Only revoke actually granted permissions, not 'ALL'.
This prevents errors when the login_user does not have 'ALL' permissions, and the 'priv' value contains fewer permissions than are held by an existing user. This is particularly an issue when using an Amazon Web Services RDS instance, as there is no (accessible) user with 'ALL' permissions on *.*.
This commit is contained in:
parent
48c83a0d9d
commit
74b7ce9dcf
1 changed files with 5 additions and 4 deletions
|
@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
||||||
grant_option = True
|
grant_option = True
|
||||||
if db_table not in new_priv:
|
if db_table not in new_priv:
|
||||||
if user != "root" and "PROXY" not in priv and not append_privs:
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
||||||
privileges_revoke(cursor, user,host,db_table,grant_option)
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
# If the user doesn't currently have any privileges on a db.table, then
|
# If the user doesn't currently have any privileges on a db.table, then
|
||||||
|
@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
||||||
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
||||||
if (len(priv_diff) > 0):
|
if (len(priv_diff) > 0):
|
||||||
if not append_privs:
|
if not append_privs:
|
||||||
privileges_revoke(cursor, user,host,db_table,grant_option)
|
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
||||||
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
|
@ -342,7 +342,7 @@ def privileges_unpack(priv):
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
||||||
def privileges_revoke(cursor, user,host,db_table,grant_option):
|
def privileges_revoke(cursor, user,host,db_table,priv,grant_option):
|
||||||
# Escape '%' since mysql db.execute() uses a format string
|
# Escape '%' since mysql db.execute() uses a format string
|
||||||
db_table = db_table.replace('%', '%%')
|
db_table = db_table.replace('%', '%%')
|
||||||
if grant_option:
|
if grant_option:
|
||||||
|
@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
|
||||||
query.append("FROM %s@%s")
|
query.append("FROM %s@%s")
|
||||||
query = ' '.join(query)
|
query = ' '.join(query)
|
||||||
cursor.execute(query, (user, host))
|
cursor.execute(query, (user, host))
|
||||||
query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')]
|
priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
|
||||||
|
query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
|
||||||
query.append("FROM %s@%s")
|
query.append("FROM %s@%s")
|
||||||
query = ' '.join(query)
|
query = ' '.join(query)
|
||||||
cursor.execute(query, (user, host))
|
cursor.execute(query, (user, host))
|
||||||
|
|
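Review bot: In the last hunk, `priv_string` can be empty when `priv` holds only the filtered-out entries ('GRANT', 'REQUIRESSL') or nothing at all, and the code then executes `REVOKE  ON ...`, which is a syntax error rather than the no-op it should be; the GRANT OPTION case was already handled by the preceding `if grant_option:` branch. Guard the second statement with `if priv_string:` (or `return` early when it is empty) before building the query. The privilege names are also interpolated into the query text with `%` before `cursor.execute` applies its own format string, while `db_table` on the line above is escaped for exactly that reason; the names come from the module's `priv` argument or from the stored grants, so applying the same `.replace('%', '%%')` to `priv_string`, or validating each name against the known privilege keywords before joining, keeps the two code paths consistent. The rest of `privileges_revoke`, and the callers in `user_mod` changed in the first two hunks, extend outside the shown hunks.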