Merge pull request #1262 from bobobox/feature-fix-rds-mysql-revoke
mysql_user: Only revoke actually granted permissions, not 'ALL'.
This commit is contained in:
commit
2c7c23e8e7
1 changed files with 6 additions and 5 deletions
|
@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
||||||
grant_option = True
|
grant_option = True
|
||||||
if db_table not in new_priv:
|
if db_table not in new_priv:
|
||||||
if user != "root" and "PROXY" not in priv and not append_privs:
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
||||||
privileges_revoke(cursor, user,host,db_table,grant_option)
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
# If the user doesn't currently have any privileges on a db.table, then
|
# If the user doesn't currently have any privileges on a db.table, then
|
||||||
|
@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
||||||
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
||||||
if (len(priv_diff) > 0):
|
if (len(priv_diff) > 0):
|
||||||
if not append_privs:
|
if not append_privs:
|
||||||
privileges_revoke(cursor, user,host,db_table,grant_option)
|
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
||||||
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
|
@ -342,7 +342,7 @@ def privileges_unpack(priv):
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
||||||
def privileges_revoke(cursor, user,host,db_table,grant_option):
|
def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
|
||||||
# Escape '%' since mysql db.execute() uses a format string
|
# Escape '%' since mysql db.execute() uses a format string
|
||||||
db_table = db_table.replace('%', '%%')
|
db_table = db_table.replace('%', '%%')
|
||||||
if grant_option:
|
if grant_option:
|
||||||
|
@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
|
||||||
query.append("FROM %s@%s")
|
query.append("FROM %s@%s")
|
||||||
query = ' '.join(query)
|
query = ' '.join(query)
|
||||||
cursor.execute(query, (user, host))
|
cursor.execute(query, (user, host))
|
||||||
query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')]
|
priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
|
||||||
|
query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
|
||||||
query.append("FROM %s@%s")
|
query.append("FROM %s@%s")
|
||||||
query = ' '.join(query)
|
query = ' '.join(query)
|
||||||
cursor.execute(query, (user, host))
|
cursor.execute(query, (user, host))
|
||||||
|
@ -359,7 +360,7 @@ def privileges_grant(cursor, user,host,db_table,priv):
|
||||||
# Escape '%' since mysql db.execute uses a format string and the
|
# Escape '%' since mysql db.execute uses a format string and the
|
||||||
# specification of db and table often use a % (SQL wildcard)
|
# specification of db and table often use a % (SQL wildcard)
|
||||||
db_table = db_table.replace('%', '%%')
|
db_table = db_table.replace('%', '%%')
|
||||||
priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
|
priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
|
||||||
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
|
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
|
||||||
query.append("TO %s@%s")
|
query.append("TO %s@%s")
|
||||||
if 'GRANT' in priv:
|
if 'GRANT' in priv:
|
||||||
|
|
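Review bot: In the new privileges_revoke body, priv_string is interpolated into `REVOKE %s ON %s`, so when priv holds only the filtered-out names ('GRANT', 'REQUIRESSL') or is empty the statement becomes `REVOKE  ON ... FROM ...`, which the server rejects as a syntax error instead of treating as a no-op; the old `REVOKE ALL PRIVILEGES` form had no such degenerate case. A one-line guard right after the join, `if not priv_string: return`, avoids issuing the malformed statement, and since the REVOKE is the last statement in the function (assuming nothing follows the final cursor.execute outside the hunk) an early return changes nothing else; the callers still set changed = True as before. Both call sites (the loop over the current privileges and the curr_priv[db_table] branch) pass names parsed from the existing grants rather than module input, but the list is still spliced in by string formatting, not bound as a parameter, so a comment such as `# priv must contain only privilege keywords; it is formatted into the statement, not parameter-bound` would make that contract explicit to the next maintainer. The function's body is split across the @ -342 and @ -350 hunks, and its grant_option branch lies between them outside what is shown.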