diff --git a/plugins/module_utils/implementations/mysql/hash.py b/plugins/module_utils/implementations/mysql/hash.py
index 82a6d9f..c9b515f 100644
--- a/plugins/module_utils/implementations/mysql/hash.py
+++ b/plugins/module_utils/implementations/mysql/hash.py
@@ -106,7 +106,8 @@ def _sha256_digest(key, salt, loops):
 def mysql_sha256_password_hash_hex(password, salt):
 """Return a MySQL compatible caching_sha2_password hash in hex format."""
- assert len(salt) == 20, "Salt must be 20 characters long."
+ if len(salt) != 20:
+ raise ValueError("Salt must be 20 characters long.")
 count = 5
 iteration = 1000 * count
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index 89cda33..074ece4 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -191,7 +191,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
 generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
 else:
 module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
- query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, generated_hash_string)
+ query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s AS 0x%s", (user, host, plugin, generated_hash_string)
 else:
 query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
 elif plugin:
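Review bot: The docstring directly above the new check still does not tell callers that the function raises; add `Raises ValueError if salt is not exactly 20 characters long.` to it, since user_add and user_mod call this helper directly and an unhandled ValueError would presumably surface as a traceback rather than a fail_json. Note also that `len(salt)` counts code points when salt is a str, so a 20-character salt containing non-ASCII characters passes this check yet may encode to more than 20 bytes later; whether that matters depends on how salt is consumed further down, which is outside this hunk. mysql_sha256_password_hash_hex continues past the end of the hunk.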
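Review bot: The new `AS 0x%s` form only works if the driver substitutes the `%s` parameter as bare hex digits; a DB-API driver that quotes string parameters would send `AS 0x'…'`, which is not the `0x` hex-literal syntax MySQL expects. The execute path is outside this hunk, so please confirm this with an integration run on both pymysql and mysqlclient before merging. The same construct is introduced in the user_mod hunk at @@ -372 and the same check applies there. A short comment such as `# hash sent as a hex literal so the driver does not escape or re-encode the authentication string` would record why this branch differs from the `BY %s` branch (I am inferring the motivation, so adjust the wording if it is something else). user_add's body starts and ends outside the hunk.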
@@ -372,7 +372,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
 else:
 module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
- query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, generated_hash_string)
+ query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS 0x%s", (user, host, plugin, generated_hash_string)
 else:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
 else:
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index f3b20d3..481f1f0 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@@ -144,9 +144,9 @@ options:
 version_added: '0.1.0'
 salt:
 description:
- - Salt used to generate password hash.
+ - Salt used to generate password hash from I(plugin_auth_string).
 - Salt length must be 20 characters.
- - I(plugin) must be equal to ``caching_sha2_password`` or ``sha256_password`` and I(plugin_auth_string) defined.
+ - Salt only support ``caching_sha2_password`` or ``sha256_password`` authentication I(plugin).
 type: str
 version_added: '3.10.0'
 resource_limits:
@@ -377,6 +377,13 @@ EXAMPLES = r'''
 priv: '*.*:ALL'
 state: present
+- name: Create user 'bob' authenticated with plugin 'caching_sha2_password' and static salt
+ community.mysql.mysql_user:
+ name: bob
+ plugin: caching_sha2_password
+ plugin_auth_string: password
+ salt: 1234567890abcdefghij
+
 - name: Limit bob's resources to 10 queries per hour and 5 connections per hour
 community.mysql.mysql_user:
 name: bob
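Review bot: The replacement option text `- Salt only support ...` in the @@ -144 hunk is ungrammatical and drops the old sentence's statement that I(plugin_auth_string) is required; suggest `- Salt is only supported with the ``caching_sha2_password`` and ``sha256_password`` authentication I(plugin) values, and requires I(plugin_auth_string).` The description should also say that the salt becomes part of the stored authentication string and should be unique per user, since reusing one salt across users makes equal passwords produce equal authentication strings; the new example at @@ -377 could carry the same remark next to its fixed `salt:` value. It would help to state whether the 20-character rule means characters or bytes, given that the module validates `len(salt)` on the string.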
@@ -509,8 +516,11 @@ def main():
 module.fail_json(msg="password_expire_interval value \
 should be positive number")
- if salt and plugin not in ['caching_sha2_password', 'sha256_password']:
- module.fail_json(msg="salt requires caching_sha2_password or sha256_password plugin")
+ if salt:
+ if len(salt) != 20:
+ module.fail_json(msg="Salt must be 20 characters long")
+ if plugin not in ['caching_sha2_password', 'sha256_password']:
+ module.fail_json(msg="salt requires caching_sha2_password or sha256_password plugin")
 cursor = None
 try:
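Review bot: The new validation checks the salt's length and the plugin but not that `plugin_auth_string` is set, which the hashing call in user_add/user_mod (`mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)`) relies on; the old option text required it and this commit removes that sentence from the docs as well. Add `if not plugin_auth_string: module.fail_json(msg="salt requires plugin_auth_string")` inside the new `if salt:` block, or, if the argument_spec is the preferred place (it is outside this hunk), a `required_by` entry there. The two new messages also differ in casing (`Salt must …` vs `salt requires …`); pick one. main() continues outside the hunk.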