From 36d2d030adb16613d1b12a06d73f16104575bce2 Mon Sep 17 00:00:00 2001
From: ptomas-adacis
Date: Tue, 28 Nov 2023 16:09:02 +0100
Subject: [PATCH 1/2] Hide passwords during execution
---
README.md | 6 ++++++
defaults/main.yml | 2 ++
tasks/replication.yml | 3 +++
tasks/secure-installation.yml | 5 +++++
tasks/users.yml | 2 +-
5 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9f780572..e44ed6b6 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,12 @@ Replication settings. Set `mysql_server_id` and `mysql_replication_role` by serv
If the replication master has different IP addresses where you are running ansible and where the mysql replica is running, you can *optionally* specify a `mysql_replication_master_inventory_host` to access the machine (e.g. you run ansible on your local machine, but the mysql master and replica need to communicate on a different network)
+```yaml
+mysql_hide_passwords: false
+```
+
+Do you need to hide tasks' output which contain passwords during the execution ?
+
### Later versions of MySQL on CentOS 7
If you want to install MySQL from the official repository instead of installing the system default MariaDB equivalents, you can add the following `pre_tasks` task in your playbook:
diff --git a/defaults/main.yml b/defaults/main.yml
index 49110da9..97bf8751 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -132,3 +132,5 @@ mysql_replication_master_inventory_host: "{{ mysql_replication_master }}"
# Same keys as `mysql_users` above.
mysql_replication_user: []
+
+mysql_hide_passwords: false
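Review bot: Shipping `mysql_hide_passwords: false` as the default turns the tasks/users.yml hunk, which replaces the previous unconditional `no_log: true` with this variable, into a regression: `mysql_users` passwords that were always hidden before are now printed unless every consumer of the role sets the variable. Defaulting to the safe side, `mysql_hide_passwords: true`, keeps the old behaviour and lets a user opt out when debugging. The new key should also carry a comment saying what it gates, e.g. `# Apply no_log to the tasks that handle MySQL passwords (users, root, replication).`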
diff --git a/tasks/replication.yml b/tasks/replication.yml
index c1099071..5e835857 100644
--- a/tasks/replication.yml
+++ b/tasks/replication.yml
@@ -6,6 +6,7 @@
password: "{{ mysql_replication_user.password }}"
priv: "{{ mysql_replication_user.priv | default('*.*:REPLICATION SLAVE,REPLICATION CLIENT') }}"
state: present
+ no_log: "{{ mysql_hide_passwords }}"
when:
- mysql_replication_role == 'master'
- mysql_replication_user.name is defined
@@ -17,6 +18,7 @@
mode: getreplica
login_user: "{{ mysql_root_username }}"
login_password: "{{ mysql_root_password }}"
+ no_log: "{{ mysql_hide_passwords }}"
ignore_errors: true
register: slave
when:
@@ -43,6 +45,7 @@
master_password: "{{ mysql_replication_user.password }}"
master_log_file: "{{ master.File }}"
master_log_pos: "{{ master.Position }}"
+ no_log: "{{ mysql_hide_passwords }}"
ignore_errors: true
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Replica is defined and not slave.Is_Replica) or (slave.Is_Slave is not defined and slave.Is_Replica is not defined and slave is failed)
diff --git a/tasks/secure-installation.yml b/tasks/secure-installation.yml
index 22487dbe..eab960b1 100644
--- a/tasks/secure-installation.yml
+++ b/tasks/secure-installation.yml
@@ -6,6 +6,7 @@
password: "{{ mysql_user_password }}"
priv: '*.*:ALL,GRANT'
state: present
+ no_log: "{{ mysql_hide_passwords }}"
when: mysql_user_name != mysql_root_username
# Has to be after the password assignment, for idempotency.
@@ -15,6 +16,7 @@
dest: "{{ mysql_user_home }}/.my.cnf"
owner: "{{ mysql_user_name }}"
mode: 0600
+ no_log: "{{ mysql_hide_passwords }}"
when: >
mysql_user_name != mysql_root_username
and (mysql_install_packages | bool or mysql_user_password_update)
@@ -44,6 +46,7 @@
mysql -u root -NBe
"ALTER USER '{{ mysql_root_username }}'@'{{ item }}'
IDENTIFIED WITH mysql_native_password BY '{{ mysql_root_password }}'; FLUSH PRIVILEGES;"
+ no_log: "{{ mysql_hide_passwords }}"
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
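Review bot: In this hunk and the following `SET PASSWORD` one the root password is interpolated verbatim into the shell command text, so a failed task or a `-v` run prints it as part of `cmd`, and with `mysql_hide_passwords` defaulting to `false` in defaults/main.yml that is the shipped behaviour. These two `ansible.builtin.shell` tasks are where hiding matters most, because the password is part of the command rather than a module argument; keeping them at an unconditional `no_log: true`, or defaulting the variable to `true`, avoids exposing the root password on every failure. Worth a one-line comment above them as well, e.g. `# Password is embedded in the command; no_log only hides Ansible's own output.` The task definitions begin before this hunk.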
@@ -54,6 +57,7 @@
ansible.builtin.shell: >
mysql -NBe
'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}"); FLUSH PRIVILEGES;'
+ no_log: "{{ mysql_hide_passwords }}"
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
@@ -67,6 +71,7 @@
owner: root
group: root
mode: 0600
+ no_log: "{{ mysql_hide_passwords }}"
when: mysql_install_packages | bool or mysql_root_password_update
- name: Get list of hosts for the anonymous user.
diff --git a/tasks/users.yml b/tasks/users.yml
index 75265ea4..c5c8d87a 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -9,4 +9,4 @@
append_privs: "{{ item.append_privs | default('no') }}"
encrypted: "{{ item.encrypted | default('no') }}"
with_items: "{{ mysql_users }}"
- no_log: true
+ no_log: "{{ mysql_hide_passwords }}"
From b04a0ca23105e9b410f61a051477e0414be4928a Mon Sep 17 00:00:00 2001
From: ptomas-adacis
Date: Tue, 5 Dec 2023 11:56:28 +0100
Subject: [PATCH 2/2] Workaround for
https://github.com/ansible/ansible/issues/82264
---
tasks/replication.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/replication.yml b/tasks/replication.yml
index 5e835857..bb25959c 100644
--- a/tasks/replication.yml
+++ b/tasks/replication.yml
@@ -26,10 +26,11 @@
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']
+# https://github.com/ansible/ansible/issues/82264
- name: Check master replication status.
mysql_replication:
mode: getprimary
- delegate_to: "{{ mysql_replication_master_inventory_host }}"
+ delegate_to: "{{ mysql_replication_master_inventory_host | default(omit, true) }}"
register: master
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Replica is defined and not slave.Is_Replica) or (slave.Is_Slave is not defined and slave.Is_Replica is not defined and slave is failed)
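Review bot: The added comment is only a bare issue URL; a maintainer reading the task should not have to follow the link to learn why `delegate_to` is now omitted. Suggest `# Omit delegate_to when no master inventory host is set; presumably an empty string is not a usable delegate target (ansible/ansible#82264).` Since `mysql_replication_master_inventory_host` defaults to `mysql_replication_master` in defaults/main.yml, an empty master now runs this task on the target itself instead of delegating, which appears intended but should be confirmed against the task's `when` list, which continues past the end of the hunk.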