Commit b53d61ad authored by Chad Heuschober's avatar Chad Heuschober

Adds meta state and also deals with the default password security issue.

parent e9534ffe
......@@ -15,6 +15,10 @@ Available states
.. contents::
:local:
``mysql``
Meta-state that includes all server packages in the correct order.
``mysql.client``
----------------
......@@ -25,13 +29,27 @@ Install the MySQL client package.
Install the MySQL server package and start the service.
Debian OS family supports setting MySQL root password during install via debconf.
Debian OS family supports setting MySQL root password during install via
debconf.
.. note::
If no root password is provided in the pillar, a random one will
be created. As-of Hydrogen, this password uses the Python ``random``
module via ``test.rand_str``. As ``random`` is considered
cryptographically insecure, future formula versions should use the
newly available ``random.get_str`` method.
``mysql.database``
------------------
Create and manage MySQL databases.
``mysql.python``
------------------
Install mysql python bindings.
``mysql.user``
----------------
......
{% from "mysql/map.jinja" import mysql with context %}
{% set mysql_root_pass = salt['pillar.get']('mysql:server:root_password', salt['test.rand_str'](64)) %}
{% set db_states = [] %}
include:
- mysql.python
{% for database in salt['pillar.get']('mysql:database', []) %}
mysql_db_{{ database }}:
{% set state_id = 'mysql_db_' ~ loop.index0 %}
{{ state_id }}:
mysql_database.present:
- name: {{ database }}
- host: localhost
- connection_user: root
- connection_pass: '{{ salt['pillar.get']('mysql:server:root_password', 'somepass') }}'
- connection_pass: '{{ mysql_root_pass }}'
- connection_charset: utf8
{% endfor %}
{% do db_states.append(state_id) %}
{% endfor %}
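Review bot: The random fallback on the `mysql_root_pass` line cannot match the password the server was actually given. When `mysql:server:root_password` is absent from the pillar, `salt['test.rand_str'](64)` yields a fresh value each time this file is rendered, unrelated to the one generated in the server state, so `connection_pass` will presumably fail to authenticate. A missing password is better treated as an explicit error here, e.g. `{% set mysql_root_pass = salt['pillar.get']('mysql:server:root_password') %}` with the database states skipped or failed when it is empty. The documentation note in this same commit also says `test.rand_str` is built on Python's non-cryptographic `random`, so it should not be the source of a root credential in any case.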
{% from 'mysql/database.sls' import db_states with context %}
{% from 'mysql/user.sls' import user_states with context %}
{% macro requisites(type, states) %}
{%- for state in states %}
- {{ type }}: {{ state }}
{%- endfor -%}
{% endmacro %}
include:
- mysql.server
- mysql.database
- mysql.user
{% if (db_states|length() + user_states()) > 0 %}
extend:
mysqld:
service:
- require_in:
{{ requisites(db_states) }}
{{ requisites(user_states) }}
{% for state in user_states %}
{{ state }}:
mysql_user:
- require:
sls: mysql.database
{% endfor %}
{% endif %}
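Review bot: The guard `(db_states|length() + user_states()) > 0` calls `user_states` as if it were a function, but it is imported as a list, so rendering would likely fail; `{% if (db_states|length + user_states|length) > 0 %}` is what seems intended. The two `requisites(...)` calls also pass a single argument to a macro declared as `requisites(type, states)`, so `type` receives the list and `states` is undefined. Each call needs the requisite type first, presumably `requisites('mysql_database', db_states)` and `requisites('mysql_user', user_states)`. Indentation is lost on this page, but `sls: mysql.database` under `- require:` appears to be missing its list dash (`- sls: mysql.database`).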
{% from "mysql/map.jinja" import mysql with context %}
mysql-python:
mysql_python:
pkg:
- installed
- name: {{ mysql.python }}
{% from "mysql/map.jinja" import mysql with context %}
{% set mysql_root_password = salt['pillar.get']('mysql:server:root_password', 'somepass') %}
{% set os = salt['grains.get']('os', None) %}
{% set os_family = salt['grains.get']('os_family', None) %}
{% if grains['os'] in ['Ubuntu', 'Debian'] %}
mysql-debconf:
{% if 'mysql:server:root_password' in pillar %}
{% set mysql_root_password = pillar['mysql:server:root_password'] %}
{% else %}
mysql_missing_root_password:
test.configurable_test_state:
- name: mysql_missing_root_password
- changes: False
- result: False
- comment: 'MySQL pillar is missing root password data. A random password will be used.'
{% set mysql_root_password = salt['test.rand_str](64) %}
{% endif %}
{% endif %}
{% if os in ['Ubuntu', 'Debian'] %}
mysql_debconf:
debconf.set:
- name: mysql-server
- data:
'mysql-server/root_password': {'type': 'password', 'value': '{{ mysql_root_password }}'}
'mysql-server/root_password_again': {'type': 'password', 'value': '{{ mysql_root_password }}'}
'mysql-server/start_on_boot': {'type': 'boolean', 'value': 'true'}
{% elif grains['os'] in ['CentOS'] %}
mysql-root-password:
cmd:
- run
- require_in:
- pkg: mysqld
{% if 'mysql:server:root_password' not in pillar %}
- require:
- test: mysql_missing_root_password
{% endif %}
{% elif os == 'CentOS' %}
mysql_root_password:
cmd.run:
- name: mysqladmin --user root password '{{ mysql_root_password|replace("'", "'\"'\"'") }}'
- unless: mysql --user root --password='{{ mysql_root_password|replace("'", "'\"'\"'") }}' --execute="SELECT 1;"
- require:
- service: mysqld
{% if 'mysql:server:root_password' not in pillar %}
- test: mysql_missing_root_password
{% endif %}
{% for host in ['localhost', grains['fqdn']] %}
mysql-delete-anonymous-user-{{ host }}:
{% for host in ['localhost', salt['grains.get']('fqdn')] %}
mysql_delete_anonymous_user_{{ host }}:
mysql_user:
- absent
- host: {{ host }}
......@@ -28,47 +52,37 @@ mysql-delete-anonymous-user-{{ host }}:
- connection_pass: {{ mysql_root_password }}
- require:
- service: mysqld
- pkg: mysql-python
- pkg: mysql_python
{%- if mysql_root_password %}
- cmd: mysql-root-password
- cmd: mysql_root_password
{%- endif %}
{% endfor %}
{% endif %}
mysqld:
pkg:
- installed
pkg.installed:
- name: {{ mysql.server }}
{% if grains['os'] in ['Ubuntu', 'Debian'] %}
{% if os in ['Ubuntu', 'Debian'] %}
- require:
- debconf: mysql-debconf
- debconf: mysql_debconf
{% endif %}
service:
- running
service.running:
- name: {{ mysql.service }}
- enable: True
- watch:
- pkg: mysqld
{% if grains['os'] in ['Ubuntu', 'Debian', 'Gentoo', 'CentOS'] %}
my.cnf:
mysql_config:
file.managed:
- name: {{ mysql.config }}
- source: salt://mysql/files/{{ grains['os'] }}-my.cnf
- user: root
- group: root
- mode: 644
- template: jinja
- watch_in:
- service: mysqld
{% endif %}
{% if grains['os'] in 'FreeBSD' %}
my.cnf:
file.managed:
- name: {{ mysql.config }}
{% if os in ['Ubuntu', 'Debian', 'Gentoo', 'CentOS'] %}
- source: salt://mysql/files/{{ os }}-my.cnf
- user: root
- group: root
- mode: 644
{% elif os == 'FreeBSD' %}
- source: salt://mysql/files/my-{{ mysql.mysql_size }}.cnf
- template: jinja
- watch_in:
- service: mysqld
{% endif %}
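Review bot: The random-password branch has a Jinja syntax error: `salt['test.rand_str](64)` is missing the closing quote and should read `{% set mysql_root_password = salt['test.rand_str'](64) %}`. The membership test `'mysql:server:root_password' in pillar` also looks wrong, because the colon-delimited path is only understood by `pillar.get` and the pillar itself is a nested dict. The test would then always be false and a configured password would be ignored, so `salt['pillar.get']('mysql:server:root_password', None)` is the safer lookup; the same test recurs in both `require` blocks further down. The generated password is also never persisted or reported and is regenerated on each render, and `mysql_missing_root_password` is declared with `result: False`, so states that require it would presumably be blocked rather than run with the random value.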
{% from "mysql/map.jinja" import mysql with context %}
{% set user_states = [] %}
include:
- mysql.python
{% for user in salt['pillar.get']('mysql:user', []) %}
mysql_user_{{ user['name'] }}:
{% set state_id = 'mysql_user_' ~ loop.index0 %}
{{ state_id }}:
mysql_user.present:
- name: {{ user['name'] }}
- host: {{ user['host'] }}
......@@ -19,10 +22,9 @@ mysql_user_{{ user['name'] }}:
- connection_charset: utf8
{% for db in user['databases'] %}
{% set name = user['name'] ~ '_' ~ db['database'] %}
mysql_user_{{ name }}:
{{ state_id ~ '_' ~ loop.index0 }}:
mysql_grants.present:
- name: {{ name }}
- name: {{ user['name'] ~ '_' ~ db['database'] }}
- grant: {{db['grants']|join(",")}}
- database: {{ db['database'] }}.*
- user: {{ user['name'] }}
......@@ -35,6 +37,7 @@ mysql_user_{{ name }}:
- mysql_user: {{ user['name'] }}
{% endfor %}
{% do user_states.append(state_id) %}
{% endfor %}