ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-04-09 20:20:32 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
community.mysql/tests/integration/targets/test_mysql_user/tasks/test_privs.yml

266 lines
9.1 KiB
YAML
Raw Blame History

---
# test code for privileges for mysql_user module
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: Privs | Create user with basic select privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:SELECT'
state: present
when: current_append_privs == "yes"
- include: utils/assert_user.yml user_name={{ user_name_2 }} user_host=% priv='SELECT'
when: current_append_privs == "yes"
- name: Privs | Create user with current privileges (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:{{ current_privilege }}'
append_privs: '{{ current_append_privs }}'
state: present
register: result
- name: Privs | Assert output message for current privileges
assert:
that:
- result is changed
- name: Privs | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'%'\""
register: result
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "no"
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT SELECT, {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "yes"
- name: Privs | Create database using user current privileges
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: '{{ db_name }}'
state: present
ignore_errors: true
- name: Privs | Run command to test that database was not created
command: "{{ mysql_command }} -e \"show databases like '{{ db_name }}'\""
register: result
- name: Privs | Assert database was not created
assert:
that:
- db_name not in result.stdout
# ============================================================
- name: Privs | Add privs to a specific table (expect changed)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Privs | Add privs to a specific table (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
# ============================================================
- name: Privs | Grant ALL to user {{ user_name_2 }}
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:ALL'
state: present
# - include: utils/assert_user.yml user_name={{user_name_2}} user_host=% priv='ALL PRIVILEGES'
- name: Privs | Create database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: '{{ db_name }}'
state: present
- name: Privs | Run command to test database was created using user new privileges
command: "{{ mysql_command }} -e \"SHOW CREATE DATABASE {{ db_name }}\""
- name: Privs | Drop database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: '{{ db_name }}'
state: absent
# ============================================================
- name: Privs | Update user with a long privileges list (mysql has a special multiline grant output)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
register: result
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Privs | Test idempotency with a long privileges list (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
register: result
# FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because
# the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
when:
# TODO remove this when stable-2 role append priv is fixed
- (db_engine == 'mysql' and db_version is version('5.7', '<=')
or db_engine == 'mariadb' and db_version is version('10.4', '<='))
- include: utils/remove_user.yml user_name="{{ user_name_2 }}"
# ============================================================
- name: Privs | Grant all privileges with grant option
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
priv: '*.*:ALL,GRANT'
state: present
register: result
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Privs | Assert that 'GRANT' permission is present
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
# Disabled because on stable-2 this is always changed
# - name: Privs | Test idempotency (expect ok)
# mysql_user:
# <<: *mysql_params
# name: '{{ user_name_2 }}'
# password: '{{ user_password_2 }}'
# priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
# state: present
# register: result
# # FIXME: on mysql >=8 there's always a change (ALL PRIVILEGES -> specific privileges)
# - name: Privs | Assert that priv did not change
# assert:
# that:
# - result is not changed
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Privs | Assert that 'GRANT' permission is present (by host)
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
# ============================================================
- name: Privs | Update user with invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
priv: '*.*:INVALID'
state: present
register: result
ignore_errors: yes
- name: Privs | Assert that priv did not change
assert:
that:
- result is failed
- include: utils/remove_user.yml user_name="{{ user_name_2 }}"
Reference in a new issue View git blame Copy permalink