a-c-m
/
community.general
mirror of https://github.com/ansible-collections/community.general.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed mysql_user idempotency for long privilege lists. (Fixes ansible/#68044) (#58)

pull/88/head
Florian Apolloner 2020-04-01 17:31:53 +02:00 committed by GitHub
parent d921968504
commit 8d203225d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changelogs/fragments/mysql_user_idempotency.yml Normal file
View File

@ -0,0 +1,2 @@
bugfixes:
- "mysql_user - Fix idempotence when long grant lists are used (https://github.com/ansible/ansible/issues/68044)"

6
plugins/modules/database/mysql/mysql_user.py
View File

@ -561,14 +561,14 @@ def privileges_get(cursor, user, host):
res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0]) res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0])
if res is None: if res is None:
raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0]) raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0])
privileges = res.group(1).split(", ") privileges = res.group(1).split(",")
privileges = [pick(x) for x in privileges] privileges = [pick(x.strip()) for x in privileges]
if "WITH GRANT OPTION" in res.group(7): if "WITH GRANT OPTION" in res.group(7):
privileges.append('GRANT') privileges.append('GRANT')
if "REQUIRE SSL" in res.group(7): if "REQUIRE SSL" in res.group(7):
privileges.append('REQUIRESSL') privileges.append('REQUIRESSL')
db = res.group(2) db = res.group(2)
output[db] = privileges output.setdefault(db, []).extend(privileges)
return output return output

39
tests/integration/targets/mysql_user/tasks/test_privs.yml
View File

@ -28,7 +28,7 @@
- include: assert_user.yml user_name={{user_name_2}} priv='SELECT' - include: assert_user.yml user_name={{user_name_2}} priv='SELECT'
when: current_append_privs == "yes" when: current_append_privs == "yes"
- name: create user with current privileges (expect changed=true) - name: create user with current privileges (expect changed=true)
mysql_user: mysql_user:
name: '{{ user_name_2 }}' name: '{{ user_name_2 }}'
@ -39,18 +39,18 @@
login_unix_socket: '{{ mysql_socket }}' login_unix_socket: '{{ mysql_socket }}'
register: result register: result
- name: assert output message for current privileges - name: assert output message for current privileges
assert: { that: "result.changed == true" } assert: { that: "result.changed == true" }
- name: run command to show privileges for user (expect privileges in stdout) - name: run command to show privileges for user (expect privileges in stdout)
command: mysql "-e SHOW GRANTS FOR '{{user_name_2}}'@'localhost';" command: mysql "-e SHOW GRANTS FOR '{{user_name_2}}'@'localhost';"
register: result register: result
- name: assert user has correct privileges - name: assert user has correct privileges
assert: { that: "'GRANT {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" } assert: { that: "'GRANT {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" }
when: current_append_privs == "no" when: current_append_privs == "no"
- name: assert user has correct privileges - name: assert user has correct privileges
assert: { that: "'GRANT SELECT, {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" } assert: { that: "'GRANT SELECT, {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" }
when: current_append_privs == "yes" when: current_append_privs == "yes"
@ -60,7 +60,7 @@
state: present state: present
login_user: '{{ user_name_2 }}' login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}' login_password: '{{ user_password_2 }}'
ignore_errors: true ignore_errors: true
- name: run command to test that database was not created - name: run command to test that database was not created
command: mysql "-e show databases like '{{ db_name }}';" command: mysql "-e show databases like '{{ db_name }}';"
@ -95,7 +95,7 @@
assert: { that: "result.changed == false" } assert: { that: "result.changed == false" }
# ============================================================ # ============================================================
- name: update user with all privileges - name: update user with all privileges
mysql_user: mysql_user:
name: '{{ user_name_2 }}' name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}' password: '{{ user_password_2 }}'
@ -113,7 +113,7 @@
login_password: '{{ user_password_2 }}' login_password: '{{ user_password_2 }}'
- name: run command to test database was created using user new privileges - name: run command to test database was created using user new privileges
command: mysql "-e SHOW CREATE DATABASE {{ db_name }};" command: mysql "-e SHOW CREATE DATABASE {{ db_name }};"
- name: drop database using user - name: drop database using user
mysql_db: mysql_db:
@ -122,6 +122,31 @@
login_user: '{{ user_name_2 }}' login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}' login_password: '{{ user_password_2 }}'
# ============================================================
- name: update user with a long privileges list (mysql has a special multiline grant output)
mysql_user:
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
login_unix_socket: '{{ mysql_socket }}'
register: result
- name: Assert that priv changed
assert: { that: "result.changed == true" }
- name: Test idempotency (expect ok)
mysql_user:
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
login_unix_socket: '{{ mysql_socket }}'
register: result
- name: Assert that priv did not change
assert: { that: "result.changed == false" }
- name: remove username - name: remove username
mysql_user: mysql_user:
name: '{{ user_name_2 }}' name: '{{ user_name_2 }}'