mysql_user: replace VALID_PRIVS by get_valid_privs() function (#217)

* mysql_user: replace VALID_PRIVS by get_valid_privs() function * Add EXTRA_PRIVS in case we need to add more privs in the future * Add changelog fragment
2025-04-05 10:10:32 -07:00 · 2021-09-23 11:53:37 +02:00 · 2021-09-23 11:53:37 +02:00 · 0ce1fa1634
commit 0ce1fa1634
parent 4de0e25ea0
4 changed files with 19 additions and 40 deletions
--- a/changelogs/fragments/217-mysql-user-replace-get-valid-privs-from-show-privilegees.yml
+++ b/changelogs/fragments/217-mysql-user-replace-get-valid-privs-from-show-privilegees.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - mysql_user - replace VALID_PRIVS constant by get_valid_privs() function (https://github.com/ansible-collections/community.mysql/pull/217).
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -19,41 +19,7 @@ from ansible_collections.community.mysql.plugins.module_utils.mysql import (
 )


-VALID_PRIVS = frozenset(('CREATE', 'DROP', 'GRANT', 'GRANT OPTION',
-                         'LOCK TABLES', 'REFERENCES', 'EVENT', 'ALTER',
-                         'DELETE', 'INDEX', 'INSERT', 'SELECT', 'UPDATE',
-                         'CREATE TEMPORARY TABLES', 'TRIGGER', 'CREATE VIEW',
-                         'SHOW VIEW', 'ALTER ROUTINE', 'CREATE ROUTINE',
-                         'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER',
-                         'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT',
-                         'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN',
-                         'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE',
-                         'REQUIRESSL',  # Deprecated, to be removed in version 3.0.0
-                         'CREATE ROLE', 'DROP ROLE', 'APPLICATION_PASSWORD_ADMIN',
-                         'AUDIT_ADMIN', 'BACKUP_ADMIN', 'BINLOG_ADMIN',
-                         'BINLOG_ENCRYPTION_ADMIN', 'CLONE_ADMIN', 'CONNECTION_ADMIN',
-                         'ENCRYPTION_KEY_ADMIN', 'FIREWALL_ADMIN', 'FIREWALL_USER',
-                         'GROUP_REPLICATION_ADMIN', 'INNODB_REDO_LOG_ARCHIVE',
-                         'NDB_STORED_USER', 'PERSIST_RO_VARIABLES_ADMIN',
-                         'REPLICATION_APPLIER', 'REPLICATION_SLAVE_ADMIN',
-                         'RESOURCE_GROUP_ADMIN', 'RESOURCE_GROUP_USER',
-                         'ROLE_ADMIN', 'SESSION_VARIABLES_ADMIN', 'SET_USER_ID',
-                         'SYSTEM_USER', 'SYSTEM_VARIABLES_ADMIN', 'SYSTEM_USER',
-                         'TABLE_ENCRYPTION_ADMIN', 'VERSION_TOKEN_ADMIN',
-                         'XA_RECOVER_ADMIN', 'LOAD FROM S3', 'SELECT INTO S3',
-                         'INVOKE LAMBDA',
-                         'ALTER ROUTINE',
-                         'BINLOG ADMIN',
-                         'BINLOG MONITOR',
-                         'BINLOG REPLAY',
-                         'CONNECTION ADMIN',
-                         'READ_ONLY ADMIN',
-                         'REPLICATION MASTER ADMIN',
-                         'REPLICATION SLAVE ADMIN',
-                         'SET USER',
-                         'SHOW_ROUTINE',
-                         'SLAVE MONITOR',
-                         'REPLICA MONITOR',))
+EXTRA_PRIVS = ['ALL', 'ALL PRIVILEGES', 'GRANT', 'REQUIRESSL']


 class InvalidPrivsError(Exception):
@ -141,6 +107,13 @@ def get_tls_requires(cursor, user, host):
        return requires or None


+def get_valid_privs(cursor):
+    cursor.execute("SHOW PRIVILEGES")
+    show_privs = [priv[0].upper() for priv in cursor.fetchall()]
+    all_privs = show_privs + EXTRA_PRIVS
+    return frozenset(all_privs)
+
+
 def get_grants(cursor, user, host):
    cursor.execute("SHOW GRANTS FOR %s@%s", (user, host))
    grants_line = list(filter(lambda x: "ON *.*" in x[0], cursor.fetchall()))[0]
@ -583,7 +556,7 @@ def sort_column_order(statement):
    return '%s(%s)' % (priv_name, ', '.join(columns))


-def privileges_unpack(priv, mode):
+def privileges_unpack(priv, mode, valid_privs):
    """ Take a privileges string, typically passed as a parameter, and unserialize
    it into a dictionary, the same format as privileges_get() above. We have this
    custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
@ -630,8 +603,8 @@ def privileges_unpack(priv, mode):
        output[pieces[0]] = normalize_col_grants(output[pieces[0]])

        new_privs = frozenset(privs)
-        if not new_privs.issubset(VALID_PRIVS):
-            raise InvalidPrivsError('Invalid privileges specified: %s' % new_privs.difference(VALID_PRIVS))
+        if not new_privs.issubset(valid_privs):
+            raise InvalidPrivsError('Invalid privileges specified: %s' % new_privs.difference(valid_privs))

    if '*.*' not in output:
        output['*.*'] = ['USAGE']
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@ -250,6 +250,7 @@ from ansible_collections.community.mysql.plugins.module_utils.user import (
    get_mode,
    user_mod,
    privileges_grant,
+    get_valid_privs,
    privileges_unpack,
 )
 from ansible.module_utils._text import to_native
@ -1013,7 +1014,8 @@ def main():
            module.fail_json(msg=to_native(e))

        try:
-            priv = privileges_unpack(priv, mode)
+            valid_privs = get_valid_privs(cursor)
+            priv = privileges_unpack(priv, mode, valid_privs)
        except Exception as e:
            module.fail_json(msg='Invalid privileges string: %s' % to_native(e))

--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -318,6 +318,7 @@ from ansible_collections.community.mysql.plugins.module_utils.user import (
    handle_requiressl_in_priv_string,
    InvalidPrivsError,
    limit_resources,
+    get_valid_privs,
    privileges_unpack,
    sanitize_requires,
    user_add,
@ -421,7 +422,8 @@ def main():
        except Exception as e:
            module.fail_json(msg=to_native(e))
        try:
-            priv = privileges_unpack(priv, mode)
+            valid_privs = get_valid_privs(cursor)
+            priv = privileges_unpack(priv, mode, valid_privs)
        except Exception as e:
            module.fail_json(msg="invalid privileges string: %s" % to_native(e))