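--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,6 +58,16 @@ jobs:
 playbook: converge-mariadb.yml
 - distro: debian13
 playbook: converge-mariadb.yml
+include:
+# Regression test that sets a non-root default user. Targets MariaDB
+# 10.4+. Only test a selection of recent distros since it is overkill
+# to test this on all versions.
+- distro: rockylinux10
+playbook: converge-mariadb-nonroot.yml
+- distro: ubuntu2604
+playbook: converge-mariadb-nonroot.yml
+- distro: debian13
+playbook: converge-mariadb-nonroot.yml
 
 steps:
 - name: Check out the codebase.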
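--- a/molecule/default/converge-mariadb-nonroot.yml
+++ b/molecule/default/converge-mariadb-nonroot.yml
@@ -0,0 +1,37 @@
+---
+- name: Converge (MariaDB, non-root user)
+hosts: all
+vars:
+# Use a non-root management user to exercise the "Ensure default user is
+# present" code path in secure-installation.yml, which requires the role to
+# connect to MariaDB as root to create the user.
+mysql_user_name: ansible
+mysql_user_password: ansible
+mysql_user_home: /home/ansible
+
+pre_tasks:
+- name: Create the management user that mysql_user_name refers to.
+ansible.builtin.user:
+name: "{{ mysql_user_name }}"
+create_home: true
+
+# On Debian/Ubuntu the role defaults to Oracle MySQL (vars/Debian.yml).
+# Override here to install MariaDB instead. RedHat-based distros and newer
+# Debian versions already default to MariaDB in their OS-specific vars files
+# and are excluded from the CI matrix for this playbook.
+- name: Set MariaDB packages for Debian/Ubuntu.
+ansible.builtin.set_fact:
+mysql_daemon: mariadb
+mysql_packages:
+- mariadb-server
+- mariadb-client
+- python3-pymysql
+when: ansible_facts.os_family == 'Debian'
+
+roles:
+- role: geerlingguy.mysql
+
+post_tasks:
+- name: Make sure we can connect to MariaDB via Unix socket.
+ansible.builtin.command: "mysql -u root -e 'show databases;'"
+changed_when: false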
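Review bot: The single post-task only proves that root can still connect over the socket, so the play never checks that the `ansible` account was actually created and can authenticate. That is the code path this regression test exists to cover. A follow-up task such as `- name: Make sure the non-root user can connect.` with `ansible.builtin.command: "mysql --defaults-file={{ mysql_user_home }}/.my.cnf -e 'select 1;'"` and `changed_when: false` would close the gap, assuming the role writes the client credentials under `mysql_user_home`. Separately, the comment above the set_fact task says RedHat-based distros and newer Debian versions are excluded from the CI matrix for this playbook, yet the workflow change in this PR runs it on rockylinux10 and debian13. That sentence looks carried over from another playbook and should be reworded.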
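--- a/tasks/secure-installation.yml
+++ b/tasks/secure-installation.yml
@@ -6,6 +6,17 @@
 password: "{{ mysql_user_password }}"
 priv: '*.*:ALL,GRANT'
 state: present
+# On MariaDB >= 10.4 on Linux, root@localhost authenticates via the
+# unix_socket plugin rather than a password. This task needs to run before
+# /root/.my.cnf is written, so there are no stored credentials to fall back
+# on. But we can connect via the Unix socket as the OS root user.
+# See: https://mariadb.org/authentication-in-mariadb-10-4/
+login_unix_socket: >-
+{{ mysql_socket
+if (ansible_facts.system == 'Linux' and
+mysql_daemon == 'mariadb' and
+mysql_cli_version is version('10.4', '>='))
+else omit }}
 no_log: "{{ mysql_hide_passwords }}"
 when: mysql_user_name != mysql_root_username
 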
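Review bot: The `login_unix_socket` condition keys on `mysql_cli_version`, which by its name is the client's reported version, whereas unix_socket authentication for root@localhost depends on how the server's root account is configured. On a server upgraded in place from before 10.4, or one where root was switched to password authentication, the socket login may still be rejected. The comment should state that assumption, for example `# Assumes root@localhost still uses the default unix_socket plugin (fresh 10.4+ install).`. The task begins above the hunk, so it is not visible whether `login_user` is set or whether the task runs as the OS root user; both are needed for the socket path to authenticate as root.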