2002,10 @@ The role implements the following:
 
* Configures MariaDB server and client to use *UTF-8* encoding by default.
 
* Sets-up the database root user for passwordless login via UNIX
 
  socket authentication.
 
* Drops the ``debian-sys-maint`` database user (which was used in
 
  Debian Jessie and earlier for maintenance tasks) if it is present,
 
  and updates the Debian system maintenance configuration file to use
 
  the root account over unix socket authentication.
 

	
 

	
 
Role dependencies
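Review bot: The new bullet says the role "updates" the Debian system maintenance configuration file, but the task added in roles/database_server/tasks/main.yml replaces /etc/mysql/debian.cnf wholesale with the static file shipped in the role. Suggest wording it as a replacement so administrators know that local edits to that file are not preserved. Minor: "unix socket authentication" here is written "UNIX socket authentication" in the bullet directly above.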
roles/database_server/files/debian.cnf
 
new file 100644
 
# Automatically generated for Debian scripts. DO NOT TOUCH!
 
[client]
 
host     = localhost
 
user     = root
 
password = 
 
socket   = /var/run/mysqld/mysqld.sock
 
[mysql_upgrade]
 
host     = localhost
 
user     = root
 
password = 
 
socket   = /var/run/mysqld/mysqld.sock
 
basedir  = /usr
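Review bot: The header comment "Automatically generated for Debian scripts. DO NOT TOUCH!" no longer describes where this file comes from, since this copy is deployed by the role; a comment line stating that the file is managed by the database_server role would tell an administrator where changes belong. The socket path /var/run/mysqld/mysqld.sock is hard-coded in both the [client] and [mysql_upgrade] sections, so it has to stay in step with the socket the server configuration actually uses.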
roles/database_server/molecule/default/tests/test_default.py
 
@@ -123,3 +123,45 @@ def test_root_can_login_via_unix_socket_only(host):
 

	
 
        assert root_logins_with_unix_socket.rc == 0
 
        assert root_logins_with_unix_socket.stdout.strip() == "root	localhost"
 

	
 

	
 
def test_debian_system_maintenance_user_is_absent(host):
 
    """
 
    Tests if the dedicated Debian system maintenance user is absent
 
    (leftover from Debian Jessie and previous versions).
 
    """
 

	
 
    with host.sudo():
 
        debian_system_maintenance_user = host.run("mysql -BNe %s", "select count(*) from mysql.user where user = 'debian-sys-maint'")
 

	
 
        assert debian_system_maintenance_user.rc == 0
 
        assert debian_system_maintenance_user.stdout.strip() == "0"
 

	
 

	
 
def test_debian_system_maintenance_configuration_file(host):
 
    """
 
    Tests if the Debian system maintenance configuration file has been
 
    set-up properly.
 
    """
 
    
 
    with host.sudo():
 
        config = host.file("/etc/mysql/debian.cnf")
 

	
 
        assert config.is_file
 
        assert config.user == 'root'
 
        assert config.group == 'root'
 
        assert config.mode == 0o600
 
        assert "debian-sys-maint" not in config.content_string
 

	
 

	
 
def test_debian_system_maintenance_configuration_file_can_be_used_for_login(host):
 
    """
 
    Tests if the Debian system maintenance configuration file can be
 
    used for authenticating as the root user.
 
    """
 

	
 
    with host.sudo():
 
        login = host.run("mysql --defaults-file=/etc/mysql/debian.cnf -NBe %s", "select current_user();")
 

	
 
        assert login.rc == 0
 
        assert login.stdout.strip() == "root@localhost"
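Review bot: The three new tests only check the end state, and none of the five files in this changeset seeds a debian-sys-maint account or an old-style /etc/mysql/debian.cnf before the role runs. On a freshly installed image where that user never existed, test_debian_system_maintenance_user_is_absent and the configuration file tests pass without the new drop and redeploy tasks doing anything, so the upgrade path this change targets is not exercised; consider a preparation step that creates the user and a debian.cnf referencing it. In test_debian_system_maintenance_configuration_file, the content check only asserts that "debian-sys-maint" is absent; asserting that both sections carry user = root would be a tighter check.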
roles/database_server/tasks/main.yml
 
@@ -53,6 +53,26 @@
 
    path: "/root/.my.cnf"
 
    state: absent
 

	
 
- name: Check if Debian system maintenance configuration file uses dedicated user
 
  command: "grep -q 'user.*=.*root' /etc/mysql/debian.cnf"
 
  register: debian_maintenance_configuration_uses_root
 
  failed_when: false
 
  changed_when: false
 

	
 
- name: Deploy Debian system maintenance configuration file that uses root account
 
  copy:
 
    src: "debian.cnf"
 
    dest: "/etc/mysql/debian.cnf"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  when: "debian_maintenance_configuration_uses_root.rc != 0"
 

	
 
- name: Drop the dedicated Debian system maintenance user
 
  mysql_user:
 
    name: "debian-sys-maint"
 
    state: absent
 

	
 
- name: Set UTF-8 encoding as default for MariaDB
 
  copy:
 
    src: "utf8.cnf"
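Review bot: The check grep -q 'user.*=.*root' is loose enough to skip the redeploy on a file that still uses the dedicated user: it matches any single line containing "user", "=" and "root" in that order (a comment, or a value that merely contains "root"), and one match is enough even though the file has both a [client] and a [mysql_upgrade] section. Because the next task drops debian-sys-maint unconditionally, a false match leaves /etc/mysql/debian.cnf pointing at an account that no longer exists. Anchoring the pattern, for example '^user[[:space:]]*=[[:space:]]*root[[:space:]]*$', or grepping for debian-sys-maint and deploying when it is found, would be stricter. The task name says "uses dedicated user" while the command tests for root, failed_when: false also hides grep errors other than "no match", and mode: 0600 is safer written as the quoted string "0600".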