	mysql_role, mysql_user: when subtract_privileges, don't grant unwanted privileges and don't revoke USAGE implicitly
This commit is contained in:
		
					parent
					
						
							
								47b2ba5b88
							
						
					
				
			
			
				commit
				
					
						52eb368e30
					
				
			
		
					 3 changed files with 8 additions and 4 deletions
				
			
		|  | @ -560,7 +560,7 @@ def sort_column_order(statement): | |||
|     return '%s(%s)' % (priv_name, ', '.join(columns)) | ||||
| 
 | ||||
| 
 | ||||
| def privileges_unpack(priv, mode): | ||||
| def privileges_unpack(priv, mode, ensure_usage=True): | ||||
|     """ Take a privileges string, typically passed as a parameter, and unserialize | ||||
|     it into a dictionary, the same format as privileges_get() above. We have this | ||||
|     custom format to avoid using YAML/JSON strings inside YAML playbooks. Example | ||||
|  | @ -606,7 +606,7 @@ def privileges_unpack(priv, mode): | |||
|         # Handle cases when there's privs like GRANT SELECT (colA, ...) in privs. | ||||
|         output[pieces[0]] = normalize_col_grants(output[pieces[0]]) | ||||
| 
 | ||||
|     if '*.*' not in output: | ||||
|     if ensure_usage and '*.*' not in output: | ||||
|         output['*.*'] = ['USAGE'] | ||||
| 
 | ||||
|     return output | ||||
|  |  | |||
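Review bot: The docstring of privileges_unpack, which begins right after the new signature `def privileges_unpack(priv, mode, ensure_usage=True):`, is not updated for the added keyword, so a reader has to trace the call sites to learn what it switches off. A one-sentence addition would do, e.g. `ensure_usage: when True (the default) a USAGE grant on '*.*' is added if the string names none; pass False when the result is used to subtract privileges, so USAGE is not implicitly revoked.` The body of the function and the remainder of its docstring lie outside the two hunks shown.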
|  | @ -1034,7 +1034,7 @@ def main(): | |||
|             module.fail_json(msg=to_native(e)) | ||||
| 
 | ||||
|         try: | ||||
|             priv = privileges_unpack(priv, mode) | ||||
|             priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs) | ||||
|         except Exception as e: | ||||
|             module.fail_json(msg='Invalid privileges string: %s' % to_native(e)) | ||||
| 
 | ||||
|  | @ -1063,6 +1063,8 @@ def main(): | |||
|     try: | ||||
|         if state == 'present': | ||||
|             if not role.exists: | ||||
|                 if subtract_privs: | ||||
|                     priv = None  # avoid granting unwanted privileges | ||||
|                 changed = role.add(members, priv, module.check_mode, admin, | ||||
|                                    set_default_role_all) | ||||
| 
 | ||||
|  |  | |||
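Review bot: Setting `priv = None  # avoid granting unwanted privileges` when `subtract_privs` is true and the role does not yet exist silently discards the privileges the caller asked to subtract, and nothing in the hunk tells the user that the role was created without them; the same pattern appears in the mysql_user hunk below. The `subtract_privileges` option documentation should state that on creation of a new role or user the listed privileges are ignored, and a `module.warn(...)` in that branch would make the no-op visible in play output rather than only in the code comment. The new `ensure_usage=not subtract_privs` argument also relies on `subtract_privs` being bound before this try block; it appears to be read from the module params earlier in main(), outside the hunk, so that ordering should be confirmed. main() starts and ends outside both hunks.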
|  | @ -443,7 +443,7 @@ def main(): | |||
|             mode = get_mode(cursor) | ||||
|         except Exception as e: | ||||
|             module.fail_json(msg=to_native(e)) | ||||
|         priv = privileges_unpack(priv, mode) | ||||
|         priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs) | ||||
| 
 | ||||
|     if state == "present": | ||||
|         if user_exists(cursor, user, host, host_all): | ||||
|  | @ -463,6 +463,8 @@ def main(): | |||
|             if host_all: | ||||
|                 module.fail_json(msg="host_all parameter cannot be used when adding a user") | ||||
|             try: | ||||
|                 if subtract_privs: | ||||
|                     priv = None  # avoid granting unwanted privileges | ||||
|                 changed = user_add(cursor, user, host, host_all, password, encrypted, | ||||
|                                    plugin, plugin_hash_string, plugin_auth_string, | ||||
|                                    priv, tls_requires, module.check_mode) | ||||
|  |  | |||
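Review bot: The modified call `priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)` runs outside any try block here, whereas the equivalent call in the mysql_role hunk is wrapped in `try/except Exception` and reported through `module.fail_json(msg='Invalid privileges string: %s' % to_native(e))`; if privileges_unpack raises on a malformed string, mysql_user would surface a raw traceback instead of a module failure. The mismatch predates this commit, but since the line is touched here it is a good moment to align it: `try:` / `    priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)` / `except Exception as e: module.fail_json(msg='Invalid privileges string: %s' % to_native(e))`. The try/except immediately above only covers get_mode(cursor). main() continues outside the hunk on both sides.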