Merge pull request #1262 from bobobox/feature-fix-rds-mysql-revoke

mysql_user: Only revoke actually granted permissions, not 'ALL'.
This commit is contained in:
Toshio Kuratomi 2015-05-26 11:04:54 -07:00
commit 2c7c23e8e7


@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
grant_option = True grant_option = True
if db_table not in new_priv: if db_table not in new_priv:
if user != "root" and "PROXY" not in priv and not append_privs: if user != "root" and "PROXY" not in priv and not append_privs:
privileges_revoke(cursor, user,host,db_table,grant_option) privileges_revoke(cursor, user,host,db_table,priv,grant_option)
changed = True changed = True
# If the user doesn't currently have any privileges on a db.table, then # If the user doesn't currently have any privileges on a db.table, then
@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table]) priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
if (len(priv_diff) > 0): if (len(priv_diff) > 0):
if not append_privs: if not append_privs:
privileges_revoke(cursor, user,host,db_table,grant_option) privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
privileges_grant(cursor, user,host,db_table,new_priv[db_table]) privileges_grant(cursor, user,host,db_table,new_priv[db_table])
changed = True changed = True
@ -342,7 +342,7 @@ def privileges_unpack(priv):
return output return output
def privileges_revoke(cursor, user,host,db_table,grant_option): def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
# Escape '%' since mysql db.execute() uses a format string # Escape '%' since mysql db.execute() uses a format string
db_table = db_table.replace('%', '%%') db_table = db_table.replace('%', '%%')
if grant_option: if grant_option:
@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
query.append("FROM %s@%s") query.append("FROM %s@%s")
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, (user, host)) cursor.execute(query, (user, host))
query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')] priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
query.append("FROM %s@%s") query.append("FROM %s@%s")
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, (user, host)) cursor.execute(query, (user, host))
@ -359,7 +360,7 @@ def privileges_grant(cursor, user,host,db_table,priv):
# Escape '%' since mysql db.execute uses a format string and the # Escape '%' since mysql db.execute uses a format string and the
# specification of db and table often use a % (SQL wildcard) # specification of db and table often use a % (SQL wildcard)
db_table = db_table.replace('%', '%%') db_table = db_table.replace('%', '%%')
priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv)) priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))] query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
query.append("TO %s@%s") query.append("TO %s@%s")
if 'GRANT' in priv: if 'GRANT' in priv:
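Review bot: The new `priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])` in privileges_revoke can produce an empty string if the current privileges on a db.table consist only of the filtered entries, and the next line would then build a malformed `REVOKE  ON ...` statement that the server would be expected to reject; the callers in user_mod pass `priv` and `curr_priv[db_table]` through unchanged, so nothing upstream rules this out, and I cannot tell from the hunk whether privileges_unpack can yield such a list. The second REVOKE should only be issued when something is left after filtering, leaving the GRANT OPTION revoke above it as is; privileges_revoke's body continues outside the hunk, so a guard is safer than an early return. The privilege names are formatted into the SQL text rather than bound as parameters, the same pattern privileges_grant already uses; since they originate from the parsed current grants here that is presumably intended, but a comment such as `# priv names come from the parsed SHOW GRANTS output, not from module input` at the point of use would make the trust boundary explicit. The filter tuple `('GRANT', 'REQUIRESSL')` now appears in both privileges_revoke and privileges_grant and could be a single module-level constant.
```python
    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
    # Nothing to revoke once GRANT/REQUIRESSL are filtered out; an empty
    # list would otherwise yield an invalid "REVOKE  ON ..." statement.
    if priv_string:
        query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
        query.append("FROM %s@%s")
        query = ' '.join(query)
        cursor.execute(query, (user, host))
```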