feat: use socket authentication for root account on linux modern mysq…

…l versions

Since MariaDB 10.4 / MySQL 8.4, the root mysql user is configured to use
`unix_socket` instead of password authentication. No password is privisioned
at MariaDB installation time for the root user.

Using socket authentication is recommended and considered a good security
practice.
cf. https://mariadb.com/kb/en/authentication-from-mariadb-10-4/
cf. https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html

Fix geerlingguy#550
Fix geerlingguy#522
Fix geerlingguy#431
Fix geerlingguy#421

molecule/default/converge.yml

@@ -11,6 +11,20 @@
       ansible.builtin.command: "mysql -u root -proot -e 'show databases;'"
       changed_when: false
 
-    - name: Make sure we can connect to MySQL via TCP.
+    - name: Make sure we can connect to MySQL via TCP on old MySQL version.
       ansible.builtin.command: "mysql -u root -proot -h 127.0.0.1 -e 'show databases;'"
+      register: result
       changed_when: false
+      failed_when:
+        - result.rc != 0 and not (
+            ansible_system == "Linux" and (
+              (mysql_cli_version is version('8.0.34', '>=') and mysql_daemon == 'mysql') or
+              (mysql_cli_version is version('10.4', '>=') and mysql_daemon == 'mariadb')
+            )
+          )
+        - result.rc == 0 and (
+            ansible_system == "Linux" and (
+              (mysql_cli_version is version('8.0.34', '>=') and mysql_daemon == 'mysql') or
+              (mysql_cli_version is version('10.4', '>=') and mysql_daemon == 'mariadb')
+            )
+          )

tasks/secure-installation.yml

@@ -38,14 +38,31 @@
   check_mode: false
   when: mysql_install_packages | bool or mysql_root_password_update
 
+# Note: We do not use mysql_user for this operation, as it doesn't always update
+# the root password correctly. See: https://goo.gl/MSOejW
+# Set root password for MySQL >= 8.4 and MariaDB ≥ 10.4
+- name: Update MySQL root authentication via socket for localhost (Linux, MySQL >= 8.4)
+  ansible.builtin.shell: >
+    mysql -u root -NBe
+    "ALTER USER '{{ mysql_root_username }}'@'{{ item }}'
+     IDENTIFIED {{ (mysql_daemon == 'mariadb') | ternary('VIA unix_socket', 'WITH auth_socket') }}; FLUSH PRIVILEGES;"
+  no_log: "{{ mysql_hide_passwords }}"
+  with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+  when:
+    - (mysql_install_packages | bool) or mysql_root_password_update
+    - ansible_system == "Linux"
+    - (mysql_cli_version is version('8.0.34', '>=') and mysql_daemon == 'mysql') or
+      (mysql_cli_version is version('10.4', '>=') and mysql_daemon == 'mariadb')
+
 # Note: We do not use mysql_user for this operation, as it doesn't always update
 # the root password correctly. See: https://goo.gl/MSOejW
 # Set root password for 5.7.x. ≤ MySQL < 8.4 and MariaDB ≥ 10.4
 - name: Update MySQL root password for localhost root account (5.7.x ≤ MySQL < 8.4)
   ansible.builtin.shell: >
     mysql -u root -NBe
     "ALTER USER '{{ mysql_root_username }}'@'{{ item }}'
-     IDENTIFIED WITH mysql_native_password BY '{{ mysql_root_password }}'; FLUSH PRIVILEGES;"
+     IDENTIFIED {{ (mysql_daemon == 'mariadb') | ternary('VIA', 'WITH') }} mysql_native_password
+     BY '{{ mysql_root_password }}'; FLUSH PRIVILEGES;"
   no_log: "{{ mysql_hide_passwords }}"
   with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
   when:

templates/root-my.cnf.j2

@@ -2,4 +2,11 @@
 
 [client]
 user="{{ mysql_root_username }}"
+{% if ansible_system == "Linux" and (
+        (mysql_cli_version is version('8.4', '>=') and mysql_daemon == 'mysql') or
+        (mysql_cli_version is version('10.4', '>=') and mysql_daemon == 'mariadb')
+      ) %}
+socket={{ mysql_socket }}
+{% else %}
 password="{{ mysql_root_password }}"
+{% endif %}