
Conversation

@szEvEz

@szEvEz szEvEz commented May 14, 2024

No description provided.

@fauust
Owner

fauust commented May 15, 2024

Hi @szEvEz!
Thanks for your PR.

Can you describe why you think that this is necessary? Also, as you can see, this role is tested with the molecule framework; if we introduce this new feature, I would like to add a test for it. Do you have any suggestion?

@szEvEz
Author

szEvEz commented May 15, 2024

Hi @fauust,

If I set the root user's password and disallow socket_authentication, I need to be able to pass a username and password for user and database creation.

I can have a look at writing a test for it!

@fauust
Owner

fauust commented May 15, 2024

Ok, rephrasing: why won't you use the socket authentication?

I am just curious about the use case since it seems not really practical to me (in the context of Ansible deployment).

(There might be an excellent reason that I am not aware of)...

@szEvEz
Author

szEvEz commented May 15, 2024

Ah, got it!

From my point of view this is a security concern. I want to set a password for the root user and disallow socket_authentication because I do not want passwordless authentication for the root user.
There is even a script provided by the initial installation process mysql_secure_installation, which configures these settings.

There were also some comments on this here

To clarify: I don't want any local user (not even root) to be able to connect to the database directly using unix_socket without issuing a password. This is because I set up encryption-at-rest and it would not add too much extra security if one can 'root' the machine and easily circumvent this encryption (by just logging in as root using the unix_socket).

Some weaknesses using this mechanism are documented here as well.

With the arguments I've introduced, the end-user can still choose which path to go, which from my perspective is pretty neat - what do you think?

@fauust
Owner

fauust commented May 16, 2024

Ok, so, I am in favor of giving as much flexibility to users as possible, but I am wondering if there is not a misunderstanding of what unix_socket authentication is.

Am I understanding correctly that in your setup the root user can't read (or write) the MariaDB data directory (/var/lib/mysql usually)? If that's not the case and the root user has read/write access to the datadir, then adding password authentication does not add any extra security (it's the contrary, actually).

If that's the case, then I understand your point and I am curious about some pointers on how you achieve that (encryption-at-rest?).

@hektor1966

Another reason for the little change is that it allows you to administer remote databases that are only accessible via the network, e.g. managed services in the cloud. We would like to use the role for MySQL services in Azure, but we cannot because only socket communication is possible.

@fauust
Owner

fauust commented Jul 28, 2025

Hi @hektor1966!
I am willing to consider this again and you are right there might be some use case where this feature makes sense.

Just out of curiosity, you mention "MySQL services in Azure": are you using MariaDB or MySQL? In the latter case, I recommend you use another Ansible role that might be more compatible with MySQL. My role is specifically targeting MariaDB and I am not sure that it will work with MySQL (no testing is done with MySQL).

Also, the new feature would call for new testing, so, before making the change I need to implement the corresponding testing which might require more time.

@fauust
Owner

fauust commented Nov 4, 2025

I have checked this again, sorry for the delay.

And I really do not understand the use case. This role is for deploying MariaDB with Ansible. If you don't have ssh access to the instance that will run MariaDB (thus access to the socket), why would you use that role in the first place?

If what you need is to configure a remote MariaDB instance, it seems much simpler to create a playbook that configures the DB remotely using the community.mysql.mysql_user|database modules.

I am still not convinced that this is a relevant change worth considering. I would not have any way to test it and I did not get any response to my previous question. I'll close this unless someone comes with good arguments.
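The two paths discussed in this thread side by side, as an added example that is not part of the role or of this PR: a remote instance configured over TCP with a password-authenticated admin account, and a locally deployed instance administered through the unix_socket. Hostnames, inventory groups, variable names and the socket path are placeholders/assumptions.

```yaml
# Added example (not the role's code). Hostnames, variables and credentials
# are placeholders; passwords are expected to come from Ansible Vault.
---
- name: Create a database and user on a remote MariaDB instance (no SSH, TCP only)
  hosts: localhost
  gather_facts: false
  vars:
    mariadb_host: db.example.internal          # placeholder
    mariadb_admin_user: dbadmin                # placeholder, password-authenticated admin
    mariadb_admin_password: "{{ vault_mariadb_admin_password }}"
  tasks:
    - name: Ensure the application database exists
      community.mysql.mysql_db:
        name: appdb
        state: present
        login_host: "{{ mariadb_host }}"
        login_user: "{{ mariadb_admin_user }}"
        login_password: "{{ mariadb_admin_password }}"
      no_log: true   # keep credentials out of the play output

    - name: Ensure the application user exists with least privilege on that database
      community.mysql.mysql_user:
        name: appuser
        host: "%"
        password: "{{ vault_appuser_password }}"
        priv: "appdb.*:SELECT,INSERT,UPDATE,DELETE"
        state: present
        login_host: "{{ mariadb_host }}"
        login_user: "{{ mariadb_admin_user }}"
        login_password: "{{ mariadb_admin_password }}"
      no_log: true

- name: Same operation on a locally deployed MariaDB using unix_socket authentication
  hosts: db_servers            # placeholder inventory group, reached over SSH
  become: true                 # OS root maps to the MariaDB root account via unix_socket
  tasks:
    - name: Ensure the application database exists (no password needed)
      community.mysql.mysql_db:
        name: appdb
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock   # assumed Debian/Ubuntu socket path
```

The remote play is the alternative the comment above proposes when there is no shell access to the database host; the local play is what the role's existing socket-based flow relies on.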

@hektor1966

Thank you for your help and work. We will solve it differently.
