mysql_role, mysql_user: when subtract_privileges is set, don't grant unwanted privileges and don't revoke USAGE implicitly

Felix Hamme 2022-04-13 18:14:15 +02:00
commit 52eb368e30
3 changed files with 8 additions and 4 deletions


@ -560,7 +560,7 @@ def sort_column_order(statement):
return '%s(%s)' % (priv_name, ', '.join(columns)) return '%s(%s)' % (priv_name, ', '.join(columns))
def privileges_unpack(priv, mode): def privileges_unpack(priv, mode, ensure_usage=True):
""" Take a privileges string, typically passed as a parameter, and unserialize """ Take a privileges string, typically passed as a parameter, and unserialize
it into a dictionary, the same format as privileges_get() above. We have this it into a dictionary, the same format as privileges_get() above. We have this
custom format to avoid using YAML/JSON strings inside YAML playbooks. Example custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
@ -606,7 +606,7 @@ def privileges_unpack(priv, mode):
# Handle cases when there's privs like GRANT SELECT (colA, ...) in privs. # Handle cases when there's privs like GRANT SELECT (colA, ...) in privs.
output[pieces[0]] = normalize_col_grants(output[pieces[0]]) output[pieces[0]] = normalize_col_grants(output[pieces[0]])
if '*.*' not in output: if ensure_usage and '*.*' not in output:
output['*.*'] = ['USAGE'] output['*.*'] = ['USAGE']
return output return output
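Review bot: The new `ensure_usage` keyword on the `def privileges_unpack(priv, mode, ensure_usage=True)` line is not mentioned in the docstring that follows it, although it changes the shape of the returned dictionary: with `ensure_usage=False` the second hunk (`if ensure_usage and '*.*' not in output`) no longer inserts the implicit `'*.*': ['USAGE']` entry. Suggest adding a line to the docstring such as `ensure_usage: when True (the default) add an implicit USAGE grant on '*.*' if the string names none; pass False when the result is only used to subtract privileges, so USAGE is not revoked as a side effect.` The function body between the two hunks is outside the view.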


@ -1034,7 +1034,7 @@ def main():
module.fail_json(msg=to_native(e)) module.fail_json(msg=to_native(e))
try: try:
priv = privileges_unpack(priv, mode) priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
except Exception as e: except Exception as e:
module.fail_json(msg='Invalid privileges string: %s' % to_native(e)) module.fail_json(msg='Invalid privileges string: %s' % to_native(e))
@ -1063,6 +1063,8 @@ def main():
try: try:
if state == 'present': if state == 'present':
if not role.exists: if not role.exists:
if subtract_privs:
priv = None # avoid granting unwanted privileges
changed = role.add(members, priv, module.check_mode, admin, changed = role.add(members, priv, module.check_mode, admin,
set_default_role_all) set_default_role_all)
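Review bot: With `subtract_privs` set and the role not yet existing, the new `priv = None  # avoid granting unwanted privileges` line silently discards the requested privilege list, so a play that intended to remove privileges instead creates a role with none and reports it as added without any indication that nothing was subtracted. Consider making that visible to the operator, e.g. `module.warn('subtract_privileges is set but the role does not exist yet; creating it without privileges')` before `priv = None`, or at least expanding the inline comment to say that there is nothing to subtract from a new role. The same pattern appears in the mysql_user hunk below, where `priv` is dropped before the `user_add` call. `main()` starts and ends outside both hunks.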


@ -443,7 +443,7 @@ def main():
mode = get_mode(cursor) mode = get_mode(cursor)
except Exception as e: except Exception as e:
module.fail_json(msg=to_native(e)) module.fail_json(msg=to_native(e))
priv = privileges_unpack(priv, mode) priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
if state == "present": if state == "present":
if user_exists(cursor, user, host, host_all): if user_exists(cursor, user, host, host_all):
@ -463,6 +463,8 @@ def main():
if host_all: if host_all:
module.fail_json(msg="host_all parameter cannot be used when adding a user") module.fail_json(msg="host_all parameter cannot be used when adding a user")
try: try:
if subtract_privs:
priv = None # avoid granting unwanted privileges
changed = user_add(cursor, user, host, host_all, password, encrypted, changed = user_add(cursor, user, host, host_all, password, encrypted,
plugin, plugin_hash_string, plugin_auth_string, plugin, plugin_hash_string, plugin_auth_string,
priv, tls_requires, module.check_mode) priv, tls_requires, module.check_mode)