Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
do not try to drop roles in mysql hardening
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify). MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case. ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in. Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf This role is shown as a user, it has however a new is_role-flag. MariaDB [(none)]> select user, host, is_role from mysql.user; +-----------------------+-----------+---------+ | User | Host | is_role | +-----------------------+-----------+---------+ | mariadb.sys | localhost | N | | root | localhost | N | | mysql | localhost | N | | PUBLIC | | Y | | monitoring | % | N | | monitoring | localhost | N | | galera_mariadb_backup | % | N | +-----------------------+-----------+---------+ Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails. Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
- Loading branch information