Root db access (#68)

configure mysql root user. New variable which is True by default: {{ slurm_manage_mysql_security }}
fgci-org · Nov 10, 2016 · 4ab0539 · 4ab0539
1 parent cf4e967
commit 4ab0539
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 3 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -27,6 +27,12 @@ slurm_service_packages:
 
 admingroup: "admin"
 
+# Overwrite DB_root_password in your vars file if you want to 
+# use a different password for root and slurm user
+DB_root_password: "{{ slurm_mysql_password }}"
+# Disable mysql security tasks by setting slurm_manage_mysql_security to False
+slurm_manage_mysql_security: True
+
 # If the current node is a nis server, make sure the slurm user and
 # group exist
 nis_server: False

diff --git a/tasks/dbd.yml b/tasks/dbd.yml
@@ -22,11 +22,46 @@
   - name: wait for mysql in port 3306 to start
     wait_for: port=3306 delay=10 timeout=60
 
+  - name: Set root sql user password
+    # If .my.cnf already exists, this will cause an mysql-root-password update.
+    # check_implicit_admin means it tries without password first
+    mysql_user:
+      name: root
+      password: "{{ DB_root_password}}"
+      check_implicit_admin: true
+      host: "{{ item }}"
+    with_items:
+       - "::1"
+       - "127.0.0.1"
+       - "localhost"
+    when: slurm_manage_mysql_security
+
+  - name: template .my.cnf
+    template:
+     src: ".my.cnf.j2"
+     dest: "/root/.my.cnf"
+     owner: root
+     group: root
+     mode: 0600
+    when: slurm_manage_mysql_security
+
+  - name: delete anonymous sql server user for localhost
+    mysql_user: user="" state=absent
+    when: slurm_manage_mysql_security
+
+  - name: remove the mysql test database
+    mysql_db: db=test state=absent
+    when: slurm_manage_mysql_security
+
   - name: create slurm acct db
     mysql_db: name=slurm_acct_db state=present
+    when: slurm_manage_mysql_security
 
   - name: create slurm sql user
-    mysql_user: "name=slurm state=present"
+    mysql_user: 
+     name: slurm 
+     state: present 
+     password: "{{ slurm_mysql_password }}"
     register: mysqlslurmuser
     ignore_errors: yes
     tags: debug
@@ -37,11 +72,21 @@
     changed_when: False
 
   - name: ensure slurm sql user has a password and privileges if it does not exist or if it was just added
-    mysql_user: "name=slurm password={{ slurm_mysql_password }} priv=slurm_acct_db.*:ALL state=present update_password=always"
+    mysql_user: 
+     name: slurm
+     password: "{{ slurm_mysql_password }}"
+     priv: "slurm_acct_db.*:ALL"
+     state: present 
+     update_password: always
     when: mysqlslurmuser|failed or mysqlslurmuser|changed
 
   - name: template in slurmdbd.conf
-    template: src=slurmdbd.conf.j2 dest=/etc/slurm/slurmdbd.conf owner=root mode=0640 backup=yes
+    template: 
+     src: slurmdbd.conf.j2 
+     dest: /etc/slurm/slurmdbd.conf 
+     owner: root 
+     mode: 0640 
+     backup: yes
     notify:
       - restart slurmdbd
 

diff --git a/templates/.my.cnf.j2 b/templates/.my.cnf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[client]
+user=root
+password={{ DB_root_password }}