mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
0bf528d83b
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify). MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case. ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in. Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf This role is shown as a user, it has however a new is_role-flag. MariaDB [(none)]> select user, host, is_role from mysql.user; +-----------------------+-----------+---------+ | User | Host | is_role | +-----------------------+-----------+---------+ | mariadb.sys | localhost | N | | root | localhost | N | | mysql | localhost | N | | PUBLIC | | Y | | monitoring | % | N | | monitoring | localhost | N | | galera_mariadb_backup | % | N | +-----------------------+-----------+---------+ Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails. Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> |
||
|---|---|---|
| .. | ||
| apache_hardening@41bd7d7e9d | ||
| mysql_hardening | ||
| nginx_hardening | ||
| os_hardening | ||
| ssh_hardening | ||
| windows_hardening@41e8a1893c | ||