feat: use socket authentication as default for root

[Al-thi]

This is an attempt to allow the root account to use socket authentication instead of password authentication.

Socket authentication is the new default for both MariaDB and MySQL on modern versions.

The current role configuration causes authentication problems for the root account, cf. issues:

• remove anonymous user in mysql_secure_installation fails with error 1045 #550
• secure-installation fails on RHEL8 at remove test database. #522
• Access denied warnings with MariaDB 10.3 on Ubuntu 20.04 #431
• init scripts & unix_socket authentication broken on Debian 10 #421

I've had authentication problems too, with the following message on every mysq_db and mysql_user tasks:

2024-09-30 19:45:59,235 (item={'name': '[REDACTED]', 'password': '[REDACTED]', 'priv': '[MY_DB_NAME].*:ALL/mysql.*:SELECT,SHOW VIEW/*.*:BINLOG ADMIN'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "[REDACTED]", "password": "[REDACTED]", "priv": "[MY_DB_NAME].*:ALL/mysql.*:SELECT,SHOW VIEW/*.*:BINLOG ADMIN"}, "msg": "unable to connect to database, check login_user and login_password are correct or /root/.my.cnf has the credentials. Exception message: (1698, \"Access denied for user 'root'@'localhost'\")"}

As this socket authentication is only effective on recent MySQL (≥ 8.4) / MariaDB (≥ 10.4) versions, this PR also refactors the version parsing by:

• extracting the interesting part of the mysql --version standard output
• using ansible version filter instead of substring detection (with {{ 'something' in my_string }} ansible variable)

Finally, as there was some linting warnings, I also included syntax fixes in the 3 last commits.

Please tell me what you think of this :)
Thank you for your time and your amazing work.
Regards.

[brunick]

Hi @Al-thi , i've had this problem with my newest install as well, but i also got in some trouble trying you branch.

  - name: Run mysql --version
      ansible.builtin.command: 'mysql --version'
      register: mysql_cli_version
      changed_when: false
      check_mode: false

this does not apply to newest mariadb version, as those throw deprecation warning in their response of using mysql instead of mariadb:

mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
mysql from 11.4.4-MariaDB, client 15.2 for Linux (x86_64) using  EditLine wrapper

could you update the script, to check for mysql vs mariadb and use mariadb if installed?
cheers
Edit: this is on Rocky Linux 9.5

[Al-thi]

@brunick Could you run the following command please:

ls -l $(which mysql)

I have seen many different configurations with some mysql binaries being symlinks to mariadb, other with plain mysql binaries which are in fact mariadb .... It's a mess really 😓

EDIT: could you please try the latest version ? It should run mariadb --version instead of mysql --version for rockylinux.

[brunick]

@brunick Could you run the following command please:

ls -l $(which mysql)

I have seen many different configurations with some mysql binaries being symlinks to mariadb, other with plain mysql binaries which are in fact mariadb .... It's a mess really 😓

EDIT: could you please try the latest version ? It should run mariadb --version instead of mysql --version for rockylinux.

Hey @Al-thi,

[root@mysql-server]# ls -l $(which mysql)
lrwxrwxrwx 1 root root 7 30. Okt 18:40 /usr/bin/mysql -> mariadb

[Al-thi]

@brunick did you try the latest version ?

[brunick]

@brunick did you try the latest version ?

not yet, i had to create a workaround to get my server up'n'running

i actually "only" had to add a root user with permissions to connect from 127.0.0.1 with a password.