ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-04-06 10:40:36 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

cut option maria_role as it as nothing to do with roles

Browse source 
This was introduced in #189. To my knowledge, there is no difference
between MySQL and MariaDB regarding roles or when you call a user by
its name alone. Both works if the host it '%'. Same for roles.
This commit is contained in:
Laurent Indermuehle 2023-10-11 14:00:20 +02:00
parent 34505c9b4f
commit 7f6d5f5622
No known key found for this signature in database
GPG key ID: 93FA944C9F34DD09
3 changed files with 26 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
plugins/module_utils/user.py
View file

@ -209,7 +209,7 @@ def is_hash(password):
def user_mod(cursor, user, host, host_all, password, encrypted, def user_mod(cursor, user, host, host_all, password, encrypted,
plugin, plugin_hash_string, plugin_auth_string, new_priv, plugin, plugin_hash_string, plugin_auth_string, new_priv,
append_privs, subtract_privs, tls_requires, module, role=False, maria_role=False): append_privs, subtract_privs, tls_requires, module, role=False):
changed = False changed = False
msg = "User unchanged" msg = "User unchanged"
grant_option = False grant_option = False
@ -331,7 +331,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
# Handle privileges # Handle privileges
if new_priv is not None: if new_priv is not None:
curr_priv = privileges_get(module, cursor, user, host, maria_role, summarize_all=False) curr_priv = privileges_get(module, cursor, user, host, summarize_all=False)
# If the user has privileges on a db.table that doesn't appear at all in # If the user has privileges on a db.table that doesn't appear at all in
# the new specification, then revoke all privileges on it. # the new specification, then revoke all privileges on it.
@ -345,7 +345,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
msg = "Privileges updated" msg = "Privileges updated"
if module.check_mode: if module.check_mode:
return {'changed': True, 'msg': msg, 'password_changed': password_changed} return {'changed': True, 'msg': msg, 'password_changed': password_changed}
privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role) privileges_revoke(cursor, user, host, db_table, priv, grant_option)
changed = True changed = True
# If the user doesn't currently have any privileges on a db.table, then # If the user doesn't currently have any privileges on a db.table, then
@ -356,7 +356,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
msg = "New privileges granted" msg = "New privileges granted"
if module.check_mode: if module.check_mode:
return {'changed': True, 'msg': msg, 'password_changed': password_changed} return {'changed': True, 'msg': msg, 'password_changed': password_changed}
privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role) privileges_grant(cursor, user, host, db_table, priv, tls_requires)
changed = True changed = True
# If the db.table specification exists in both the user's current privileges # If the db.table specification exists in both the user's current privileges
@ -398,12 +398,12 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if module.check_mode: if module.check_mode:
return {'changed': True, 'msg': msg, 'password_changed': password_changed} return {'changed': True, 'msg': msg, 'password_changed': password_changed}
if len(revoke_privs) > 0: if len(revoke_privs) > 0:
privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option, maria_role) privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option)
if len(grant_privs) > 0: if len(grant_privs) > 0:
privileges_grant(cursor, user, host, db_table, grant_privs, tls_requires, maria_role) privileges_grant(cursor, user, host, db_table, grant_privs, tls_requires)
# after privilege manipulation, compare privileges from before and now # after privilege manipulation, compare privileges from before and now
after_priv = privileges_get(module, cursor, user, host, maria_role, summarize_all=False) after_priv = privileges_get(module, cursor, user, host, summarize_all=False)
changed = changed or (curr_priv != after_priv) changed = changed or (curr_priv != after_priv)
if role: if role:
@ -462,7 +462,7 @@ def user_get_hostnames(cursor, user):
return hostnames return hostnames
def privileges_get(module, cursor, user, host, maria_role=False, summarize_all=False): def privileges_get(module, cursor, user, host, summarize_all=False):
""" MySQL doesn't have a better method of getting privileges aside from the """ MySQL doesn't have a better method of getting privileges aside from the
SHOW GRANTS query syntax, which requires us to then parse the returned string. SHOW GRANTS query syntax, which requires us to then parse the returned string.
Here's an example of the string that is returned from MySQL: Here's an example of the string that is returned from MySQL:
@ -473,10 +473,7 @@ def privileges_get(module, cursor, user, host, maria_role=False, summarize_all=F
The dictionary format is the same as that returned by privileges_unpack() below. The dictionary format is the same as that returned by privileges_unpack() below.
""" """
output = {} output = {}
if not maria_role: query = "SHOW GRANTS FOR '%s'@'%s'" % (user, host)
query = "SHOW GRANTS FOR '%s'@'%s'" % (user, host)
else:
query = "SHOW GRANTS FOR '%s'" % user
cursor.execute(query) cursor.execute(query)
grants = cursor.fetchall() grants = cursor.fetchall()
@ -516,10 +513,10 @@ def privileges_get(module, cursor, user, host, maria_role=False, summarize_all=F
if isinstance(grant, dict): if isinstance(grant, dict):
grant = list(grant.values()) grant = list(grant.values())
if not maria_role: if get_server_type(cursor) == 'mariadb':
res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0]) res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0])
else: else:
res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3""", grant[0]) res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3 ?(.*)""", grant[0])
if res is None: if res is None:
# If a user has roles assigned, we'll have one of priv tuples looking like # If a user has roles assigned, we'll have one of priv tuples looking like
@ -528,7 +525,7 @@ def privileges_get(module, cursor, user, host, maria_role=False, summarize_all=F
# As we use the mysql_role module to manipulate roles # As we use the mysql_role module to manipulate roles
# we just ignore such privs below: # we just ignore such privs below:
res = re.match("""GRANT (.+) TO (['`"]).*""", grant[0]) res = re.match("""GRANT (.+) TO (['`"]).*""", grant[0])
if not maria_role and res: if res:
continue continue
raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0]) raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0])
@ -548,9 +545,12 @@ def privileges_get(module, cursor, user, host, maria_role=False, summarize_all=F
if summarize_all and sorted(privileges) in sorted(mysql8_all_privileges.values()): if summarize_all and sorted(privileges) in sorted(mysql8_all_privileges.values()):
privileges = ['ALL'] privileges = ['ALL']
if not maria_role: if get_server_type(cursor) == 'mariadb':
if "WITH GRANT OPTION" in res.group(7): if "WITH GRANT OPTION" in res.group(7):
privileges.append('GRANT') privileges.append('GRANT')
else:
if "WITH GRANT OPTION" in res.group(4):
privileges.append('GRANT')
output.setdefault(db, []).extend(privileges) output.setdefault(db, []).extend(privileges)
@ -729,48 +729,33 @@ def privileges_unpack(priv, mode, ensure_usage=True):
return output return output
def privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role=False): def privileges_revoke(cursor, user, host, db_table, priv, grant_option):
# Escape '%' since mysql db.execute() uses a format string # Escape '%' since mysql db.execute() uses a format string
db_table = db_table.replace('%', '%%') db_table = db_table.replace('%', '%%')
if grant_option: if grant_option:
query = ["REVOKE GRANT OPTION ON %s" % db_table] query = ["REVOKE GRANT OPTION ON %s" % db_table]
if not maria_role: query.append("FROM %s@%s")
query.append("FROM %s@%s")
else:
query.append("FROM %s")
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, (user, host)) cursor.execute(query, (user, host))
priv_string = ",".join([p for p in priv if p not in ('GRANT', )]) priv_string = ",".join([p for p in priv if p not in ('GRANT', )])
if priv_string != "": if priv_string != "":
query = ["REVOKE %s ON %s" % (priv_string, db_table)] query = ["REVOKE %s ON %s" % (priv_string, db_table)]
query.append("FROM %s@%s")
if not maria_role:
query.append("FROM %s@%s")
params = (user, host)
else:
query.append("FROM %s")
params = (user,)
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, params) cursor.execute(query, (user, host))
cursor.execute("FLUSH PRIVILEGES") cursor.execute("FLUSH PRIVILEGES")
def privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role=False): def privileges_grant(cursor, user, host, db_table, priv, tls_requires):
# Escape '%' since mysql db.execute uses a format string and the # Escape '%' since mysql db.execute uses a format string and the
# specification of db and table often use a % (SQL wildcard) # specification of db and table often use a % (SQL wildcard)
db_table = db_table.replace('%', '%%') db_table = db_table.replace('%', '%%')
priv_string = ",".join([p for p in priv if p not in ('GRANT', )]) priv_string = ",".join([p for p in priv if p not in ('GRANT', )])
query = ["GRANT %s ON %s" % (priv_string, db_table)] query = ["GRANT %s ON %s" % (priv_string, db_table)]
if not maria_role: query.append("TO %s@%s")
query.append("TO %s@%s") params = (user, host)
params = (user, host)
else:
query.append("TO %s")
params = (user)
if tls_requires and impl.use_old_user_mgmt(cursor): if tls_requires and impl.use_old_user_mgmt(cursor):
query, params = mogrify_requires(" ".join(query), params, tls_requires) query, params = mogrify_requires(" ".join(query), params, tls_requires)

2
plugins/modules/mysql_info.py
View file

@ -566,7 +566,7 @@ class MySQL_Info(object):
user = line['User'] user = line['User']
host = line['Host'] host = line['Host']
user_priv = privileges_get(self.module, self.cursor, user, host, maria_role=False, summarize_all=True) user_priv = privileges_get(self.module, self.cursor, user, host, summarize_all=True)
if not user_priv: if not user_priv:
self.module.warn("No privileges found for %s on host %s" % (user, host)) self.module.warn("No privileges found for %s on host %s" % (user, host))

5
plugins/modules/mysql_role.py
View file

@ -776,8 +776,7 @@ class Role():
if privs: if privs:
for db_table, priv in iteritems(privs): for db_table, priv in iteritems(privs):
privileges_grant(self.cursor, self.name, self.host, privileges_grant(self.cursor, self.name, self.host,
db_table, priv, tls_requires=None, db_table, priv, tls_requires=None)
maria_role=self.is_mariadb)
return True return True
@ -919,7 +918,7 @@ class Role():
result = user_mod(self.cursor, self.name, self.host, result = user_mod(self.cursor, self.name, self.host,
None, None, None, None, None, None, None, None, None, None, None, None,
privs, append_privs, subtract_privs, None, privs, append_privs, subtract_privs, None,
self.module, role=True, maria_role=self.is_mariadb) self.module, role=True)
changed = result['changed'] changed = result['changed']
if admin: if admin: