mysql_user: Drop support for REQUIRESSL

[Jorge-Rodriguez]

The REQUIRESSL privilege has been superseded by the more complete tls_requires option. The privilege has been kept for backwards compatibility, but in doing so it's introduced extra complexity in the module code and a number of idempotence issues.

With PR #97 we're planning a release with breaking changes. Here I'm proposing using the opportunity to drop the support for the REQUIRESSL privilege in the same breaking release.

[Andersson007]

I don't feel empowered to discuss the topic not being a MySQL user even (would be pretty dangerous to make any breaking decisions based on my suggestions, among other thing)
@bmalynovytch @bmildren @steveteahan what do you think?

[Andersson007]

I don't feel empoyered to discuss the topic not being a MySQL user even (would be pretty dangerous to make any breaking decisions based on my suggestions, among other thing)
@bmalynovytch @bmildren @steveteahan what do you think?

[bmalynovytch]

With PR #97 we're planning a release with breaking changes. Here I'm proposing using the opportunity to drop the support for the REQUIRESSL privilege in the same breaking release.

I doubt most of sysadmins use REQUIRESSL with MySQL / MariaDB, even though it's recommended.
Most of the people impacted with this breaking change should be able to upgrade their configuration, along with the update of the module.

I'm fine with this approach.

[felixfontein]

Besides that it's nice to finally get rid of the "SSL" (and replace it with the correct "TLS"), since TLS is around for almost 22 years now (as successor to the SSL protocols) and the last SSL protocol (SSLv3) has been deprecated almost 6 years ago (after being broken, and not being recommended for many more years). :)

[Jorge-Rodriguez]

I'll try to come up with a deprecation solution where we transparently transform the REQUIRESSL privilege into the appropriate TLS requirement, effectively turning REQUIRESSL into an alias and add a deprecation notice. Then we can drop support on the next release, along with the replication naming issues.

@felixfontein @bmalynovytch what do you guys think?

[Andersson007]

Sounds good to me. If it's a breaking change, I'd drop its support not in 2.0.0 but in 3.0.0 (there are plans to remove the *slave* choices in 3.0.0 from mysql_repolication as well. In 2.0.0 we're replacing slave in messages only, which is not so tough IMO). It's just a suggestion, about the possible schedule for 2.0.0 and 3.0.0, see #31 (comment) (depends on the Ansible major release schedule)

[Jorge-Rodriguez]

I agree with this approach, which is why I suggest to turn the privilege into an alias for version 2.0.0 as this will continue to support the privilege. We could use the aliasing code to raise a deprecation notice, and then in version 3.0.0 we just need to remove the aliasing, without a major code rewrite.

[Andersson007]

Ah, ok, sounds sensible