ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-08 19:50:30 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Mysql db unsafe passwd (#428)

Browse source 
* mysql_db: add new parameter unsafe_login_password

* add CI tests

* add changelog fragment
This commit is contained in:
Andrew Klychkov 2020-06-02 09:17:54 +03:00 committed by GitHub
parent f81e562301
commit c2bf9ea9fb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/428-mysql_db_add_unsafe_login_password_param.yml Normal file
View file

@ -0,0 +1,2 @@
minor_changes:
- mysql_db - add the ``unsafe_login_password`` parameter (https://github.com/ansible/ansible/issues/63955).

30
plugins/modules/database/mysql/mysql_db.py
View file

@ -113,6 +113,15 @@ options:
required: no required: no
type: bool type: bool
default: no default: no
unsafe_login_password:
description:
- If C(no), the module will safely use a shell-escaped version of the I(login_password) value.
- It makes sense to use C(yes) only if there are special symbols in the value and errors C(Access denied) occur.
- Used only when I(state) is C(import) or C(dump) and I(login_password) is passed, ignored otherwise.
type: bool
default: no
version_added: '2.10'
seealso: seealso:
- module: mysql_info - module: mysql_info
- module: mysql_variables - module: mysql_variables
@ -299,7 +308,8 @@ def db_delete(cursor, db):
def db_dump(module, host, user, password, db_name, target, all_databases, port, def db_dump(module, host, user, password, db_name, target, all_databases, port,
config_file, socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None, config_file, socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None,
single_transaction=None, quick=None, ignore_tables=None, hex_blob=None, single_transaction=None, quick=None, ignore_tables=None, hex_blob=None,
encoding=None, force=False, master_data=0, skip_lock_tables=False, dump_extra_args=None): encoding=None, force=False, master_data=0, skip_lock_tables=False,
dump_extra_args=None, unsafe_password=False):
cmd = module.get_bin_path('mysqldump', True) cmd = module.get_bin_path('mysqldump', True)
# If defined, mysqldump demands --defaults-extra-file be the first option # If defined, mysqldump demands --defaults-extra-file be the first option
if config_file: if config_file:
@ -307,7 +317,10 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,
if user is not None: if user is not None:
cmd += " --user=%s" % shlex_quote(user) cmd += " --user=%s" % shlex_quote(user)
if password is not None: if password is not None:
cmd += " --password=%s" % shlex_quote(password) if not unsafe_password:
cmd += " --password=%s" % shlex_quote(password)
else:
cmd += " --password=%s" % password
if ssl_cert is not None: if ssl_cert is not None:
cmd += " --ssl-cert=%s" % shlex_quote(ssl_cert) cmd += " --ssl-cert=%s" % shlex_quote(ssl_cert)
if ssl_key is not None: if ssl_key is not None:
@ -366,7 +379,7 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,
def db_import(module, host, user, password, db_name, target, all_databases, port, config_file, def db_import(module, host, user, password, db_name, target, all_databases, port, config_file,
socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None, encoding=None, force=False, socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None, encoding=None, force=False,
use_shell=False): use_shell=False, unsafe_password=False):
if not os.path.exists(target): if not os.path.exists(target):
return module.fail_json(msg="target %s does not exist on the host" % target) return module.fail_json(msg="target %s does not exist on the host" % target)
@ -377,7 +390,10 @@ def db_import(module, host, user, password, db_name, target, all_databases, port
if user: if user:
cmd.append("--user=%s" % shlex_quote(user)) cmd.append("--user=%s" % shlex_quote(user))
if password: if password:
cmd.append("--password=%s" % shlex_quote(password)) if not unsafe_password:
cmd.append("--password=%s" % shlex_quote(password))
else:
cmd.append("--password=%s" % password)
if ssl_cert is not None: if ssl_cert is not None:
cmd.append("--ssl-cert=%s" % shlex_quote(ssl_cert)) cmd.append("--ssl-cert=%s" % shlex_quote(ssl_cert))
if ssl_key is not None: if ssl_key is not None:
@ -492,6 +508,7 @@ def main():
skip_lock_tables=dict(type='bool', default=False), skip_lock_tables=dict(type='bool', default=False),
dump_extra_args=dict(type='str'), dump_extra_args=dict(type='str'),
use_shell=dict(type='bool', default=False), use_shell=dict(type='bool', default=False),
unsafe_login_password=dict(type='bool', default=False),
), ),
supports_check_mode=True, supports_check_mode=True,
) )
@ -518,6 +535,7 @@ def main():
connect_timeout = module.params['connect_timeout'] connect_timeout = module.params['connect_timeout']
config_file = module.params['config_file'] config_file = module.params['config_file']
login_password = module.params["login_password"] login_password = module.params["login_password"]
unsafe_login_password = module.params["unsafe_login_password"]
login_user = module.params["login_user"] login_user = module.params["login_user"]
login_host = module.params["login_host"] login_host = module.params["login_host"]
ignore_tables = module.params["ignore_tables"] ignore_tables = module.params["ignore_tables"]
@ -599,7 +617,7 @@ def main():
login_port, config_file, socket, ssl_cert, ssl_key, login_port, config_file, socket, ssl_cert, ssl_key,
ssl_ca, single_transaction, quick, ignore_tables, ssl_ca, single_transaction, quick, ignore_tables,
hex_blob, encoding, force, master_data, skip_lock_tables, hex_blob, encoding, force, master_data, skip_lock_tables,
dump_extra_args) dump_extra_args, unsafe_login_password)
if rc != 0: if rc != 0:
module.fail_json(msg="%s" % stderr) module.fail_json(msg="%s" % stderr)
module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout, module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout,
@ -618,7 +636,7 @@ def main():
all_databases, all_databases,
login_port, config_file, login_port, config_file,
socket, ssl_cert, ssl_key, ssl_ca, socket, ssl_cert, ssl_key, ssl_ca,
encoding, force, use_shell) encoding, force, use_shell, unsafe_login_password)
if rc != 0: if rc != 0:
module.fail_json(msg="%s" % stderr) module.fail_json(msg="%s" % stderr)
module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout, module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout,

18
tests/integration/targets/mysql_db/tasks/state_dump_import.yml
View file

@ -22,6 +22,16 @@
wrong_sql_file="{{tmp_dir}}/wrong.sql" wrong_sql_file="{{tmp_dir}}/wrong.sql"
dump_file1="{{tmp_dir}}/{{file2}}" dump_file1="{{tmp_dir}}/{{file2}}"
dump_file2="{{tmp_dir}}/{{file3}}" dump_file2="{{tmp_dir}}/{{file3}}"
db_user="test"
db_user_unsafe_password="pass!word"
- name: create user for test unsafe_login_password parameter
mysql_user:
name: '{{ db_user }}'
password: '{{ db_user_unsafe_password }}'
priv: '*.*:ALL'
state: present
login_unix_socket: '{{ mysql_socket }}'
- name: state dump/import - create database - name: state dump/import - create database
mysql_db: mysql_db:
@ -58,6 +68,9 @@
- name: state dump without department table. - name: state dump without department table.
mysql_db: mysql_db:
login_user: '{{ db_user }}'
login_password: '{{ db_user_unsafe_password }}'
unsafe_login_password: yes
name: "{{ db_name }}" name: "{{ db_name }}"
state: dump state: dump
target: "{{ db_file_name }}" target: "{{ db_file_name }}"
@ -74,7 +87,7 @@
assert: assert:
that: that:
- result is changed - result is changed
- result.executed_commands[0] is search("mysqldump --force --socket={{ mysql_socket }} {{ db_name }} --skip-lock-tables --quick --ignore-table={{ db_name }}.department --master-data=1 --skip-triggers") - result.executed_commands[0] is search("mysqldump --user={{ db_user }} --password=\*\*\*\*\*\*\*\* --force --socket={{ mysql_socket }} {{ db_name }} --skip-lock-tables --quick --ignore-table={{ db_name }}.department --master-data=1 --skip-triggers")
- name: state dump/import - file name should exist - name: state dump/import - file name should exist
file: name={{ db_file_name }} state=file file: name={{ db_file_name }} state=file
@ -153,6 +166,9 @@
- name: test state=import to restore the database of type {{ format_type }} (expect changed=true) - name: test state=import to restore the database of type {{ format_type }} (expect changed=true)
mysql_db: mysql_db:
login_user: '{{ db_user }}'
login_password: '{{ db_user_unsafe_password }}'
unsafe_login_password: yes
name: '{{ db_name }}' name: '{{ db_name }}'
state: import state: import
target: '{{ db_file_name }}' target: '{{ db_file_name }}'