Merge pull request geerlingguy#188 from geerlingguy/BlackMesh-run_as_non_root

geerlingguy · web-flow · commit 6912cbd0e1c8 · 2016-12-16T11:42:02.000-05:00
More correctly and automatically support running the role as a user other than root
diff --git a/README.md b/README.md
@@ -18,12 +18,16 @@ No special requirements; note that this role requires root access, so either run
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
     mysql_user_home: /root
+    mysql_user_name: root
+    mysql_user_password: root
 
-The home directory inside which Python MySQL settings will be stored, which Ansible will use when connecting to MySQL. This should be the home directory of the user which runs this Ansible role.
+The home directory inside which Python MySQL settings will be stored, which Ansible will use when connecting to MySQL. This should be the home directory of the user which runs this Ansible role. The `mysql_user_name` and `mysql_user_password` can be set if you are running this role under a non-root user account and want to set a non-root user.
 
+    mysql_root_home: /root
+    mysql_root_username: root
     mysql_root_password: root
 
-The MySQL root user account password.
+The MySQL root user account details.
 
     mysql_root_password_update: no
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,10 +1,18 @@
 ---
+# Set this to the user ansible is logging in as - should have root
+# or sudo access
 mysql_user_home: /root
+mysql_user_name: root
+mysql_user_password: root
+
+# The default root user installed by mysql - almost always root
+mysql_root_home: /root
 mysql_root_username: root
 mysql_root_password: root
 
 # Set this to `yes` to forcibly update the root password.
 mysql_root_password_update: no
+mysql_user_password_update: no
 
 mysql_enabled_on_startup: yes
 
diff --git a/tasks/secure-installation.yml b/tasks/secure-installation.yml
@@ -4,17 +4,36 @@
   register: mysql_cli_version
   changed_when: false
 
+- name: Ensure default user is present.
+  mysql_user:
+    name: "{{ mysql_user_name }}"
+    host: 'localhost'
+    password: "{{ mysql_user_password }}"
+    priv: '*.*:ALL,GRANT'
+    state: present
+  when: mysql_user_name != mysql_root_username
+
+# Has to be after the password assignment, for idempotency.
+- name: Copy user-my.cnf file with password credentials.
+  template:
+    src: "user-my.cnf.j2"
+    dest: "{{ mysql_user_home }}/.my.cnf"
+    owner: "{{ mysql_user_name }}"
+    mode: 0600
+  when: mysql_user_name != mysql_root_username and (mysql_install_packages | bool or mysql_user_password_update)
+
 - name: Disallow root login remotely
   command: 'mysql -NBe "{{ item }}"'
   with_items:
-    - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+    - DELETE FROM mysql.user WHERE User='{{ mysql_root_username }}' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
   changed_when: false
 
 - name: Get list of hosts for the root user.
-  command: mysql -NBe 'SELECT Host FROM mysql.user WHERE User = "root" ORDER BY (Host="localhost") ASC'
+  command: mysql -NBe "SELECT Host FROM mysql.user WHERE User = '{{ mysql_root_username }}' ORDER BY (Host='localhost') ASC"
   register: mysql_root_hosts
   changed_when: false
   always_run: true
+  when: mysql_install_packages | bool or mysql_root_password_update
 
 # Note: We do not use mysql_user for this operation, as it doesn't always update
 # the root password correctly. See: https://goo.gl/MSOejW
@@ -29,19 +48,20 @@
 # Set root password for MySQL < 5.7.x.
 - name: Update MySQL root password for localhost root account (< 5.7.x).
   shell: >
-    mysql -u root -NBe
+    mysql -NBe
     'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}");'
   with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
   when: ((mysql_install_packages | bool) or mysql_root_password_update) and ('5.7.' not in mysql_cli_version.stdout)
 
 # Has to be after the root password assignment, for idempotency.
 - name: Copy .my.cnf file with root password credentials.
   template:
-    src: "user-my.cnf.j2"
-    dest: "{{ mysql_user_home }}/.my.cnf"
+    src: "root-my.cnf.j2"
+    dest: "{{ mysql_root_home }}/.my.cnf"
     owner: root
     group: root
     mode: 0600
+  when: mysql_install_packages | bool or mysql_root_password_update
 
 - name: Get list of hosts for the anonymous user.
   command: mysql -NBe 'SELECT Host FROM mysql.user WHERE User = ""'
diff --git a/templates/root-my.cnf.j2 b/templates/root-my.cnf.j2
@@ -0,0 +1,3 @@
+[client]
+user={{ mysql_root_username }}
+password={{ mysql_root_password }}
diff --git a/templates/user-my.cnf.j2 b/templates/user-my.cnf.j2
@@ -1,3 +1,3 @@
 [client]
-user={{ mysql_root_username }}
-password="{{ mysql_root_password }}"
+user={{ mysql_user_name }}
+password={{ mysql_user_password }}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[client]`
	`2`	`+user={{ mysql_root_username }}`
	`3`	`+password={{ mysql_root_password }}`