From bbc554bbe33546cfa39fb66f3c0b7888e25183a4 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Mon, 15 Feb 2021 19:54:30 +0200 Subject: [PATCH] Use admin user instead of root for galera It's bad practise to adjust root by setting password for it because it might result in broken operations. Also it's not recommended thing to do by MariaDB developers. Thus we change default `galera_root_user` value to `admin` and remove previously created root as the upgrade step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/775893 Change-Id: I71618be1fee281f399f78058bd83dc3d3c904f74 --- inventory/group_vars/all/infra.yml | 2 +- playbooks/galera-install.yml | 2 +- playbooks/healthcheck-infrastructure.yml | 4 ++++ playbooks/setup-infrastructure.yml | 2 +- releasenotes/notes/galera_root_user-43c292688ddc4f1d.yaml | 5 +++++ 5 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/galera_root_user-43c292688ddc4f1d.yaml diff --git a/inventory/group_vars/all/infra.yml b/inventory/group_vars/all/infra.yml index 2b399b7e07..f238f6c132 100644 --- a/inventory/group_vars/all/infra.yml +++ b/inventory/group_vars/all/infra.yml @@ -33,7 +33,7 @@ rabbitmq_policies: ## Galera options galera_client_package_state: "{{ package_state }}" galera_address: "{{ internal_lb_vip_address }}" -galera_root_user: "root" +galera_root_user: "admin" ## Memcached options memcached_port: 11211 diff --git a/playbooks/galera-install.yml b/playbooks/galera-install.yml index 93e0d8e824..22ce71ac04 100644 --- a/playbooks/galera-install.yml +++ b/playbooks/galera-install.yml @@ -49,7 +49,7 @@ when: "groups['haproxy'] | default([]) | length > 0" - role: "galera_server" vars: - galera_install_client: true + galera_install_client: "{{ (galera_root_user == 'root') }}" galera_install_server: true - role: haproxy_endpoints haproxy_state: enabled 
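Review bot: Changing the default of `galera_root_user` to `admin` leaves the existing `'root'@'%'` account in place on upgraded clusters, and no hunk in this patch removes it; the release note only says it "can be removed". The health checks pair `galera_root_user` with the unchanged `galera_root_password`, so the old account presumably stays valid with the same credential, from any host, until an operator drops it. I would record that next to the variable, e.g. `# Changing this does not drop the old 'root'@'%' account; remove it once the upgrade completes.` It is also worth confirming that the Depends-On change performs the removal the commit message describes.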
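Review bot: `galera_install_client` is now keyed on the literal user name `'root'`, and the hunk does not say why. A deployment that sets `galera_root_user` to any other name no longer gets the client installed by this role on the galera hosts, which may or may not be intended. A comment above the var would make the intent reviewable, for example `# install the client on galera hosts only while the legacy root account is used`, if that is the intent. Adding `| bool` to the expression would make the resulting type explicit. The roles list starts and ends outside the hunk.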
diff --git a/playbooks/healthcheck-infrastructure.yml b/playbooks/healthcheck-infrastructure.yml index 326a307b6d..cc9e2dafc4 100644 --- a/playbooks/healthcheck-infrastructure.yml +++ b/playbooks/healthcheck-infrastructure.yml @@ -164,6 +164,7 @@ - name: Wait for cluster ready state command: | mysql -h {{ ansible_host }} \ + -u "{{ galera_root_user | default('root') }}" \ -p"{{ galera_root_password }}" \ -e "show status like 'wsrep_incoming_addresses';" \ --silent \ @@ -181,6 +182,7 @@ - name: Wait for cluster ready state command: | mysql -h {{ ansible_host }} \ + -u "{{ galera_root_user | default('root') }}" \ -p"{{ galera_root_password }}" \ -e "show status like 'wsrep_incoming_addresses';" \ --silent \ @@ -194,6 +196,7 @@ - name: Check cluster local state command: | mysql -h {{ ansible_host }} \ + -u "{{ galera_root_user | default('root') }}" \ -p"{{ galera_root_password }}" \ -e "show status like 'wsrep_local_state_comment';" \ --silent \ @@ -206,6 +209,7 @@ - name: Check cluster evs state command: | mysql -h {{ ansible_host }} \ + -u "{{ galera_root_user | default('root') }}" \ -p"{{ galera_root_password }}" \ -e "show status like 'wsrep_evs_state';" \ --silent \ diff --git a/playbooks/setup-infrastructure.yml b/playbooks/setup-infrastructure.yml index b66a7e44e0..899a765213 100644 --- a/playbooks/setup-infrastructure.yml +++ b/playbooks/setup-infrastructure.yml @@ -16,11 +16,11 @@ - import_playbook: unbound-install.yml - import_playbook: repo-install.yml - import_playbook: haproxy-install.yml -- import_playbook: utility-install.yml - import_playbook: memcached-install.yml - import_playbook: galera-install.yml - import_playbook: qdrouterd-install.yml - import_playbook: rabbitmq-install.yml +- import_playbook: utility-install.yml - import_playbook: etcd-install.yml - import_playbook: ceph-install.yml - import_playbook: ceph-nfs-install.yml 
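Review bot: The fallback in `-u "{{ galera_root_user | default('root') }}"` disagrees with the new default of `admin` in `inventory/group_vars/all/infra.yml`, so if the variable is ever undefined the check authenticates as the account this change retires. Use `default('admin')`, or drop the filter so an unset variable fails loudly; the same line is added in all four hunks of this file. Separately, these tasks pass the privileged password on the command line via `-p`, and the hunks do not show whether `no_log: true` is set on them, which is worth confirming while the lines are being touched. Each task continues past the end of its hunk.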
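Review bot: Moving `utility-install.yml` below `galera-install.yml` and `rabbitmq-install.yml` introduces an ordering requirement that the file does not record. If, as the move suggests, the utility playbook now depends on the database account created by the galera playbook, a later reshuffle of this list would break it without any hint. A comment above the moved line would do, e.g. `# must run after galera-install.yml (uses the galera admin account)`, with the reason adjusted to the real one.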
diff --git a/releasenotes/notes/galera_root_user-43c292688ddc4f1d.yaml b/releasenotes/notes/galera_root_user-43c292688ddc4f1d.yaml new file mode 100644 index 0000000000..f99cb51ba7 --- /dev/null +++ b/releasenotes/notes/galera_root_user-43c292688ddc4f1d.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Galera privileged username has changed from ``root`` to ``admin``. Old + 'root'@'%' user can be removed after upgrade process.