ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-04-22 10:21:29 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

mysql_user: Fixed change detection with append_privs (#69)

Browse source 
Prior to this change, mysql_user with append_privs would attempt to make
a change even if the current privileges were a superset of the new
privileges (shouldn't require any action).
This commit is contained in:
Steve Teahan 2020-12-12 02:08:44 -05:00 committed by Steve Teahan
parent d309d5af2d
commit 3e6ebe6b4a
4 changed files with 93 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
plugins/modules/mysql_user.py
View file

@ -665,7 +665,14 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
# and in the new privileges, then we need to see if there's a difference. # and in the new privileges, then we need to see if there's a difference.
db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys()) db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys())
for db_table in db_table_intersect: for db_table in db_table_intersect:
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
# If appending privileges, only the set difference between new privileges and current privileges matter.
# The symmetric difference isn't relevant for append because existing privileges will not be revoked.
if append_privs:
priv_diff = set(new_priv[db_table]) - set(curr_priv[db_table])
else:
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
if len(priv_diff) > 0: if len(priv_diff) > 0:
msg = "Privileges updated" msg = "Privileges updated"
if module.check_mode: if module.check_mode:

2
tests/integration/targets/test_mysql_user/defaults/main.yml
View file

@ -9,10 +9,12 @@ db_name: 'data'
user_name_1: 'db_user1' user_name_1: 'db_user1'
user_name_2: 'db_user2' user_name_2: 'db_user2'
user_name_3: 'db_user3' user_name_3: 'db_user3'
user_name_4: 'db_user4'
user_password_1: 'gadfFDSdtTU^Sdfuj' user_password_1: 'gadfFDSdtTU^Sdfuj'
user_password_2: 'jkFKUdfhdso78yi&td' user_password_2: 'jkFKUdfhdso78yi&td'
user_password_3: 'jkFKUdfhdso78yi&tk' user_password_3: 'jkFKUdfhdso78yi&tk'
user_password_4: 's2R#7pLV31!ZJrXPa3'
root_password: 'zevuR6oPh7' root_password: 'zevuR6oPh7'

4
tests/integration/targets/test_mysql_user/tasks/main.yml
View file

@ -261,6 +261,10 @@
# Tests for the priv parameter with dict value (https://github.com/ansible/ansible/issues/57533) # Tests for the priv parameter with dict value (https://github.com/ansible/ansible/issues/57533)
- include: test_priv_dict.yml - include: test_priv_dict.yml
# Test that append_privs will not attempt to make a change where current privileges are a superset of new privileges
# (https://github.com/ansible-collections/community.mysql/issues/69)
- include: test_priv_append_no_change.yml
# Tests for the TLS requires dictionary # Tests for the TLS requires dictionary
- include: tls_requirements.yml - include: tls_requirements.yml

79
tests/integration/targets/test_mysql_user/tasks/test_priv_append_no_change.yml Normal file
View file

@ -0,0 +1,79 @@
# Test code to ensure that appending privileges will not result in unnecessary changes when the current privileges
# are a superset of the new privileges that have been defined.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_port: '{{ mysql_primary_port }}'
block:
- name: Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- name: Create user with privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT,INSERT/data2.*:SELECT,DELETE'
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
register: result
- name: Assert user given privileges
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
- name: Append privileges that are a subset of the current privileges, which should be a no-op
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT/data2.*:SELECT'
append_privs: yes
state: present
register: result
- name: Assert that there wasn't a change and that the permissions are still the same
assert:
that:
- "result.changed == false"
- name: Run command to show privileges for user once more (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
register: result
- name: Assert user given privileges once more
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
##########
# Clean up
- name: Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
state: absent