2012-07-11 18:00:55 -05:00
#!/usr/bin/python
# (c) 2012, Mark Theunissen <mark.theunissen@gmail.com>
# Sponsored by Four Kitchens http://fourkitchens.com.
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
2012-09-29 16:15:41 +02:00
DOCUMENTATION = '''
- - -
module : mysql_user
short_description : Adds or removes a user from a MySQL database .
description :
- Adds or removes a user from a MySQL database .
2013-11-27 21:23:03 -05:00
version_added : " 0.6 "
2012-09-29 16:15:41 +02:00
options :
name :
description :
- name of the user ( role ) to add or remove
required : true
password :
description :
- set the user ' s password
required : false
default : null
host :
description :
- the ' host ' part of the MySQL username
required : false
default : localhost
login_user :
description :
- The username used to authenticate with
required : false
default : null
login_password :
description :
2012-09-30 12:21:35 +02:00
- The password used to authenticate with
2012-09-29 16:15:41 +02:00
required : false
default : null
login_host :
description :
- Host running the database
required : false
default : localhost
2013-09-05 16:25:34 +01:00
login_port :
description :
- Port of the MySQL server
required : false
default : 3306
2013-10-11 09:14:00 -04:00
version_added : ' 1.4 '
2013-03-15 11:40:54 -04:00
login_unix_socket :
description :
- The path to a Unix domain socket for local connections
required : false
default : null
2012-09-29 16:15:41 +02:00
priv :
description :
2012-09-30 12:21:35 +02:00
- " MySQL privileges string in the format: C(db.table:priv1,priv2) "
2012-09-29 16:15:41 +02:00
required : false
default : null
2013-10-03 13:00:17 +02:00
append_privs :
description :
- Append the privileges defined by priv to the existing ones for this
user instead of overwriting existing ones .
required : false
choices : [ " yes " , " no " ]
default : " no "
version_added : " 1.4 "
2012-09-29 16:15:41 +02:00
state :
description :
2013-07-29 23:48:49 +02:00
- Whether the user should exist . When C ( absent ) , removes
the user .
2012-09-29 16:15:41 +02:00
required : false
default : present
choices : [ " present " , " absent " ]
2013-07-01 11:56:04 +01:00
check_implicit_admin :
description :
- Check if mysql allows login as root / nopassword before trying supplied credentials .
required : false
2015-05-18 16:33:46 -04:00
choices : [ " yes " , " no " ]
default : " no "
2013-07-20 12:33:42 -04:00
version_added : " 1.3 "
2015-02-20 12:30:27 -05:00
update_password :
required : false
default : always
choices : [ ' always ' , ' on_create ' ]
2015-03-31 15:31:54 -04:00
version_added : " 2.0 "
2015-02-20 12:30:27 -05:00
description :
- C ( always ) will update passwords if they differ . C ( on_create ) will only set the password for newly created users .
2014-09-30 09:08:32 +02:00
config_file :
description :
2015-04-22 15:58:56 -04:00
- Specify a config file from which user and password are to be read
2014-09-30 09:08:32 +02:00
required : false
2015-04-22 15:58:56 -04:00
default : ' ~/.my.cnf '
version_added : " 2.0 "
2012-09-29 16:15:41 +02:00
notes :
2012-10-01 09:18:54 +02:00
- Requires the MySQLdb Python package on the remote host . For Ubuntu , this
is as easy as apt - get install python - mysqldb .
2015-07-22 17:55:35 -03:00
- Both C ( login_password ) and C ( login_user ) are required when you are
2012-10-01 09:18:54 +02:00
passing credentials . If none are present , the module will attempt to read
the credentials from C ( ~ / . my . cnf ) , and finally fall back to using the MySQL
default login of ' root ' with no password .
2013-03-01 17:17:00 -05:00
- " MySQL server installs with default login_user of ' root ' and no password. To secure this user
2013-02-28 10:25:09 -06:00
as part of an idempotent playbook , you must create at least two tasks : the first must change the root user ' s password,
without providing any login_user / login_password details . The second must drop a ~ / . my . cnf file containing
the new root credentials . Subsequent runs of the playbook will then succeed by reading the new credentials from
2013-03-01 17:17:00 -05:00
the file . "
2013-02-28 10:25:09 -06:00
2014-09-30 09:08:32 +02:00
requirements : [ " MySQLdb " ]
2015-06-15 15:53:30 -04:00
author : " Mark Theunissen (@marktheunissen) "
2012-09-29 16:15:41 +02:00
'''
2013-03-15 10:58:27 -04:00
EXAMPLES = """
2013-06-14 11:53:43 +02:00
# Create database user with name 'bob' and password '12345' with all database privileges
- mysql_user : name = bob password = 12345 priv = * . * : ALL state = present
2014-01-14 12:00:25 +00:00
# Creates database user 'bob' and password '12345' with all database privileges and 'WITH GRANT OPTION'
- mysql_user : name = bob password = 12345 priv = * . * : ALL , GRANT state = present
2015-05-04 12:54:03 +01:00
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
2015-02-25 06:49:05 -08:00
- mysql_user : name = bob append_privs = true priv = * . * : REQUIRESSL state = present
2015-01-08 16:26:22 +00:00
2013-06-14 11:53:43 +02:00
# Ensure no user named 'sally' exists, also passing in the auth credentials.
- mysql_user : login_user = root login_password = 123456 name = sally state = absent
2014-05-20 14:41:18 -04:00
# Specify grants composed of more than one word
- mysql_user : name = replication password = 12345 priv = * . * : " REPLICATION CLIENT " state = present
2014-07-22 11:24:09 -04:00
# Revoke all privileges for user 'bob' and password '12345'
- mysql_user : name = bob password = 12345 priv = * . * : USAGE state = present
2013-06-14 11:53:43 +02:00
# Example privileges string format
mydb . * : INSERT , UPDATE / anotherdb . * : SELECT / yetanotherdb . * : ALL
# Example using login_unix_socket to connect to server
- mysql_user : name = root password = abc123 login_unix_socket = / var / run / mysqld / mysqld . sock
2013-03-15 10:58:27 -04:00
# Example .my.cnf file for setting the root password
2013-06-14 11:53:43 +02:00
2013-03-15 10:58:27 -04:00
[ client ]
user = root
password = n < _665 { vS43y
"""
import getpass
2013-10-18 17:42:40 -04:00
import tempfile
2015-05-06 16:44:40 -05:00
import re
2012-07-11 18:00:55 -05:00
try :
2012-07-22 12:11:39 -05:00
import MySQLdb
2012-07-11 18:00:55 -05:00
except ImportError :
2012-07-22 12:11:39 -05:00
mysqldb_found = False
else :
mysqldb_found = True
2012-07-11 18:00:55 -05:00
2014-11-26 08:26:53 -08:00
VALID_PRIVS = frozenset ( ( ' CREATE ' , ' DROP ' , ' GRANT ' , ' GRANT OPTION ' ,
' LOCK TABLES ' , ' REFERENCES ' , ' EVENT ' , ' ALTER ' ,
' DELETE ' , ' INDEX ' , ' INSERT ' , ' SELECT ' , ' UPDATE ' ,
2014-11-25 01:46:09 -08:00
' CREATE TEMPORARY TABLES ' , ' TRIGGER ' , ' CREATE VIEW ' ,
' SHOW VIEW ' , ' ALTER ROUTINE ' , ' CREATE ROUTINE ' ,
2014-12-10 18:53:55 +02:00
' EXECUTE ' , ' FILE ' , ' CREATE TABLESPACE ' , ' CREATE USER ' ,
' PROCESS ' , ' PROXY ' , ' RELOAD ' , ' REPLICATION CLIENT ' ,
' REPLICATION SLAVE ' , ' SHOW DATABASES ' , ' SHUTDOWN ' ,
2015-01-08 16:26:22 +00:00
' SUPER ' , ' ALL ' , ' ALL PRIVILEGES ' , ' USAGE ' , ' REQUIRESSL ' ) )
2014-11-25 01:46:09 -08:00
class InvalidPrivsError ( Exception ) :
pass
2012-07-11 18:00:55 -05:00
# ===========================================
# MySQL module specific support methods.
#
2015-05-08 10:40:26 -07:00
def connect ( module , login_user = None , login_password = None , config_file = ' ' ) :
2014-09-30 09:08:32 +02:00
config = {
' host ' : module . params [ ' login_host ' ] ,
' db ' : ' mysql '
}
if module . params [ ' login_unix_socket ' ] :
config [ ' unix_socket ' ] = module . params [ ' login_unix_socket ' ]
else :
config [ ' port ' ] = module . params [ ' login_port ' ]
2015-04-22 20:32:39 +02:00
if os . path . exists ( config_file ) :
config [ ' read_default_file ' ] = config_file
2015-04-30 12:49:32 -07:00
# If login_user or login_password are given, they should override the
# config file
if login_user is not None :
2014-09-30 09:08:32 +02:00
config [ ' user ' ] = login_user
2015-04-30 12:49:32 -07:00
if login_password is not None :
2014-09-30 09:08:32 +02:00
config [ ' passwd ' ] = login_password
2015-04-30 12:49:32 -07:00
2014-09-30 09:08:32 +02:00
db_connection = MySQLdb . connect ( * * config )
return db_connection . cursor ( )
2012-07-22 12:11:39 -05:00
def user_exists ( cursor , user , host ) :
2012-07-11 18:00:55 -05:00
cursor . execute ( " SELECT count(*) FROM user WHERE user = %s AND host = %s " , ( user , host ) )
count = cursor . fetchone ( )
return count [ 0 ] > 0
2012-07-30 17:15:24 -05:00
def user_add ( cursor , user , host , password , new_priv ) :
cursor . execute ( " CREATE USER %s @ %s IDENTIFIED BY %s " , ( user , host , password ) )
2012-07-11 18:00:55 -05:00
if new_priv is not None :
for db_table , priv in new_priv . iteritems ( ) :
2012-07-22 12:11:39 -05:00
privileges_grant ( cursor , user , host , db_table , priv )
2012-07-11 18:00:55 -05:00
return True
2013-10-03 13:00:17 +02:00
def user_mod ( cursor , user , host , password , new_priv , append_privs ) :
2012-07-11 18:00:55 -05:00
changed = False
Only revoke GRANT OPTION when user actually has it
When revoking privileges from a user, the GRANT OPTION is always
revoked, even if the user doesn't have it. If the user exists, this
doesn't give an error, but if the user doesn't exist, it does:
mysql> GRANT ALL ON test.* TO 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE ALL ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
ERROR 1141 (42000): There is no such grant defined for user 'test' on
host 'localhost'
Additionally, in MySQL 5.6 this breaks replication because of
http://bugs.mysql.com/bug.php?id=68892.
Rather than revoking the GRANT OPTION and catching the error, check if
the user actually has it and only revoke it when he does.
2013-07-23 13:00:29 +02:00
grant_option = False
2012-07-11 18:00:55 -05:00
2014-12-01 10:38:47 -08:00
# Handle passwords
2012-07-30 17:15:24 -05:00
if password is not None :
2012-07-11 18:00:55 -05:00
cursor . execute ( " SELECT password FROM user WHERE user = %s AND host = %s " , ( user , host ) )
current_pass_hash = cursor . fetchone ( )
2012-07-30 17:15:24 -05:00
cursor . execute ( " SELECT PASSWORD( %s ) " , ( password , ) )
2012-07-11 18:00:55 -05:00
new_pass_hash = cursor . fetchone ( )
if current_pass_hash [ 0 ] != new_pass_hash [ 0 ] :
2012-07-30 17:15:24 -05:00
cursor . execute ( " SET PASSWORD FOR %s @ %s = PASSWORD( %s ) " , ( user , host , password ) )
2012-07-11 18:00:55 -05:00
changed = True
2014-12-01 10:38:47 -08:00
# Handle privileges
2012-07-11 18:00:55 -05:00
if new_priv is not None :
2012-07-22 12:11:39 -05:00
curr_priv = privileges_get ( cursor , user , host )
2012-07-11 18:00:55 -05:00
# If the user has privileges on a db.table that doesn't appear at all in
# the new specification, then revoke all privileges on it.
for db_table , priv in curr_priv . iteritems ( ) :
Only revoke GRANT OPTION when user actually has it
When revoking privileges from a user, the GRANT OPTION is always
revoked, even if the user doesn't have it. If the user exists, this
doesn't give an error, but if the user doesn't exist, it does:
mysql> GRANT ALL ON test.* TO 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE ALL ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
ERROR 1141 (42000): There is no such grant defined for user 'test' on
host 'localhost'
Additionally, in MySQL 5.6 this breaks replication because of
http://bugs.mysql.com/bug.php?id=68892.
Rather than revoking the GRANT OPTION and catching the error, check if
the user actually has it and only revoke it when he does.
2013-07-23 13:00:29 +02:00
# If the user has the GRANT OPTION on a db.table, revoke it first.
if " GRANT " in priv :
grant_option = True
2012-07-11 18:00:55 -05:00
if db_table not in new_priv :
2013-10-03 13:00:17 +02:00
if user != " root " and " PROXY " not in priv and not append_privs :
2015-05-05 17:54:02 -05:00
privileges_revoke ( cursor , user , host , db_table , priv , grant_option )
2013-06-11 14:37:30 +02:00
changed = True
2012-07-11 18:00:55 -05:00
# If the user doesn't currently have any privileges on a db.table, then
# we can perform a straight grant operation.
for db_table , priv in new_priv . iteritems ( ) :
if db_table not in curr_priv :
2012-07-22 12:11:39 -05:00
privileges_grant ( cursor , user , host , db_table , priv )
2012-07-11 18:00:55 -05:00
changed = True
# If the db.table specification exists in both the user's current privileges
# and in the new privileges, then we need to see if there's a difference.
db_table_intersect = set ( new_priv . keys ( ) ) & set ( curr_priv . keys ( ) )
for db_table in db_table_intersect :
priv_diff = set ( new_priv [ db_table ] ) ^ set ( curr_priv [ db_table ] )
if ( len ( priv_diff ) > 0 ) :
2014-07-21 10:37:05 -04:00
if not append_privs :
2015-05-05 17:54:02 -05:00
privileges_revoke ( cursor , user , host , db_table , curr_priv [ db_table ] , grant_option )
2012-07-22 12:11:39 -05:00
privileges_grant ( cursor , user , host , db_table , new_priv [ db_table ] )
2012-07-11 18:00:55 -05:00
changed = True
return changed
2012-07-22 12:11:39 -05:00
def user_delete ( cursor , user , host ) :
2014-11-25 01:46:09 -08:00
cursor . execute ( " DROP USER %s @ %s " , ( user , host ) )
2012-07-11 18:00:55 -05:00
return True
2012-07-22 12:11:39 -05:00
def privileges_get ( cursor , user , host ) :
2012-07-11 18:00:55 -05:00
""" MySQL doesn ' t have a better method of getting privileges aside from the
SHOW GRANTS query syntax , which requires us to then parse the returned string .
Here ' s an example of the string that is returned from MySQL:
GRANT USAGE ON * . * TO ' user ' @ ' localhost ' IDENTIFIED BY ' pass ' ;
This function makes the query and returns a dictionary containing the results .
The dictionary format is the same as that returned by privileges_unpack ( ) below .
"""
output = { }
2014-11-25 01:46:09 -08:00
cursor . execute ( " SHOW GRANTS FOR %s @ %s " , ( user , host ) )
2012-07-11 18:00:55 -05:00
grants = cursor . fetchall ( )
2012-11-14 20:02:39 -05:00
def pick ( x ) :
if x == ' ALL PRIVILEGES ' :
return ' ALL '
else :
return x
2012-07-11 18:00:55 -05:00
for grant in grants :
2014-12-25 17:36:51 -05:00
res = re . match ( " GRANT (.+) ON (.+) TO ' .* ' @ ' .+ ' ( IDENTIFIED BY PASSWORD ' .+ ' )? ?(.*) " , grant [ 0 ] )
2012-07-11 18:00:55 -05:00
if res is None :
2014-12-01 07:15:27 -08:00
raise InvalidPrivsError ( ' unable to parse the MySQL grant string: %s ' % grant [ 0 ] )
2012-07-11 18:00:55 -05:00
privileges = res . group ( 1 ) . split ( " , " )
2012-11-14 20:02:39 -05:00
privileges = [ pick ( x ) for x in privileges ]
2012-10-24 14:32:49 +02:00
if " WITH GRANT OPTION " in res . group ( 4 ) :
2012-10-30 20:42:07 -04:00
privileges . append ( ' GRANT ' )
2015-01-08 16:26:22 +00:00
if " REQUIRE SSL " in res . group ( 4 ) :
privileges . append ( ' REQUIRESSL ' )
2013-08-26 17:16:34 +01:00
db = res . group ( 2 )
2012-07-11 18:00:55 -05:00
output [ db ] = privileges
return output
def privileges_unpack ( priv ) :
""" Take a privileges string, typically passed as a parameter, and unserialize
it into a dictionary , the same format as privileges_get ( ) above . We have this
custom format to avoid using YAML / JSON strings inside YAML playbooks . Example
of a privileges string :
mydb . * : INSERT , UPDATE / anotherdb . * : SELECT / yetanother . * : ALL
The privilege USAGE stands for no privileges , so we add that in on * . * if it ' s
not specified in the string , as MySQL will always provide this by default .
"""
output = { }
2015-05-06 16:44:40 -05:00
privs = [ ]
2014-12-09 17:14:16 -05:00
for item in priv . strip ( ) . split ( ' / ' ) :
pieces = item . strip ( ) . split ( ' : ' )
2015-05-18 21:53:20 -04:00
dbpriv = pieces [ 0 ] . rsplit ( " . " , 1 )
pieces [ 0 ] = " ` %s `. %s " % ( dbpriv [ 0 ] . strip ( ' ` ' ) , dbpriv [ 1 ] )
2015-05-06 16:44:40 -05:00
if ' ( ' in pieces [ 1 ] :
output [ pieces [ 0 ] ] = re . split ( r ' , \ s*(?=[^)]*(?: \ (|$)) ' , pieces [ 1 ] . upper ( ) )
for i in output [ pieces [ 0 ] ] :
privs . append ( re . sub ( r ' \ (.* \ ) ' , ' ' , i ) )
else :
output [ pieces [ 0 ] ] = pieces [ 1 ] . upper ( ) . split ( ' , ' )
privs = output [ pieces [ 0 ] ]
new_privs = frozenset ( privs )
2014-11-25 01:46:09 -08:00
if not new_privs . issubset ( VALID_PRIVS ) :
raise InvalidPrivsError ( ' Invalid privileges specified: %s ' % new_privs . difference ( VALID_PRIVS ) )
2012-07-11 18:00:55 -05:00
if ' *.* ' not in output :
output [ ' *.* ' ] = [ ' USAGE ' ]
2015-01-08 16:26:22 +00:00
# if we are only specifying something like REQUIRESSL in *.* we still need
# to add USAGE as a privilege to avoid syntax errors
if priv . find ( ' REQUIRESSL ' ) != - 1 and ' USAGE ' not in output [ ' *.* ' ] :
output [ ' *.* ' ] . append ( ' USAGE ' )
2012-07-11 18:00:55 -05:00
return output
2015-05-05 17:54:02 -05:00
def privileges_revoke ( cursor , user , host , db_table , priv , grant_option ) :
2014-12-01 10:38:47 -08:00
# Escape '%' since mysql db.execute() uses a format string
db_table = db_table . replace ( ' % ' , ' %% ' )
Only revoke GRANT OPTION when user actually has it
When revoking privileges from a user, the GRANT OPTION is always
revoked, even if the user doesn't have it. If the user exists, this
doesn't give an error, but if the user doesn't exist, it does:
mysql> GRANT ALL ON test.* TO 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE ALL ON test.* FROM 'test'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> REVOKE GRANT OPTION ON test.* FROM 'test'@'localhost';
ERROR 1141 (42000): There is no such grant defined for user 'test' on
host 'localhost'
Additionally, in MySQL 5.6 this breaks replication because of
http://bugs.mysql.com/bug.php?id=68892.
Rather than revoking the GRANT OPTION and catching the error, check if
the user actually has it and only revoke it when he does.
2013-07-23 13:00:29 +02:00
if grant_option :
2014-11-25 01:46:09 -08:00
query = [ " REVOKE GRANT OPTION ON %s " % mysql_quote_identifier ( db_table , ' table ' ) ]
query . append ( " FROM %s @ %s " )
query = ' ' . join ( query )
cursor . execute ( query , ( user , host ) )
2015-05-26 12:36:46 -05:00
priv_string = " , " . join ( [ p for p in priv if p not in ( ' GRANT ' , ' REQUIRESSL ' ) ] )
2015-05-05 17:54:02 -05:00
query = [ " REVOKE %s ON %s " % ( priv_string , mysql_quote_identifier ( db_table , ' table ' ) ) ]
2014-11-25 01:46:09 -08:00
query . append ( " FROM %s @ %s " )
query = ' ' . join ( query )
2015-01-08 21:41:15 +00:00
cursor . execute ( query , ( user , host ) )
2012-07-11 18:00:55 -05:00
2012-07-22 12:11:39 -05:00
def privileges_grant ( cursor , user , host , db_table , priv ) :
2014-12-01 10:38:47 -08:00
# Escape '%' since mysql db.execute uses a format string and the
# specification of db and table often use a % (SQL wildcard)
db_table = db_table . replace ( ' % ' , ' %% ' )
2015-05-26 12:36:46 -05:00
priv_string = " , " . join ( [ p for p in priv if p not in ( ' GRANT ' , ' REQUIRESSL ' ) ] )
2014-11-25 01:46:09 -08:00
query = [ " GRANT %s ON %s " % ( priv_string , mysql_quote_identifier ( db_table , ' table ' ) ) ]
query . append ( " TO %s @ %s " )
2012-10-18 19:27:18 +02:00
if ' GRANT ' in priv :
2015-01-08 21:41:15 +00:00
query . append ( " WITH GRANT OPTION " )
2015-01-08 16:26:22 +00:00
if ' REQUIRESSL ' in priv :
2015-01-08 21:41:15 +00:00
query . append ( " REQUIRE SSL " )
2014-11-25 01:46:09 -08:00
query = ' ' . join ( query )
2015-01-08 21:41:15 +00:00
cursor . execute ( query , ( user , host ) )
2013-03-25 09:53:04 -04:00
2012-07-11 18:00:55 -05:00
# ===========================================
# Module execution.
#
2012-07-22 12:11:39 -05:00
def main ( ) :
module = AnsibleModule (
argument_spec = dict (
2012-07-30 17:15:24 -05:00
login_user = dict ( default = None ) ,
login_password = dict ( default = None ) ,
login_host = dict ( default = " localhost " ) ,
2015-03-03 14:23:07 -08:00
login_port = dict ( default = 3306 , type = ' int ' ) ,
2012-08-03 12:35:18 +02:00
login_unix_socket = dict ( default = None ) ,
2012-08-01 00:21:36 -04:00
user = dict ( required = True , aliases = [ ' name ' ] ) ,
2015-06-16 10:08:06 +06:00
password = dict ( default = None , no_log = True ) ,
2012-07-22 12:11:39 -05:00
host = dict ( default = " localhost " ) ,
state = dict ( default = " present " , choices = [ " absent " , " present " ] ) ,
priv = dict ( default = None ) ,
2015-05-18 16:33:46 -04:00
append_privs = dict ( default = False , type = ' bool ' ) ,
check_implicit_admin = dict ( default = False , type = ' bool ' ) ,
2015-02-20 12:30:27 -05:00
update_password = dict ( default = " always " , choices = [ " always " , " on_create " ] ) ,
2015-04-30 11:40:04 -04:00
config_file = dict ( default = " ~/.my.cnf " ) ,
2012-07-22 12:11:39 -05:00
)
)
2014-09-30 09:08:32 +02:00
login_user = module . params [ " login_user " ]
login_password = module . params [ " login_password " ]
2012-07-22 12:11:39 -05:00
user = module . params [ " user " ]
2012-07-30 17:15:24 -05:00
password = module . params [ " password " ]
2015-05-21 09:32:12 -04:00
host = module . params [ " host " ] . lower ( )
2012-07-22 12:11:39 -05:00
state = module . params [ " state " ]
priv = module . params [ " priv " ]
2013-07-01 11:56:04 +01:00
check_implicit_admin = module . params [ ' check_implicit_admin ' ]
2014-09-30 09:08:32 +02:00
config_file = module . params [ ' config_file ' ]
2013-10-03 13:00:17 +02:00
append_privs = module . boolean ( module . params [ " append_privs " ] )
2015-02-20 12:30:27 -05:00
update_password = module . params [ ' update_password ' ]
2012-07-22 12:11:39 -05:00
2015-05-08 10:40:26 -07:00
config_file = os . path . expanduser ( os . path . expandvars ( config_file ) )
2012-07-22 12:11:39 -05:00
if not mysqldb_found :
module . fail_json ( msg = " the python mysqldb module is required " )
if priv is not None :
try :
priv = privileges_unpack ( priv )
2014-11-25 01:46:09 -08:00
except Exception , e :
module . fail_json ( msg = " invalid privileges string: %s " % str ( e ) )
2012-07-11 18:00:55 -05:00
2013-07-01 11:56:04 +01:00
cursor = None
2012-07-11 18:00:55 -05:00
try :
2013-07-01 11:56:04 +01:00
if check_implicit_admin :
try :
2014-09-30 09:08:32 +02:00
cursor = connect ( module , ' root ' , ' ' , config_file )
2013-07-01 11:56:04 +01:00
except :
pass
if not cursor :
2014-09-30 09:08:32 +02:00
cursor = connect ( module , login_user , login_password , config_file )
2012-11-09 14:28:21 +01:00
except Exception , e :
2015-05-08 10:40:26 -07:00
module . fail_json ( msg = " unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s " % e )
2012-07-11 18:00:55 -05:00
if state == " present " :
2012-07-22 12:11:39 -05:00
if user_exists ( cursor , user , host ) :
2014-11-25 01:46:09 -08:00
try :
2015-02-20 12:30:27 -05:00
if update_password == ' always ' :
changed = user_mod ( cursor , user , host , password , priv , append_privs )
else :
changed = user_mod ( cursor , user , host , None , priv , append_privs )
2015-01-12 14:36:57 -08:00
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
2014-12-04 13:35:07 -08:00
module . fail_json ( msg = str ( e ) )
2012-07-11 18:00:55 -05:00
else :
2012-07-30 17:15:24 -05:00
if password is None :
module . fail_json ( msg = " password parameter required when adding a user " )
2014-11-25 01:46:09 -08:00
try :
changed = user_add ( cursor , user , host , password , priv )
2015-01-12 14:36:57 -08:00
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
2014-11-25 01:46:09 -08:00
module . fail_json ( msg = str ( e ) )
2012-07-11 18:00:55 -05:00
elif state == " absent " :
2012-07-22 12:11:39 -05:00
if user_exists ( cursor , user , host ) :
changed = user_delete ( cursor , user , host )
2012-07-11 18:00:55 -05:00
else :
changed = False
2012-07-22 12:11:39 -05:00
module . exit_json ( changed = changed , user = user )
2012-07-11 18:00:55 -05:00
2013-12-02 15:13:49 -05:00
# import module snippets
2013-12-02 15:11:23 -05:00
from ansible . module_utils . basic import *
2014-11-25 01:46:09 -08:00
from ansible . module_utils . database import *
if __name__ == ' __main__ ' :
main ( )