From d629e87ac6be31fcaef21c711d4e7620bf42d4ae Mon Sep 17 00:00:00 2001 From: Sylvain as root Date: Fri, 17 Jun 2016 15:19:02 +0200 Subject: [PATCH] manage root pass fix #120, #124 probably also apply to #104, #106 --- .gitignore | 1 + README.rst | 18 +++++++++++++++ mysql/change_root_password.sls | 42 ++++++++++++++++++++++++++++++++++ mysql/init.sls | 3 +++ mysql/mysql_root_my_cnf.sls | 10 ++++++++ mysql/root_my_cnf.sls | 30 ++++++++++++++++++++++++ mysql/server.sls | 25 +++----------------- pillar.example | 2 ++ 8 files changed, 109 insertions(+), 22 deletions(-) create mode 100644 mysql/change_root_password.sls create mode 100644 mysql/mysql_root_my_cnf.sls create mode 100644 mysql/root_my_cnf.sls diff --git a/.gitignore b/.gitignore index f3d74a9a..50d7a764 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.pyc +*.swp *~ diff --git a/README.rst b/README.rst index 2a8bbbc1..7d9ad4db 100644 --- a/README.rst +++ b/README.rst @@ -116,3 +116,21 @@ Install the MySQL development libraries and header files. your pillar data accordingly. +``mysql.root_my_cnf`` +--------------------- + +Store the root password in clear text in ``/root/.my.cnf`` on the mysql server, chmod 600. +Used by ``mysql.change_root_password``. You must set ``enable_root_my_cnf`` at True in the pillar. + +.. note:: + Note that this state is included by the mysql.server, and so in mysql meta-state. + + +``mysql.change_root_password`` +------------------------------ + +Change all user ``root`` with the password field in the pillar ``mysql_root_password``. +Recreate ``/root/.my.cnf``, with the new password. If call directly don't check ``enable_root_my_cnf`` True + +.. note:: + salt '*' saltutil.refresh_pillar diff --git a/mysql/change_root_password.sls b/mysql/change_root_password.sls new file mode 100644 index 00000000..c8668a23 --- /dev/null +++ b/mysql/change_root_password.sls 
@@ -0,0 +1,42 @@
+# vim: set ft=jinja:
+#
+# Mysql - MariaDB formula for changing root password.
+#
+# Note: as root password is required to changed root password for mysql
+# (without restarting the server with --skip-grant-tables) this formula require .my.cnf
+# See: root_my_cnf.sls
+# Other magical case are not handled.
+#
+# The previous password must be stored in ~/.my.cnf (even empty)
+# See: root_my_cnf.sls
+
+# TODO: DRY this bloc in a common file for every state
+{% from "mysql/defaults.yaml" import rawmap with context %}
+{%- set mysql = salt['grains.filter_by'](rawmap, grain='os', merge=salt['pillar.get']('mysql:lookup')) %}
+{% set os = salt['grains.get']('os', None) %}
+{% set os_family = salt['grains.get']('os_family', None) %}
+{% set mysql_root_user = salt['pillar.get']('mysql:server:root_user', 'root') %}
+{% set mysql_root_password = salt['pillar.get']('mysql:server:root_password', salt['grains.get']('server_id')) %}
+{% set mysql_host = salt['pillar.get']('mysql:server:host', 'localhost') %}
+{% set mysql_salt_user = salt['pillar.get']('mysql:salt_user:salt_user_name', mysql_root_user) %}
+{% set mysql_salt_password = salt['pillar.get']('mysql:salt_user:salt_user_password', mysql_root_password) %}
+
+# DONT do fancy password with double quote, nor starting or ending with space
+{% set escaped_root_pass = mysql_root_password|replace("'", "''") %}
+{% set my_cnf = '/root/.my.cnf' %}
+
+# WARNING: no double quote in the query
+{% set query = """
+UPDATE user SET password = password('" ~ escaped_root_pass ~ "') WHERE user = 'root';
+FLUSH PRIVILEGES;
+""" %}
+change_all_root_pass:
+ cmd.run:
+ - name: mysql --defaults-file={{ my_cnf }} -e "{{ query|replace("\n", '') }}" mysql
+ - unless: grep -q "\<{{ escaped_root_pass }}$" {{ my_cnf }}
+ - require_in:
+ - file: mysql_root_my_cnf
+
+# recreate /root/.my.cnf
+include:
+ - mysql.root_my_cnf
diff --git a/mysql/init.sls b/mysql/init.sls
index bc56035d..19cb2677 100644
--- a/mysql/init.sls
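Review bot: The root password is expanded into a double-quoted shell argument on the `- name:` line of `change_all_root_pass`, so the `replace("'", "''")` above only protects the SQL layer while `$`, backticks and `\` in the password are still interpreted by the shell, and the whole command line (password included) shows up in `ps`, the minion log and the job return on the master. Pass the SQL on stdin and keep it out of the log instead: `- name: mysql --defaults-file={{ my_cnf }} mysql`, `- stdin: "{{ query|replace('\n', ' ') }}"`, `- output_loglevel: quiet` (the double-quote/backslash caveat in the comment still applies to the YAML quoting). The `- unless:` grep has the same exposure and treats the password as a regex, so `.`, `*` or `[` in it can match a different line and silently skip the change — compare a fixed string with `grep -qF` against the exact line the root-my.cnf template writes. Also, `mysql_root_user` is read at the top but the query hard-codes `WHERE user = 'root'`, and `mysql.user.password`/`PASSWORD()` do not exist on MySQL 5.7+ (`authentication_string`, `ALTER USER`), so a comment stating which server versions this state supports would save the next person a failed highstate.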
+++ b/mysql/init.sls @@ -16,6 +16,9 @@ include: {% if mysql_dev %} - mysql.dev {% endif %} +{% if salt['pillar.get']('mysql:server:enable_root_my_cnf', False) %} + - mysql.change_root_password +{% endif %} {% if (db_states|length() + user_states|length()) > 0 %} diff --git a/mysql/mysql_root_my_cnf.sls b/mysql/mysql_root_my_cnf.sls new file mode 100644 index 00000000..1463e042 --- /dev/null +++ b/mysql/mysql_root_my_cnf.sls @@ -0,0 +1,10 @@ +# This create a passwordless access for root +mysql_root_my_cnf: + file.managed: + - name: /root/.my.cnf + - source: salt://mysql/files/root-my.cnf + - template: jinja + - user: root + - group: root + - mode: 600 + - create: True diff --git a/mysql/root_my_cnf.sls b/mysql/root_my_cnf.sls new file mode 100644 index 00000000..bc50c23f --- /dev/null +++ b/mysql/root_my_cnf.sls @@ -0,0 +1,30 @@ +# +# This create a passwordless access for root +# See: https://github.com/saltstack-formulas/mysql-formula/issues/120 for discussion about security +# +# +# Usage: salt-call mysql.root_my_cnf + +mysql_root_my_cnf: + file.managed: + - name: /root/.my.cnf + - source: salt://mysql/files/root-my.cnf + - template: jinja + - user: root + - group: root + - mode: 600 + - create: True + +# This use above config file to store mysql's root password for salt +mysql_minion_root_my_cnf: + file.managed: + - name: /etc/salt/minion.d/55-mysql-cnf.conf + # use quote for the content + - contents: + - "mysql.default_file: '/root/.my.cnf'" + - user: root + - group: root + - mode: 600 + - create: True + - require: + - file: mysql_root_my_cnf diff --git a/mysql/server.sls b/mysql/server.sls index 06199026..20fc3030 100644 --- a/mysql/server.sls +++ b/mysql/server.sls 
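Review bot: The new `mysql/mysql_root_my_cnf.sls` declares the same state ID `mysql_root_my_cnf` that `mysql/root_my_cnf.sls` in this patch also declares, and nothing in the diff includes it; Salt rejects a run that pulls in both files with "Detected conflicting IDs", so anyone who lists this file next to `mysql.server` gets a render error instead of the credential file. Either drop this file or reduce it to `include:` / `  - mysql.root_my_cnf` so the cleartext `/root/.my.cnf` is defined in exactly one place.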
@@ -2,6 +2,9 @@ include: - mysql.config - mysql.python +{% if salt['pillar.get']('mysql:server:enable_root_my_cnf', False) %} + - mysql.root_my_cnf +{% endif %} {% from "mysql/defaults.yaml" import rawmap with context %} {%- set mysql = salt['grains.filter_by'](rawmap, grain='os', merge=salt['pillar.get']('mysql:lookup')) %} @@ -107,25 +110,3 @@ mysql_additional_config: - watch_in: - service: mysqld -# This create a passwordless access for root -mysql_root_my_cnf: - file.managed: - - name: /root/.my.cnf - - source: salt://mysql/files/root-my.cnf - - template: jinja - - user: root - - group: root - - mode: 600 - - create: True - -# This use above config file to store mysql's root password for salt -mysql_minion_root_my_cnf: - file.managed: - - name: /etc/salt/minion.d/55-mysql-cnf.conf - # use quote for the content - - contents: - - "mysql.default_file: '/root/.my.cnf'" - - user: root - - group: root - - mode: 600 - - create: True diff --git a/pillar.example b/pillar.example index 335d8766..53107726 100644 --- a/pillar.example +++ b/pillar.example @@ -18,6 +18,8 @@ mysql: # Use this account for database admin (defaults to root) root_user: 'admin' # root_password: '' - to have root@localhost without password + # enable_root_my_cnf (defaut: False) will store root password into chmod 600 /root/.my.cnf + enable_root_my_cnf: True root_password: 'somepass' root_password_hash: '*13883BDDBE566ECECC0501CDE9B293303116521A' user: mysql
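Review bot: With `enable_root_my_cnf` unset (the default, per the pillar.example hunk) the new include is skipped, but a `/root/.my.cnf` and `/etc/salt/minion.d/55-mysql-cnf.conf` already written by the previous unconditional version of this file (the states removed in the next hunk) are left on disk with the old cleartext password and nothing ever rotates or removes them. Either add a note in the README that upgraders must set the flag or remove the files by hand, or add an `{% else %}` branch with `file.absent` for both paths so the flag actually controls whether the credential file exists.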