* do not force type of gatewayports-var
this way it can be a bool or a string. we also now test for it
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* replace yum with dnf
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).
MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.
ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.
Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf
This role is shown as a user, it has however a new is_role-flag.
MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User | Host | is_role |
+-----------------------+-----------+---------+
| mariadb.sys | localhost | N |
| root | localhost | N |
| mysql | localhost | N |
| PUBLIC | | Y |
| monitoring | % | N |
| monitoring | localhost | N |
| galera_mariadb_backup | % | N |
+-----------------------+-----------+---------+
Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add check mode to molecule tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* execute tasks in check mode
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix error in check mode on SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use when condition on task
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use rowcount to determine mysql results
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use correct list level
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove json_query
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove intermediate vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add check for count
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* drop condition, since one result must exist
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move rowcount in condition
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* do loop in ansible to report each deleted user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add idempotency check
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* additional tests to verify user deletion
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* actually iterate the whole user list when deleting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix tests for SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* adopt suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Fix molecule tests for EL7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* try to fix tests in centos 7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* try to fix tests in centos 7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: dev-sec CI <hello@dev-sec.io>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
these settings are probably not necessary (geerlingguys images dont have them either)
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add verify-task to check if mysql is running and enabled
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/mysql_hardening/verify_tasks/service.yml
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* Include Debian 11 into Molecule test suites (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix Ansible Lint GitHub Action version (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Update .gitignore
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* mysql_hardening: Use Python 3 as Ansible interpreter (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Note Debian 11 support for os_hardening & nginx_hardening (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix lint issues & Ansible Lint configuration in CI
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Try to fix YAML lint issues, again
Re-ordered YAML comments at the end of `.yamllint` file.
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* rm debian9 from tests, add debian 11 where missing
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix mysql molecule tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
install collection in molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
remove deprecated ubuntu 16.04 from tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
