From 2d75bc19b8ca973c67521e74754b712c816fd2a3 Mon Sep 17 00:00:00 2001 From: "R.Sicart" Date: Thu, 8 Sep 2022 18:26:58 +0200 Subject: [PATCH] Fix privilege changing everytime (#438) * Compare privileges from before and after manipulation * Add unit tests * Fix FIXME integration tests related to this issue * Fix sanity check * Fix assertion when appending privs in mysql_role_initial integration tests * Fix pylint * [ci-skip] Add changelog fragment * Fix: missing fragment file extension * Replace privileges_equal() by a comparison * Fix: sanity pylint * Fix: forgot to remove privileges_equal import from unit tests
---
.../fragments/438-fix-privilege-changing-everytime.yml | 7 +++++++ plugins/module_utils/user.py | 5 ++++- .../test_mysql_role/tasks/mysql_role_initial.yml | 10 ++-------- .../targets/test_mysql_user/tasks/test_privs.yml | 4 ---- 4 files changed, 13 insertions(+), 13 deletions(-) create mode 100644 changelogs/fragments/438-fix-privilege-changing-everytime.yml
diff --git a/changelogs/fragments/438-fix-privilege-changing-everytime.yml b/changelogs/fragments/438-fix-privilege-changing-everytime.yml
new file mode 100644
index 0000000..da7baa8
--- /dev/null
+++ b/changelogs/fragments/438-fix-privilege-changing-everytime.yml
@@ -0,0 +1,7 @@
+---
+bugfixes:
+ - mysql_user, mysql_role - mysql/mariadb recent versions translate 'ALL
+ PRIVILEGES' to a list of specific privileges. That caused a change every time
+ we modified user privileges. This fix compares privs before and after user
+ modification to avoid this infinite change
+ (https://github.com/ansible-collections/community.mysql/issues/77).
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index bc874e1..7def8c7 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -385,7 +385,10 @@ def user_mod(cursor, user, host, host_all, password, encrypted, privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option, maria_role) if len(grant_privs) > 0: privileges_grant(cursor, user, host, db_table, grant_privs, tls_requires, maria_role) - changed = True + + # after privilege manipulation, compare privileges from before and now + after_priv = privileges_get(cursor, user, host, maria_role) + changed = changed or (curr_priv != after_priv) if role: continue diff --git a/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml b/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml index 8c81a75..36f2418 100644 --- a/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml +++ b/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml @@ -1491,16 +1491,10 @@ priv: '{{ test_db1 }}.{{ test_table }}:SELECT,INSERT/{{ test_db2 }}.{{ test_table }}:DELETE' append_privs: yes - # TODO it must be changed. The module uses user_mod function - # taken from mysql_user module. It's a bug / expected behavior - # because I added a similar tasks to mysql_user tests - # https://github.com/ansible-collections/community.mysql/issues/50#issuecomment-871216825 - # and it's also failed. Create an issue after the module is merged to avoid conflicts. - # TODO Fix this after user_mod is fixed. - - name: Check + - name: Check that there's no change assert: that: - - result is changed + - result is not changed - name: Rewrite privs <<: *task_params diff --git a/tests/integration/targets/test_mysql_user/tasks/test_privs.yml b/tests/integration/targets/test_mysql_user/tasks/test_privs.yml index 3c911a9..b9581f7 100644 --- a/tests/integration/targets/test_mysql_user/tasks/test_privs.yml +++ b/tests/integration/targets/test_mysql_user/tasks/test_privs.yml 
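Review bot: In the `user_mod` hunk of plugins/module_utils/user.py, the added `changed = changed or (curr_priv != after_priv)` only changes what is reported. The `privileges_revoke(...)` and `privileges_grant(...)` calls above it are untouched, so whenever they fired before this commit they still fire, and the server still receives those statements, with the audit-log entries and the short gap between revoke and grant, while the task now reports no change. The comparison is also made against the earlier snapshot rather than the requested privileges, so a grant that took no effect for some other reason would presumably be reported as unchanged too. The comment should at least say so, e.g. `# GRANT/REVOKE above may still have run; 'changed' only reflects a before/after difference in privileges_get()`, and a sturdier fix would normalise 'ALL PRIVILEGES' before grant_privs/revoke_privs are computed so the statements are skipped. user_mod begins and ends outside the hunk, so how curr_priv is built, whether it is mutated before this point, and whether check mode returns earlier with a different result cannot be confirmed from here.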
@@ -179,8 +179,6 @@ assert: that: - result is not changed - when: (install_type == 'mysql' and mysql_version is version('8', '<')) or - (install_type == 'mariadb' and mariadb_version is version('10.5', '<')) - name: remove username mysql_user: @@ -229,8 +227,6 @@ assert: that: - result is not changed - when: (install_type == 'mysql' and mysql_version is version('8', '<')) or - (install_type == 'mariadb') - name: Collect user info by host community.mysql.mysql_info: