ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-08-26 16:01:45 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

mysql_user: return "password_changed" boolean (true if the user got a new password)

Browse source
This commit is contained in:
Felix Hamme 2022-05-17 12:43:02 +02:00
commit 21604ce58b
3 changed files with 27 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

23
plugins/module_utils/user.py
View file

@ -137,22 +137,24 @@ def user_add(cursor, user, host, host_all, password, encrypted,
tls_requires, check_mode, reuse_existing_password): tls_requires, check_mode, reuse_existing_password):
# we cannot create users without a proper hostname # we cannot create users without a proper hostname
if host_all: if host_all:
return False return {'changed': False, 'password_changed': False}
if check_mode: if check_mode:
return True return {'changed': True, 'password_changed': None}
# Determine what user management method server uses # Determine what user management method server uses
old_user_mgmt = impl.use_old_user_mgmt(cursor) old_user_mgmt = impl.use_old_user_mgmt(cursor)
mogrify = do_not_mogrify_requires if old_user_mgmt else mogrify_requires mogrify = do_not_mogrify_requires if old_user_mgmt else mogrify_requires
used_existing_password = False
if reuse_existing_password: if reuse_existing_password:
existing_auth = get_existing_authentication(cursor, user) existing_auth = get_existing_authentication(cursor, user)
if existing_auth: if existing_auth:
plugin = existing_auth['plugin'] plugin = existing_auth['plugin']
plugin_hash_string = existing_auth['auth_string'] plugin_hash_string = existing_auth['auth_string']
password = None password = None
used_existing_password = True
if password and encrypted: if password and encrypted:
if impl.supports_identified_by_password(cursor): if impl.supports_identified_by_password(cursor):
query_with_args = "CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password) query_with_args = "CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password)
@ -182,7 +184,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
privileges_grant(cursor, user, host, db_table, priv, tls_requires) privileges_grant(cursor, user, host, db_table, priv, tls_requires)
if tls_requires is not None: if tls_requires is not None:
privileges_grant(cursor, user, host, "*.*", get_grants(cursor, user, host), tls_requires) privileges_grant(cursor, user, host, "*.*", get_grants(cursor, user, host), tls_requires)
return True return {'changed': True, 'password_changed': not used_existing_password}
def is_hash(password): def is_hash(password):
@ -208,6 +210,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
else: else:
hostnames = [host] hostnames = [host]
password_changed = False
for host in hostnames: for host in hostnames:
# Handle clear text and hashed passwords. # Handle clear text and hashed passwords.
if not role: if not role:
@ -252,9 +255,10 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
encrypted_password = cursor.fetchone()[0] encrypted_password = cursor.fetchone()[0]
if current_pass_hash != encrypted_password: if current_pass_hash != encrypted_password:
password_changed = True
msg = "Password updated" msg = "Password updated"
if module.check_mode: if module.check_mode:
return (True, msg) return {'changed': True, 'msg': msg, 'password_changed': password_changed}
if old_user_mgmt: if old_user_mgmt:
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, encrypted_password)) cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, encrypted_password))
msg = "Password updated (old style)" msg = "Password updated (old style)"
@ -306,6 +310,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin) query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
cursor.execute(*query_with_args) cursor.execute(*query_with_args)
password_changed = True
changed = True changed = True
# Handle privileges # Handle privileges
@ -323,7 +328,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if user != "root" and "PROXY" not in priv: if user != "root" and "PROXY" not in priv:
msg = "Privileges updated" msg = "Privileges updated"
if module.check_mode: if module.check_mode:
return (True, msg) return {'changed': True, 'msg': msg, 'password_changed': password_changed}
privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role) privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role)
changed = True changed = True
@ -334,7 +339,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if db_table not in curr_priv: if db_table not in curr_priv:
msg = "New privileges granted" msg = "New privileges granted"
if module.check_mode: if module.check_mode:
return (True, msg) return {'changed': True, 'msg': msg, 'password_changed': password_changed}
privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role) privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role)
changed = True changed = True
@ -364,7 +369,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if len(grant_privs) + len(revoke_privs) > 0: if len(grant_privs) + len(revoke_privs) > 0:
msg = "Privileges updated: granted %s, revoked %s" % (grant_privs, revoke_privs) msg = "Privileges updated: granted %s, revoked %s" % (grant_privs, revoke_privs)
if module.check_mode: if module.check_mode:
return (True, msg) return {'changed': True, 'msg': msg, 'password_changed': password_changed}
if len(revoke_privs) > 0: if len(revoke_privs) > 0:
privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option, maria_role) privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option, maria_role)
if len(grant_privs) > 0: if len(grant_privs) > 0:
@ -379,7 +384,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if current_requires != tls_requires: if current_requires != tls_requires:
msg = "TLS requires updated" msg = "TLS requires updated"
if module.check_mode: if module.check_mode:
return (True, msg) return {'changed': True, 'msg': msg, 'password_changed': password_changed}
if not old_user_mgmt: if not old_user_mgmt:
pre_query = "ALTER USER" pre_query = "ALTER USER"
else: else:
@ -395,7 +400,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
cursor.execute(*query_with_args) cursor.execute(*query_with_args)
changed = True changed = True
return (changed, msg) return {'changed': changed, 'msg': msg, 'password_changed': password_changed}
def user_delete(cursor, user, host, host_all, check_mode): def user_delete(cursor, user, host, host_all, check_mode):

3
plugins/modules/mysql_role.py
View file

@ -911,10 +911,11 @@ class Role():
set_default_role_all=set_default_role_all) set_default_role_all=set_default_role_all)
if privs: if privs:
changed, msg = user_mod(self.cursor, self.name, self.host, result = user_mod(self.cursor, self.name, self.host,
None, None, None, None, None, None, None, None, None, None, None, None,
privs, append_privs, subtract_privs, None, privs, append_privs, subtract_privs, None,
self.module, role=True, maria_role=self.is_mariadb) self.module, role=True, maria_role=self.is_mariadb)
changed = result['changed']
if admin: if admin:
self.role_impl.set_admin(admin) self.role_impl.set_admin(admin)

16
plugins/modules/mysql_user.py
View file

@ -447,18 +447,22 @@ def main():
except Exception as e: except Exception as e:
module.fail_json(msg=to_native(e)) module.fail_json(msg=to_native(e))
priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs) priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
password_changed = False
if state == "present": if state == "present":
if user_exists(cursor, user, host, host_all): if user_exists(cursor, user, host, host_all):
try: try:
if update_password == "always": if update_password == "always":
changed, msg = user_mod(cursor, user, host, host_all, password, encrypted, result = user_mod(cursor, user, host, host_all, password, encrypted,
plugin, plugin_hash_string, plugin_auth_string, plugin, plugin_hash_string, plugin_auth_string,
priv, append_privs, subtract_privs, tls_requires, module) priv, append_privs, subtract_privs, tls_requires, module)
else: else:
changed, msg = user_mod(cursor, user, host, host_all, None, encrypted, result = user_mod(cursor, user, host, host_all, None, encrypted,
None, None, None, None, None, None,
priv, append_privs, subtract_privs, tls_requires, module) priv, append_privs, subtract_privs, tls_requires, module)
changed = result['changed']
msg = result['msg']
password_changed = result['password_changed']
except (SQLParseError, InvalidPrivsError, mysql_driver.Error) as e: except (SQLParseError, InvalidPrivsError, mysql_driver.Error) as e:
module.fail_json(msg=to_native(e)) module.fail_json(msg=to_native(e))
@ -469,9 +473,11 @@ def main():
if subtract_privs: if subtract_privs:
priv = None # avoid granting unwanted privileges priv = None # avoid granting unwanted privileges
reuse_existing_password = update_password == 'on_new_username' reuse_existing_password = update_password == 'on_new_username'
changed = user_add(cursor, user, host, host_all, password, encrypted, result = user_add(cursor, user, host, host_all, password, encrypted,
plugin, plugin_hash_string, plugin_auth_string, plugin, plugin_hash_string, plugin_auth_string,
priv, tls_requires, module.check_mode, reuse_existing_password) priv, tls_requires, module.check_mode, reuse_existing_password)
changed = result['changed']
password_changed = result['password_changed']
if changed: if changed:
msg = "User added" msg = "User added"
@ -488,7 +494,7 @@ def main():
else: else:
changed = False changed = False
msg = "User doesn't exist" msg = "User doesn't exist"
module.exit_json(changed=changed, user=user, msg=msg) module.exit_json(changed=changed, user=user, msg=msg, password_changed=password_changed)
if __name__ == '__main__': if __name__ == '__main__':