From 6eedc4d0759a63a3bdc79ec0451e0c48ac97af2b Mon Sep 17 00:00:00 2001 From: aperrin66 <33750187+aperrin66@users.noreply.github.com> Date: Tue, 9 Apr 2019 19:28:32 +0200 Subject: [PATCH] Add grants to influxdb_user (#46216) * add grants management for module influxdb_user * influxdb_user : add documentation for the "grants" argument --- .../database/influxdb/influxdb_user.py | 86 ++++++++++++++++--- 1 file changed, 75 insertions(+), 11 deletions(-) diff --git a/lib/ansible/modules/database/influxdb/influxdb_user.py b/lib/ansible/modules/database/influxdb/influxdb_user.py index 3ca201a5d4..d8f8f67601 100644 --- a/lib/ansible/modules/database/influxdb/influxdb_user.py +++ b/lib/ansible/modules/database/influxdb/influxdb_user.py @@ -43,6 +43,14 @@ options: - State of the user. choices: [ present, absent ] default: present + grants: + description: + - Privileges to grant to this user. Takes a list of dicts containing the + "database" and "privilege" keys. + - If this argument is not provided, the current grants will be left alone. + If an empty list is provided, all grants for the user will be removed. + default: None + version_added: 2.8 extends_documentation_fragment: influxdb ''' @@ -68,6 +76,18 @@ EXAMPLES = ''' login_username: "{{ influxdb_username }}" login_password: "{{ influxdb_password }}" +- name: Create a user on localhost with privileges + influxdb_user: + user_name: john + user_password: s3cr3t + login_username: "{{ influxdb_username }}" + login_password: "{{ influxdb_password }}" + grants: + - database: 'collectd' + privilege: 'WRITE' + - database: 'graphite' + privilege: 'READ' + - name: Destroy a user using custom login credentials influxdb_user: user_name: john @@ -82,6 +102,7 @@ RETURN = ''' import ansible.module_utils.urls from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_native import ansible.module_utils.influxdb as influx @@ -95,7 +116,7 @@ def find_user(module, client, user_name): user_result = user break except (ansible.module_utils.urls.ConnectionError, influx.exceptions.InfluxDBClientError) as e: - module.fail_json(msg=str(e)) + module.fail_json(msg=to_native(e)) return user_result @@ -107,7 +128,7 @@ def check_user_password(module, client, user_name, user_password): if e.code == 401: return False except ansible.module_utils.urls.ConnectionError as e: - module.fail_json(msg=str(e)) + module.fail_json(msg=to_native(e)) finally: # restore previous user client.switch_user(module.params['username'], module.params['password']) @@ -119,7 +140,7 @@ def set_user_password(module, client, user_name, user_password): try: client.set_user_password(user_name, user_password) except ansible.module_utils.urls.ConnectionError as e: - module.fail_json(msg=str(e)) + module.fail_json(msg=to_native(e)) def create_user(module, client, user_name, user_password, admin): @@ -127,9 +148,7 @@ def create_user(module, client, user_name, user_password, admin): try: client.create_user(user_name, user_password, admin) except ansible.module_utils.urls.ConnectionError as e: - module.fail_json(msg=str(e)) - - module.exit_json(changed=True) + module.fail_json(msg=to_native(e)) def drop_user(module, client, user_name): @@ -142,13 +161,51 @@ def drop_user(module, client, user_name): module.exit_json(changed=True) +def set_user_grants(module, client, user_name, grants): + changed = False + + try: + current_grants = client.get_list_privileges(user_name) + # Fix privileges wording + for i, v in enumerate(current_grants): + if v['privilege'] == 'ALL PRIVILEGES': + v['privilege'] = 'ALL' + current_grants[i] = v + elif v['privilege'] == 'NO PRIVILEGES': + del(current_grants[i]) + + # check if the current grants are included in the desired ones + for current_grant in current_grants: + if current_grant not in grants: + if not module.check_mode: + client.revoke_privilege(current_grant['privilege'], + current_grant['database'], + user_name) + changed = True + + # check if the desired grants are included in the current ones + for grant in grants: + if grant not in current_grants: + if not module.check_mode: + client.grant_privilege(grant['privilege'], + grant['database'], + user_name) + changed = True + + except influx.exceptions.InfluxDBClientError as e: + module.fail_json(msg=e.content) + + return changed + + def main(): argument_spec = influx.InfluxDb.influxdb_argument_spec() argument_spec.update( state=dict(default='present', type='str', choices=['present', 'absent']), user_name=dict(required=True, type='str'), user_password=dict(required=False, type='str', no_log=True), - admin=dict(default='False', type='bool') + admin=dict(default='False', type='bool'), + grants=dict(type='list') ) module = AnsibleModule( argument_spec=argument_spec, @@ -159,14 +216,15 @@ def main(): user_name = module.params['user_name'] user_password = module.params['user_password'] admin = module.params['admin'] + grants = module.params['grants'] influxdb = influx.InfluxDb(module) client = influxdb.connect_to_influxdb() user = find_user(module, client, user_name) + changed = False + if state == 'present': if user: - changed = False - if not check_user_password(module, client, user_name, user_password) and user_password is not None: set_user_password(module, client, user_name, user_password) changed = True @@ -179,12 +237,18 @@ def main(): client.revoke_admin_privileges(user_name) changed = True except influx.exceptions.InfluxDBClientError as e: - module.fail_json(msg=str(e)) + module.fail_json(msg=to_native(e)) - module.exit_json(changed=changed) else: user_password = user_password or '' create_user(module, client, user_name, user_password, admin) + changed = True + + if grants is not None: + if set_user_grants(module, client, user_name, grants): + changed = True + + module.exit_json(changed=changed) if state == 'absent': if user: