From bf79c20f6d3238b2a20ea2f98199420919e319ee Mon Sep 17 00:00:00 2001
From: Hubertus Krogmann
Date: Fri, 9 Sep 2022 14:07:53 +0200
Subject: [PATCH] add an option to use a specific service with pam plugin
---
plugins/module_utils/user.py | 12 ++++++++++--
plugins/modules/mysql_user.py | 22 +++++++++++++++-------
2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index 7def8c7..cade272 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -133,7 +133,7 @@ def get_existing_authentication(cursor, user):
def user_add(cursor, user, host, host_all, password, encrypted,
- plugin, plugin_hash_string, plugin_auth_string, new_priv,
+ plugin, plugin_hash_string, plugin_auth_string, plugin_auth_service_string, new_priv,
tls_requires, check_mode, reuse_existing_password):
# we cannot create users without a proper hostname
if host_all:
@@ -169,8 +169,12 @@ def user_add(cursor, user, host, host_all, password, encrypted,
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password)
elif plugin and plugin_hash_string:
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
+ elif plugin and plugin_auth_string and plugin_auth_service_string:
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s USING %s", (user, host, plugin, plugin_auth_string, plugin_auth_service_string)
elif plugin and plugin_auth_string:
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
+ elif plugin and plugin_auth_service_string:
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_service_string)
elif plugin:
query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
else:
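Review bot: The new `elif plugin and plugin_auth_string and plugin_auth_service_string` branch sits below `elif plugin and plugin_hash_string`, so a call that passes `plugin_hash_string` together with `plugin_auth_service_string` takes the `AS %s` branch and the service string is dropped without any message; the same ordering is repeated in the `user_mod` hunk (`@@ -304`). If that combination is meant to be unsupported, reject it where the option is declared in mysql_user.py, e.g. `mutually_exclusive=[['plugin_hash_string', 'plugin_auth_service_string']]` on the AnsibleModule call, rather than letting the task silently produce a user with a different authentication setup than requested. The service name is carried as a bound parameter through a `%s` placeholder rather than spliced into the statement text, which keeps the new branches consistent with the existing ones. `user_add` continues past the `else:` that closes this hunk.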
@@ -196,7 +200,7 @@ def is_hash(password):
def user_mod(cursor, user, host, host_all, password, encrypted,
- plugin, plugin_hash_string, plugin_auth_string, new_priv,
+ plugin, plugin_hash_string, plugin_auth_string, plugin_auth_service_string, new_priv,
append_privs, subtract_privs, tls_requires, module, role=False, maria_role=False):
changed = False
msg = "User unchanged"
@@ -304,8 +308,12 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
if update:
if plugin_hash_string:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
+ elif plugin_auth_string and plugin_auth_service_string:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s USING %s", (user, host, plugin, plugin_auth_string, plugin_auth_service_string)
elif plugin_auth_string:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
+ elif plugin_auth_service_string:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_service_string)
else:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index 849aa8d..a44bfad 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@@ -23,7 +23,7 @@ options:
password:
description:
- Set the user's password. Only for C(mysql_native_password) authentication.
- For other authentication plugins see the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string).
+ For other authentication plugins see the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string), I(plugin_auth_service_string).
type: str
encrypted:
description:
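Review bot: The two new `USING %s` branches in `user_mod` only execute once `update` is already true, and nothing in this hunk adds `plugin_auth_service_string` to whatever sets `update` (that code is above the hunk, outside the diff); if `update` is still derived only from the stored plugin and `authentication_string` compared against `plugin_hash_string`/`plugin_auth_string`, a task that changes nothing but the service name of an existing user comes back as "User unchanged" and the `ALTER USER` never runs. The comparison that sets `update` should take the service string into account, and the module's integration tests need a case that changes only the service name and expects `changed: true`. The ALTER statements themselves keep every value as a bound parameter, matching the existing branches. `user_mod` starts before this hunk and continues after it.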
@@ -116,12 +116,12 @@ options: default: no update_password: description: - - C(always) will update passwords if they differ. This affects I(password) and the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string). - - C(on_create) will only set the password or the combination of plugin, plugin_hash_string, plugin_auth_string for newly created users. + - C(always) will update passwords if they differ. This affects I(password) and the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string), I(plugin_auth_service_string). + - C(on_create) will only set the password or the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string), I(plugin_auth_service_string) for newly created users. - "C(on_new_username) works like C(on_create), but it tries to reuse an existing password: If one different user with the same username exists, or multiple different users with the same username and equal C(plugin) and C(authentication_string) attribute, the existing C(plugin) and C(authentication_string) are used for the - new user instead of the I(password), I(plugin), I(plugin_hash_string) or I(plugin_auth_string) argument." + new user instead of the I(password), I(plugin), I(plugin_hash_string) or I(plugin_auth_string), I(plugin_auth_service_string) argument." type: str choices: [ always, on_create, on_new_username ] default: always 
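Review bot: The rewritten tail of the `on_new_username` sentence now reads `I(plugin_hash_string) or I(plugin_auth_string), I(plugin_auth_service_string) argument`, which misplaces the conjunction and leaves the noun singular; it should read `I(plugin_hash_string), I(plugin_auth_string) or I(plugin_auth_service_string) arguments`. That line is the last line of a multi-line YAML string whose earlier lines are context above it in this hunk, so only the quoted tail needs to change.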
@@ -140,6 +140,12 @@ options:
- User's plugin auth_string (``CREATE USER user IDENTIFIED WITH plugin BY plugin_auth_string``).
type: str
version_added: '0.1.0'
+ plugin_auth_service_string:
+ description:
+ - User's plugin service_string e.g. pam/auth_pam (``CREATE USER user IDENTIFIED WITH plugin USING plugin_auth_service_string``)
+ - User's plugin service_string for plugins using auth_string and service_string (``CREATE USER user IDENTIFIED WITH plugin BY plugin_auth_string USING plugin_auth_service_string``)
+ type: str
+ version_added: '3.5.0'
resource_limits:
description:
- Limit the user for certain server resources. Provided since MySQL 5.6 / MariaDB 10.2.
@@ -382,6 +388,7 @@ def main():
plugin=dict(default=None, type='str'),
plugin_hash_string=dict(default=None, type='str'),
plugin_auth_string=dict(default=None, type='str'),
+ plugin_auth_service_string=dict(default=None, type='str'),
resource_limits=dict(type='dict'),
force_context=dict(type='bool', default=False),
)
@@ -417,6 +424,7 @@ def main():
plugin = module.params["plugin"]
plugin_hash_string = module.params["plugin_hash_string"]
plugin_auth_string = module.params["plugin_auth_string"]
+ plugin_auth_service_string = module.params["plugin_auth_service_string"]
resource_limits = module.params["resource_limits"]
if priv and not isinstance(priv, (str, dict)):
module.fail_json(msg="priv parameter must be str or dict but %s was passed" % type(priv))
@@ -460,12 +468,12 @@ def main():
try:
if update_password == "always":
result = user_mod(cursor, user, host, host_all, password, encrypted,
- plugin, plugin_hash_string, plugin_auth_string,
+ plugin, plugin_hash_string, plugin_auth_string, plugin_auth_service_string,
priv, append_privs, subtract_privs, tls_requires, module)
else:
result = user_mod(cursor, user, host, host_all, None, encrypted,
- None, None, None,
+ None, None, None, None,
priv, append_privs, subtract_privs, tls_requires, module)
changed = result['changed']
msg = result['msg']
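Review bot: The new option description does not say which server understands the `USING` clause; as far as I know `IDENTIFIED ... USING 'service'` is MariaDB grammar, while MySQL's PAM plugin takes its service name through the `AS` form that `plugin_hash_string` already produces, so a MySQL user following this text would get a syntax error from the server. Once that is confirmed against the servers the collection supports, I would add a line such as `- The USING clause is MariaDB syntax; for MySQL's authentication_pam pass the service name via I(plugin_hash_string).` and end both description bullets with a period like the neighbouring entries. The first bullet also drops `pam/auth_pam` without saying these are values for I(plugin), which is worth spelling out.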
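Review bot: `plugin_auth_service_string` is added to the argument_spec with no relation to `plugin`, yet every `user_add` branch that uses it is guarded by `plugin`, and the `user_mod` branches bind `plugin` into `IDENTIFIED WITH %s`, so a task that sets only the service string is accepted and, as far as the diff shows, the value is silently ignored. Declaring the dependency on the AnsibleModule call, `required_by={'plugin_auth_service_string': ['plugin']}`, turns that into an early validation failure instead of a user whose authentication differs from what the task asked for. The value is a PAM service name rather than a credential, so leaving `no_log` off this entry looks right. The argument_spec dict starts before this hunk.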
@@ -481,7 +489,7 @@ def main():
priv = None # avoid granting unwanted privileges
reuse_existing_password = update_password == 'on_new_username'
result = user_add(cursor, user, host, host_all, password, encrypted,
- plugin, plugin_hash_string, plugin_auth_string,
+ plugin, plugin_hash_string, plugin_auth_string, plugin_auth_service_string,
priv, tls_requires, module.check_mode, reuse_existing_password)
changed = result['changed']
password_changed = result['password_changed']