mirror of
https://github.com/ansible-collections/community.mysql.git
synced 2025-04-19 17:01:26 -07:00
mysql_user, mysql_role: add argument subtract_privs to revoke privileges explicitly (#333)
* add option subtract_privs to mysql_role and mysql_user see https://github.com/ansible-collections/community.mysql/issues/331 * add integration tests for subtract_privs for mysql_role and mysql_user * add changelog fragment for PR #333 * mysql_role, mysql_user: when subtract_privileges, don't grant unwanted privileges and don't revoke USAGE implicitly * fix integration tests * mysql_role, mysql_user: invalid privileges are ignored when subtract_privs is true -> document that and fix integration tests * fix mysql_role integration tests * fix mysql_role, mysql_user integration tests * formatting make the PEP8 check happy * mysql_user and mysql_role: fix granting privileges when only the GRANT OPTION needs to be added * mysql_user and mysql_role: log some updated privileges; explain integration test blind spot * mysql_user and mysql_role: don't grant too much privileges If only the grant option needs to be granted, at least one privilege needs to be granted to get valid syntax. USAGE is better for that than the existing privileges, because unwanted privileges would be re-added after revokation. * mysql_user and mysql_role: fix type error * Update changelogs/fragments/333-mysql_user-mysql_role-add-subtract_privileges-argument.yml Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Update plugins/modules/mysql_role.py Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Update plugins/modules/mysql_user.py Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> Co-authored-by: Felix Hamme <felix.hamme@ionos.com> Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
This commit is contained in:
betanummeric
GitHub
parent
1dcc5ec086
commit
ba4fea67b1
10 changed files with 459 additions and 42 deletions
|
|
@ -169,7 +169,7 @@ def is_hash(password):
|
|||
|
||||
def user_mod(cursor, user, host, host_all, password, encrypted,
|
||||
plugin, plugin_hash_string, plugin_auth_string, new_priv,
|
||||
append_privs, tls_requires, module, role=False, maria_role=False):
|
||||
append_privs, subtract_privs, tls_requires, module, role=False, maria_role=False):
|
||||
changed = False
|
||||
msg = "User unchanged"
|
||||
grant_option = False
|
||||
|
|
@ -288,47 +288,61 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
|
|||
|
||||
# If the user has privileges on a db.table that doesn't appear at all in
|
||||
# the new specification, then revoke all privileges on it.
|
||||
for db_table, priv in iteritems(curr_priv):
|
||||
# If the user has the GRANT OPTION on a db.table, revoke it first.
|
||||
if "GRANT" in priv:
|
||||
grant_option = True
|
||||
if db_table not in new_priv:
|
||||
if user != "root" and "PROXY" not in priv and not append_privs:
|
||||
msg = "Privileges updated"
|
||||
if module.check_mode:
|
||||
return (True, msg)
|
||||
privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role)
|
||||
changed = True
|
||||
if not append_privs and not subtract_privs:
|
||||
for db_table, priv in iteritems(curr_priv):
|
||||
# If the user has the GRANT OPTION on a db.table, revoke it first.
|
||||
if "GRANT" in priv:
|
||||
grant_option = True
|
||||
if db_table not in new_priv:
|
||||
if user != "root" and "PROXY" not in priv:
|
||||
msg = "Privileges updated"
|
||||
if module.check_mode:
|
||||
return (True, msg)
|
||||
privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_role)
|
||||
changed = True
|
||||
|
||||
# If the user doesn't currently have any privileges on a db.table, then
|
||||
# we can perform a straight grant operation.
|
||||
for db_table, priv in iteritems(new_priv):
|
||||
if db_table not in curr_priv:
|
||||
msg = "New privileges granted"
|
||||
if module.check_mode:
|
||||
return (True, msg)
|
||||
privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role)
|
||||
changed = True
|
||||
if not subtract_privs:
|
||||
for db_table, priv in iteritems(new_priv):
|
||||
if db_table not in curr_priv:
|
||||
msg = "New privileges granted"
|
||||
if module.check_mode:
|
||||
return (True, msg)
|
||||
privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_role)
|
||||
changed = True
|
||||
|
||||
# If the db.table specification exists in both the user's current privileges
|
||||
# and in the new privileges, then we need to see if there's a difference.
|
||||
db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys())
|
||||
for db_table in db_table_intersect:
|
||||
|
||||
# If appending privileges, only the set difference between new privileges and current privileges matter.
|
||||
# The symmetric difference isn't relevant for append because existing privileges will not be revoked.
|
||||
grant_privs = []
|
||||
revoke_privs = []
|
||||
if append_privs:
|
||||
priv_diff = set(new_priv[db_table]) - set(curr_priv[db_table])
|
||||
# When appending privileges, only missing privileges need to be granted. Nothing is revoked.
|
||||
grant_privs = list(set(new_priv[db_table]) - set(curr_priv[db_table]))
|
||||
elif subtract_privs:
|
||||
# When subtracting privileges, revoke only the intersection of requested and current privileges.
|
||||
# No privileges are granted.
|
||||
revoke_privs = list(set(new_priv[db_table]) & set(curr_priv[db_table]))
|
||||
else:
|
||||
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
||||
# When replacing (neither append_privs nor subtract_privs), grant all missing privileges
|
||||
# and revoke existing privileges that were not requested.
|
||||
grant_privs = list(set(new_priv[db_table]) - set(curr_priv[db_table]))
|
||||
revoke_privs = list(set(curr_priv[db_table]) - set(new_priv[db_table]))
|
||||
if grant_privs == ['GRANT']:
|
||||
# USAGE grants no privileges, it is only needed because 'WITH GRANT OPTION' cannot stand alone
|
||||
grant_privs.append('USAGE')
|
||||
|
||||
if len(priv_diff) > 0:
|
||||
msg = "Privileges updated"
|
||||
if len(grant_privs) + len(revoke_privs) > 0:
|
||||
msg = "Privileges updated: granted %s, revoked %s" % (grant_privs, revoke_privs)
|
||||
if module.check_mode:
|
||||
return (True, msg)
|
||||
if not append_privs:
|
||||
privileges_revoke(cursor, user, host, db_table, curr_priv[db_table], grant_option, maria_role)
|
||||
privileges_grant(cursor, user, host, db_table, new_priv[db_table], tls_requires, maria_role)
|
||||
if len(revoke_privs) > 0:
|
||||
privileges_revoke(cursor, user, host, db_table, revoke_privs, grant_option, maria_role)
|
||||
if len(grant_privs) > 0:
|
||||
privileges_grant(cursor, user, host, db_table, grant_privs, tls_requires, maria_role)
|
||||
changed = True
|
||||
|
||||
if role:
|
||||
|
|
@ -549,7 +563,7 @@ def sort_column_order(statement):
|
|||
return '%s(%s)' % (priv_name, ', '.join(columns))
|
||||
|
||||
|
||||
def privileges_unpack(priv, mode):
|
||||
def privileges_unpack(priv, mode, ensure_usage=True):
|
||||
""" Take a privileges string, typically passed as a parameter, and unserialize
|
||||
it into a dictionary, the same format as privileges_get() above. We have this
|
||||
custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
|
||||
|
|
@ -595,7 +609,7 @@ def privileges_unpack(priv, mode):
|
|||
# Handle cases when there's privs like GRANT SELECT (colA, ...) in privs.
|
||||
output[pieces[0]] = normalize_col_grants(output[pieces[0]])
|
||||
|
||||
if '*.*' not in output:
|
||||
if ensure_usage and '*.*' not in output:
|
||||
output['*.*'] = ['USAGE']
|
||||
|
||||
return output
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue