```ruby
mariadb_server_install 'MariaDB Server install' do
  version '10.5'
  setup_repo false
  password 'adminpassword'
  action [:install, :create]
end

service 'mariadb' do
  action [:start, :enable]
end

mariadb_server_configuration 'MariaDB Server configuration' do
  version '10.5'
  notifies :restart, 'service[mariadb]'
end

# Create the test user with password 'secret'
mariadb_user 'test_user' do
  password 'secret'
  action :create
end

# Create the test database
mariadb_database 'test_db' do
  action :create
end

# Grant privileges to test user
mariadb_user 'test_user' do
  database_name 'test_db'
  privileges [:all]
  action :grant
end
```
Run Chef Client
Access the database as the test user without the password
vagrant@TEST-debian-11:~$ mysql -h localhost -u test_user
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 10.5.12-MariaDB-0+deb11u1-log Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
See that it works without a password
Access the database as the test user with the password
vagrant@TEST-debian-11:~$ mysql -hlocalhost -utest_user -p secret
ERROR 1045 (28000): Access denied for user 'test_user'@'localhost'
(using password: YES)
vagrant@TEST-debian-11:~
See that it didn't work.
Expected behavior
The connection in step 4 should be refused.
The connection in step 6 should succeed.
Additional context
It seems the password is reset every time when the mariadb_user resource is used to grant a permission. If you repeat the password every time in the code, the recipe will work as expected. This behavior is unexpected as it doesn't comply with the DRY design pattern (don't repeat yourself) and leads to redundant code. In case of complex database permission scenarios (multiple users with privileges on multiple databases), it is thus likely to omit the password property at the relevant place, leading to an unprotected database.
The modification of the password during account creation action :create should be separated from the database permission actions :grant and :revoke.
Brief Description
When granting privileges to a database for a user, the user's password is changed.
Cookbook version
5.2.3
Chef-Infra Version
16.16.13
Platform details
Debian 11
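A way to audit recipes for the pattern reported above, as an added example that is not part of the original report or the cookbook: it flags every `mariadb_user` resource whose action includes `:grant` or `:revoke` but which sets no `password` property. The function name `find_passwordless_grants` and the sample recipe are constructed for illustration, and the scan assumes resources are written as flat `do ... end` blocks with no nested blocks.

```ruby
# Added example: static check for mariadb_user grant/revoke resources without a password.
RESOURCE_START = /^\s*mariadb_user\s+['"]([^'"]+)['"]\s+do\s*$/
RESOURCE_END   = /^\s*end\s*$/
PASSWORD_PROP  = /^\s*password[\s(]/
ACTION_PROP    = /^\s*action\s+(.+)$/
RISKY_ACTIONS  = %w[grant revoke].freeze

# Returns one hash { user:, line:, actions: } per resource that grants or
# revokes without a password. Assumes flat blocks (no nested do/end).
def find_passwordless_grants(recipe_text)
  findings = []
  current = nil
  recipe_text.each_line.with_index(1) do |line, lineno|
    if current.nil?
      m = RESOURCE_START.match(line)
      current = { user: m[1], line: lineno, actions: [], password: false } if m
    elsif RESOURCE_END.match?(line)
      risky = current[:actions] & RISKY_ACTIONS
      unless risky.empty? || current[:password]
        findings << { user: current[:user], line: current[:line], actions: risky }
      end
      current = nil
    elsif PASSWORD_PROP.match?(line)
      current[:password] = true
    elsif (m = ACTION_PROP.match(line))
      # Handles both `action :grant` and `action [:create, :grant]`
      current[:actions] = m[1].scan(/:(\w+)/).flatten
    end
  end
  findings
end

# Constructed sample recipe mirroring the resources in the report
SAMPLE_RECIPE = <<~RECIPE
  mariadb_user 'test_user' do
    password 'secret'
    action :create
  end

  mariadb_user 'test_user' do
    database_name 'test_db'
    privileges [:all]
    action :grant
  end
RECIPE

find_passwordless_grants(SAMPLE_RECIPE).each do |f|
  puts "line #{f[:line]}: mariadb_user '#{f[:user]}' #{f[:actions].join('/')} without password"
end
```
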