mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 01:04:13 +00:00
do not try to drop roles in mysql hardening
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).

MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however, we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case. ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful; however, it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.

Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf

This role is shown as a user; it has, however, a new is_role flag.

    MariaDB [(none)]> select user, host, is_role from mysql.user;
    +-----------------------+-----------+---------+
    | User                  | Host      | is_role |
    +-----------------------+-----------+---------+
    | mariadb.sys           | localhost | N       |
    | root                  | localhost | N       |
    | mysql                 | localhost | N       |
    | PUBLIC                |           | Y       |
    | monitoring            | %         | N       |
    | monitoring            | localhost | N       |
    | galera_mariadb_backup | %         | N       |
    +-----------------------+-----------+---------+

Since this "user" does not have a password or authentication_string, the ansible role tries to delete it but fails.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
This commit is contained in:
parent
cd572de55a
commit
0bf528d83b
2 changed files with 5 additions and 2 deletions
|
@ -12,4 +12,5 @@
|
|||
- "CREATE USER 'user'@'192.168.0.2' IDENTIFIED BY 'keep';"
|
||||
- "CREATE USER 'user'@'keep' IDENTIFIED BY 'keep';"
|
||||
- "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
|
||||
- "CREATE ROLE 'keep';"
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
|
|
|
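Review bot: the fixture gains `CREATE ROLE 'keep';`, but nothing in this hunk verifies afterwards that the role is still present once the hardening tasks have run, so a regression back to deleting (or trying to delete) roles would only show up as a failing task rather than as an explicit test failure. Suggest adding a check to the test verification that `SELECT user FROM mysql.user WHERE user='keep' AND is_role='Y'` still returns a row, mirroring what is presumably done for the `'user'@'...'` accounts that carry the same `keep` marker.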
@ -55,7 +55,8 @@
|
|||
OR authentication_string="")
|
||||
AND USER NOT IN ('mysql.sys',
|
||||
'mysqlxsys',
|
||||
'mariadb.sys');
|
||||
'mariadb.sys')
|
||||
AND IS_ROLE='N';
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_users_wo_passwords_or_auth_string
|
||||
check_mode: false
|
||||
|
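Review bot: `AND IS_ROLE='N';` is added unconditionally, while the commit message itself says the MySQL 8 side still "need[s] to verify". If the connected server's `mysql.user` table has no `IS_ROLE` column, this SELECT fails with an unknown-column error and the whole run stops, which is worse than the failed DELETE this change is meant to avoid. Before merging, run the task against MySQL 8 as well as MariaDB; if the column is missing there, select the filter per detected variant (keep `AND IS_ROLE='N'` only where the column exists) instead of hard-coding it in the shared query.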
@ -75,7 +76,8 @@
|
|||
OR authentication_string="")
|
||||
AND USER NOT IN ('mysql.sys',
|
||||
'mysqlxsys',
|
||||
'mariadb.sys');
|
||||
'mariadb.sys')
|
||||
AND IS_ROLE='N';
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_users_wo_passwords
|
||||
check_mode: false
|
||||
|
|
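Review bot: the visible part of this query is now identical to the one registered as `mysql_users_wo_passwords_or_auth_string` above (`OR authentication_string=""`, the same three-name `USER NOT IN (...)` list, and the same `AND IS_ROLE='N'`), so every future exclusion has to be applied in two places and the two registered results may well be the same set. Suggest confirming that the lines preceding these two hunks actually differ and, if they do not, collapsing to a single query; if they must stay separate, move the system-account list and the role filter into one variable so both tasks reference the same definition.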