From 927dbfa88921bf6f0e05a29c217144c912734aa7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 18:03:07 +0200 Subject: [PATCH] MySQL: adapt users on distribution For Jessie, there is a "debian-sys-maint", that we're using to create "mysqladmin" for root, then delete "root". For Stretch, the is a "root" without assword, so we create both "mysqladmin" for root and "debian-sys-maint" for Debian scripts, then delete "root". --- mysql/tasks/main.yml | 6 +- mysql/tasks/{users.yml => users_jessie.yml} | 10 +-- mysql/tasks/users_stretch.yml | 90 +++++++++++++++++++++ mysql/tasks/utils.yml | 26 ++++-- 4 files changed, 115 insertions(+), 17 deletions(-) rename mysql/tasks/{users.yml => users_jessie.yml} (86%) create mode 100644 mysql/tasks/users_stretch.yml diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 273960a9..ca3f0571 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -2,7 +2,11 @@ - include: packages.yml -- include: users.yml +- include: users_stretch.yml + when: ansible_distribution_release == "stretch" + +- include: users_jessie.yml + when: ansible_distribution_release == "jessie" - include: config.yml diff --git a/mysql/tasks/users.yml b/mysql/tasks/users_jessie.yml similarity index 86% rename from mysql/tasks/users.yml rename to mysql/tasks/users_jessie.yml index 82c9b213..4d225317 100644 --- a/mysql/tasks/users.yml +++ b/mysql/tasks/users_jessie.yml @@ -46,14 +46,8 @@ - name: remove root user mysql_user: name: root - #host_all: yes - host: "{{ item }}" - config_file: "/etc/mysql/debian.cnf" + host_all: yes + config_file: "/root/.my.cnf" state: absent - with_items: - - "localhost" - - "127.0.0.1" - - "::1" - - "{{ ansible_hostname }}" tags: - mysql diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml new file mode 100644 index 00000000..0a3238eb --- /dev/null +++ b/mysql/tasks/users_stretch.yml 
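Review bot: In `mysql/tasks/main.yml`, neither `users_*.yml` include runs when `ansible_distribution_release` is anything other than "jessie" or "stretch", so on such a host the play continues to `config.yml` with whatever accounts the package ships still in place, and no task reports that account hardening was skipped. Add an explicit guard ahead of the two includes, for example `- fail: msg="mysql role: unsupported release {{ ansible_distribution_release }}"` with `when: ansible_distribution_release not in ["jessie", "stretch"]`. That makes an unsupported release stop the play instead of leaving the default "root" account untouched.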
@@ -0,0 +1,90 @@
+---
+
+# dependency for mysql_user and mysql_db
+
+- name: python-mysqldb is installed (Ansible dependency)
+ apt:
+ name: python-mysqldb
+ state: present
+ tags:
+ - mysql
+
+- name: create a password for mysqladmin
+ shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'
+ register: mysql_admin_password
+ changed_when: False
+ tags:
+ - mysql
+
+- name: there is a mysqladmin user
+ mysql_user:
+ name: mysqladmin
+ password: '{{ mysql_admin_password.stdout }}'
+ priv: "*.*:ALL,GRANT"
+ update_password: on_create
+ state: present
+ config_file: "/etc/mysql/debian.cnf"
+ register: create_mysqladmin_user
+ tags:
+ - mysql
+
+- name: mysqladmin is the default user
+ ini_file:
+ dest: /root/.my.cnf
+ mode: "0600"
+ section: client
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: yes
+ with_items:
+ - { option: 'user', value: 'mysqladmin' }
+ - { option: password, value: '{{ mysql_admin_password.stdout }}' }
+ when: create_mysqladmin_user.changed
+ tags:
+ - mysql
+
+
+- name: create a password for debian-sys-maint
+ shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'
+ register: mysql_debian_password
+ changed_when: False
+ tags:
+ - mysql
+
+- name: there is a debian-sys-maint user
+ mysql_user:
+ name: debian-sys-maint
+ password: '{{ mysql_debian_password.stdout }}'
+ priv: "*.*:ALL,GRANT"
+ update_password: on_create
+ state: present
+ config_file: "/root/.my.cnf"
+ register: create_debian_user
+ tags:
+ - mysql
+
+- name: store debian-sys-maint user credentials
+ ini_file:
+ dest: /etc/mysql/debian.cnf
+ mode: "0600"
+ section: "{{ item[0] }}"
+ option: '{{ item[1].option }}'
+ value: '{{ item[1].value }}'
+ create: yes
+ with_nested:
+ - [ "client", "mysql_upgrade" ]
+ - [ { option: 'user', value: 'debian-sys-maint' },
+ { option: password, value: '{{ mysql_debian_password.stdout }}' }
+ ]
+ when: create_debian_user.changed
+ tags:
+ - mysql
+
+- name: remove root user
+ mysql_user:
+ name: root
+ host_all: yes
+ config_file: "/root/.my.cnf"
+ state: absent
+ tags:
+ - mysql
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index 58faeee4..262dcd0f 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@@ -1,7 +1,24 @@ --- +- name: Ensure /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + state: directory + tags: + - mysql + # mytop +# mytop is installed with MariaB +# the package has been removed of Stretch repositories +- name: Is mytop available ? + command: which mytop + failed_when: False + changed_when: False + check_mode: no + register: which_mytop + - name: Install mytop apt: name: mytop
@@ -10,6 +27,7 @@ - packages - mytop - mysql + when: which_mytop.rc != 0 - name: Read debian-sys-maint password shell: cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3
@@ -91,14 +109,6 @@ - include: remount_usr_rw.yml when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") -- name: Ensure /usr/share/scripts exists - file: - dest: /usr/share/scripts - mode: "0700" - state: directory - tags: - - mysql - - name: Install my-add.sh copy: src: my-add.sh
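Review bot: Both `ini_file` loops in `users_stretch.yml` iterate over items that contain the generated password, and Ansible prints each loop item in the task result, so the mysqladmin and debian-sys-maint passwords land in the play output and in any log that captures it. Set `no_log: true` on the two `ini_file` tasks, the two `mysql_user` tasks and the two `create a password` tasks. The passwords come from perl's `rand()`, which perl's own documentation describes as not cryptographically secure, so their strength is bounded by the generator's seed rather than by the 16 characters. Reading the kernel generator instead, e.g. `shell: tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16`, keeps the same alphabet and length. A fresh password is also generated on every run but only stored `when: create_*_user.changed`, so a failure between account creation and the `ini_file` write leaves credentials that later runs never record; that deserves a comment or a recovery path.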
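Review bot: In `utils.yml`, the `Ensure /usr/share/scripts exists` task now runs at the top of the file, ahead of the `remount_usr_rw.yml` include that the last hunk shows it used to follow. On a host where /usr is mounted read-only, which that include suggests is expected, the directory creation would fail before the remount happens. Keep the task after the include, or move the include up with it. The new `Is mytop available ?` task would benefit from a comment saying that `failed_when: False` is deliberate because a non-zero `which` exit is the expected "not installed" answer, and `MariaB` in the added comment looks like a typo for MariaDB.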
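Review bot: `when: which_mytop.rc != 0` reads a variable registered by a task that carries no tags, while `Install mytop` is tagged `packages`, `mytop` and `mysql`. A run limited with `--tags` to any of those skips the `which` task, and the condition then fails on an undefined `which_mytop`. Give the `Is mytop available ?` task the same three tags, or write the condition as `when: which_mytop is not defined or which_mytop.rc != 0`. The task list continues outside this hunk.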