manage root pass fix saltstack-formulas#120, saltstack-formulas#124

probably also apply to saltstack-formulas#104, saltstack-formulas#106

.gitignore

@@ -1,2 +1,3 @@
 *.pyc
+*.swp
 *~

README.rst

@@ -116,3 +116,21 @@ Install the MySQL development libraries and header files.
     your pillar data accordingly.
 
 
+``mysql.root_my_cnf``
+---------------------
+
+Store the root password in clear text in ``/root/.my.cnf`` on the mysql server, chmod 600.
+Used by ``mysql.change_root_password``. You must set ``enable_root_my_cnf`` at True in the pillar.
+
+.. note::
+    Note that this state is included by the mysql.server, and so in mysql meta-state.
+
+
+``mysql.change_root_password``
+------------------------------
+
+Change all user ``root`` with the password field in the pillar ``mysql_root_password``.
+Recreate ``/root/.my.cnf``, with the new password. If call directly don't check ``enable_root_my_cnf`` True
+
+.. note::
+    salt '*' saltutil.refresh_pillar

mysql/change_root_password.sls

@@ -0,0 +1,42 @@
+# vim: set ft=jinja:
+#
+# Mysql - MariaDB formula for changing root password.
+#
+# Note: as root password is required to changed root password for mysql
+#       (without restarting the server with  --skip-grant-tables) this formula require .my.cnf
+#       See: root_my_cnf.sls
+#       Other magical case are not handled.
+#
+# The previous password must be stored in ~/.my.cnf (even empty)
+# See: root_my_cnf.sls
+
+# TODO: DRY this bloc in a common file for every state
+{% from "mysql/defaults.yaml" import rawmap with context %}
+{%- set mysql = salt['grains.filter_by'](rawmap, grain='os', merge=salt['pillar.get']('mysql:lookup')) %}
+{% set os = salt['grains.get']('os', None) %}
+{% set os_family = salt['grains.get']('os_family', None) %}
+{% set mysql_root_user = salt['pillar.get']('mysql:server:root_user', 'root') %}
+{% set mysql_root_password = salt['pillar.get']('mysql:server:root_password', salt['grains.get']('server_id')) %}
+{% set mysql_host = salt['pillar.get']('mysql:server:host', 'localhost') %}
+{% set mysql_salt_user = salt['pillar.get']('mysql:salt_user:salt_user_name', mysql_root_user) %}
+{% set mysql_salt_password = salt['pillar.get']('mysql:salt_user:salt_user_password', mysql_root_password) %}
+
+# DONT do fancy password with double quote, nor starting or ending with space
+{% set escaped_root_pass = mysql_root_password|replace("'", "''") %}
+{% set my_cnf = '/root/.my.cnf' %}
+
+# WARNING: no double quote in the query
+{% set query = """
+UPDATE user SET password = password('" ~ escaped_root_pass ~ "') WHERE user = 'root';
+FLUSH PRIVILEGES;
+""" %}
+change_all_root_pass:
+  cmd.run:
+    - name: mysql --defaults-file={{ my_cnf }} -e "{{ query|replace("\n", '') }}" mysql
+    - unless: grep -q "\<{{ escaped_root_pass }}$" {{ my_cnf }}
+    - require_in:
+      - file: mysql_root_my_cnf
+
+# recreate /root/.my.cnf
+include:
+  - mysql.root_my_cnf

mysql/init.sls

@@ -16,6 +16,9 @@ include:
 {% if mysql_dev %}
   - mysql.dev
 {% endif %}
+{% if salt['pillar.get']('mysql:server:enable_root_my_cnf', False) %}
+  - mysql.change_root_password
+{% endif %}
 
 
 {% if (db_states|length() + user_states|length()) > 0 %}

mysql/mysql_root_my_cnf.sls

@@ -0,0 +1,10 @@
+# This create a passwordless access for root
+mysql_root_my_cnf:
+  file.managed:
+    - name: /root/.my.cnf
+    - source: salt://mysql/files/root-my.cnf
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 600
+    - create: True

mysql/root_my_cnf.sls

@@ -0,0 +1,30 @@
+#
+# This create a passwordless access for root
+# See: https://github.com/saltstack-formulas/mysql-formula/issues/120 for discussion about security
+#
+#
+# Usage: salt-call mysql.root_my_cnf
+
+mysql_root_my_cnf:
+  file.managed:
+    - name: /root/.my.cnf
+    - source: salt://mysql/files/root-my.cnf
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 600
+    - create: True
+
+# This use above config file to store mysql's root password for salt
+mysql_minion_root_my_cnf:
+  file.managed:
+    - name: /etc/salt/minion.d/55-mysql-cnf.conf
+    # use quote for the content
+    - contents:
+      - "mysql.default_file: '/root/.my.cnf'"
+    - user: root
+    - group: root
+    - mode: 600
+    - create: True
+    - require:
+      - file: mysql_root_my_cnf

mysql/server.sls

@@ -2,6 +2,9 @@
 include:
   - mysql.config
   - mysql.python
+{% if salt['pillar.get']('mysql:server:enable_root_my_cnf', False) %}
+  - mysql.root_my_cnf
+{% endif %}
 
 {% from "mysql/defaults.yaml" import rawmap with context %}
 {%- set mysql = salt['grains.filter_by'](rawmap, grain='os', merge=salt['pillar.get']('mysql:lookup')) %}
@@ -107,25 +110,3 @@ mysql_additional_config:
     - watch_in:
       - service: mysqld
 
-# This create a passwordless access for root
-mysql_root_my_cnf:
-  file.managed:
-    - name: /root/.my.cnf
-    - source: salt://mysql/files/root-my.cnf
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: 600
-    - create: True
-
-# This use above config file to store mysql's root password for salt
-mysql_minion_root_my_cnf:
-  file.managed:
-    - name: /etc/salt/minion.d/55-mysql-cnf.conf
-    # use quote for the content
-    - contents:
-      - "mysql.default_file: '/root/.my.cnf'"
-    - user: root
-    - group: root
-    - mode: 600
-    - create: True

pillar.example

@@ -18,6 +18,8 @@ mysql:
     # Use this account for database admin (defaults to root)
     root_user: 'admin'
     # root_password: '' - to have root@localhost without password
+    # enable_root_my_cnf (defaut: False) will store root password into chmod 600 /root/.my.cnf
+    enable_root_my_cnf: True
     root_password: 'somepass'
     root_password_hash: '*13883BDDBE566ECECC0501CDE9B293303116521A'
     user: mysql