login_password should not be logged, so mark it as 'no_log'
the others arguments are path to file, and so should be type='path',
which permit to remove the line handling '~' and shell variables.
Fixes require ssl in combination with grant option
Refactoring: code cleanup to make it easier to understand
Code rewritten inspired by @willthames
Added WITH GRANT OPTION as exception; when only REQUIRESSL and/or GRANT are specified we have to add USAGE
added mysql 5.7 user password modification support with backwards compatibility
resolved mysql server version check and differences in user authentication management
explicitly state support for mysql_native_password type and no others. fixed some failing logic and updated samples
updated comment to actually match logic.
simplified conditionals and a little refactor
This patch properly fixes bug 1226 without introducing a breaking
change to idempotency which was introduced in PR #1358
We can properly assign permissions to databases with a '.' in the name
of the database as well as assign priviliges to all databases as
specified with '*'
While this change doesn't break the creation, it does break
idempotency. This change will convert '*.*' to '`*`.*' which is
functionally the same, however when the user_mod() function looks up
the current privileges with privileges_get() it will read '*.*'
Since '*.*' != '`*`.*' it will go through the process of updating the
privleges always resulting in a 'changed' result.
This reverts commit db9ab9b2629f00350a743a4eca72fb5ee8dc8c77.
Docs imply the mysql_variables is used to operate a single variable therefore
- fail before making any db connections if variable is not set
- validate chars for mysql variable name with re.match(^[a-z0-9_]+)
- use "SHOW VARIABLE WHERE Variable_name" instead of LIKE search
- getvariable() returns only the value or None if variable is not found
- the module returns only the found variable value instead of tuple for easier operation eg. as registere variable in tasks
- Modified data type for port definition from string to integer
- Modified login_host default value for compatibilize with port definition according with MySQL Documentation (https://dev.mysql.com/doc/refman/5.0/en/connecting.html)
ALL TABLES is considered to include views, so we must check for reltypes
'r' and 'v', not just 'r'. This bug was introduced due to using a
custom, backwards-compatible version of "ALL TABLES IN SCHEMA".
* If a db user belonged to a role which had a privilege, the user would
not have the privilege added as the role gave the appearance that the
user already had it. Fixed to always check the privileges specific to
the user.
* Make fewer db queries to determine if privileges need to be changed
and change them (was four for each privilege. Now two for each object
that has a set of privileges changed).
Use `has_table_privileges` and `has_database_privileges`
to test whether a user already has a privilege before
granting it, or whether a user doesn't have a privilege
before revoking it.
This prevents errors when the login_user does not have 'ALL'
permissions, and the 'priv' value contains fewer permissions than are
held by an existing user. This is particularly an issue when using an
Amazon Web Services RDS instance, as there is no (accessible) user with
'ALL' permissions on *.*.
Remove `USAGE` from the `VALID_PRIVS` dict for both database and
table because it is not a valid privilege for either (and
breaks the implementation of `has_table_privilege` and
`has_database_privilege`
See http://www.postgresql.org/docs/9.0/static/sql-grant.html
For read-only databases, users should not change when no changes
are required.
Don't issue ALTER ROLE when role attribute flags, users password
or expiry time is not changing.
In certain cases (hashed passwords in the DB, but the password
argument is not hashed) passlib.hash is required to avoid
running ALTER ROLE.
The default value set by the module was a value of None for the
config_file parameter, which propogates into the connect method
call overriding the stated default in the method.
Instead, the default should be set with-in the parameter
specification so the file check is not requested to check None.
Some places ([AWS RDS](https://forums.aws.amazon.com/thread.jspa?threadID=151248)) don't have, or don't allow, access to the `pg_authid` table. The only reason that is necessary is to check for a password change.
This flag is a workaround so passwords can only be set at creation time. It isn't as elegant as changing the password down the line, but it fixes the longstanding issue #297 that prevented this from being useful on AWS RDS.
Ports are integer values but the old code was assuming they were
strings. When login_port is put into playbook complex_args as an
integer the code would fail. This update should make the argument
validating make sure we have an integer and then we can send that value
directly to the relevant APIs.
Fixes#818
Michael Scherer
Tom Paine
Matt Clay
Kenny Gryp
Tobias Wolf
Matt Martz
Toshio Kuratomi
Lee H
Mark van Driel
Jonathan Mainguy
KIKUCHI Koichiro
Josh Rendek
Lee Hardy
Derek Smith
trevoro
Mark Theunissen
Jonathan Mainguy
wtanaka.com
Greg DeKoenigsberg
Brian Coca
Sam Yaple
Guilherme Carlos
Will Thames
Jesse Sandberg
sysadmin75
acaveroc
ToBeReplaced
Bryan Fleming
Sergei Antipov
Louis-Michel Couture
Dennis Rowe
Johann Schmitz
Robin Miller
fdupoux
Julia Kreger
Sven Schliesing
tedder
Solomon Gifford
David Hummel
Johannes Steger
Bruce Pennypacker
Michael J. Schultz
kustodian
Petros Moisiadis
Andrew Shults
Dan
Devin Christensen
Michael DeHaan
Michael DeHaan