Merge pull request #1262 from bobobox/feature-fix-rds-mysql-revoke

mysql_user: Only revoke actually granted permissions, not 'ALL'.
2015-05-26 11:04:54 -07:00 · 2015-05-26 11:04:54 -07:00 · 2c7c23e8e7
commit 2c7c23e8e7
parent 58c6c3dd03 cda7a9be15
1 changed files with 6 additions and 5 deletions
--- a/database/mysql/mysql_user.py
+++ b/database/mysql/mysql_user.py
@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
                grant_option = True
            if db_table not in new_priv:
                if user != "root" and "PROXY" not in priv and not append_privs:
-                    privileges_revoke(cursor, user,host,db_table,grant_option)
+                    privileges_revoke(cursor, user,host,db_table,priv,grant_option)
                    changed = True

        # If the user doesn't currently have any privileges on a db.table, then
@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
            priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
            if (len(priv_diff) > 0):
                if not append_privs:
-                    privileges_revoke(cursor, user,host,db_table,grant_option)
+                    privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
                privileges_grant(cursor, user,host,db_table,new_priv[db_table])
                changed = True

@ -342,7 +342,7 @@ def privileges_unpack(priv):

    return output

-def privileges_revoke(cursor, user,host,db_table,grant_option):
+def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
    # Escape '%' since mysql db.execute() uses a format string
    db_table = db_table.replace('%', '%%')
    if grant_option:
@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
        query.append("FROM %s@%s")
        query = ' '.join(query)
        cursor.execute(query, (user, host))
-    query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')]
+    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
+    query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
    query.append("FROM %s@%s")
    query = ' '.join(query)
    cursor.execute(query, (user, host))
@ -359,7 +360,7 @@ def privileges_grant(cursor, user,host,db_table,priv):
    # Escape '%' since mysql db.execute uses a format string and the
    # specification of db and table often use a % (SQL wildcard)
    db_table = db_table.replace('%', '%%')
-    priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
+    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
    query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
    query.append("TO %s@%s")
    if 'GRANT' in priv: