Merge pull request #2333 from leehuk/mysql_anon_user
- mysql: add host_all parameter, to work on all user accounts for that host
This commit is contained in:
Toshio Kuratomi
commit
7601f51ee8
1 changed files with 150 additions and 74 deletions
|
|
@ -47,6 +47,15 @@ options:
|
||||||
- the 'host' part of the MySQL username
|
- the 'host' part of the MySQL username
|
||||||
required: false
|
required: false
|
||||||
default: localhost
|
default: localhost
|
||||||
|
host_all:
|
||||||
|
description:
|
||||||
|
- override the host option, making ansible apply changes to
|
||||||
|
all hostnames for a given user. This option cannot be used
|
||||||
|
when creating users
|
||||||
|
required: false
|
||||||
|
choices: [ "yes", "no" ]
|
||||||
|
default: "no"
|
||||||
|
version_added: "2.1"
|
||||||
login_user:
|
login_user:
|
||||||
description:
|
description:
|
||||||
- The username used to authenticate with
|
- The username used to authenticate with
|
||||||
|
|
@ -132,6 +141,12 @@ author: "Jonathan Mainguy (@Jmainguy)"
|
||||||
'''
|
'''
|
||||||
|
|
||||||
EXAMPLES = """
|
EXAMPLES = """
|
||||||
|
# Removes anonymous user account for localhost
|
||||||
|
- mysql_user: name='' host=localhost state=absent
|
||||||
|
|
||||||
|
# Removes all anonymous user accounts
|
||||||
|
- mysql_user: name='' host_all=yes state=absent
|
||||||
|
|
||||||
# Create database user with name 'bob' and password '12345' with all database privileges
|
# Create database user with name 'bob' and password '12345' with all database privileges
|
||||||
- mysql_user: name=bob password=12345 priv=*.*:ALL state=present
|
- mysql_user: name=bob password=12345 priv=*.*:ALL state=present
|
||||||
|
|
||||||
|
|
@ -144,9 +159,12 @@ EXAMPLES = """
|
||||||
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
|
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
|
||||||
- mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present
|
- mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present
|
||||||
|
|
||||||
# Ensure no user named 'sally' exists, also passing in the auth credentials.
|
# Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials.
|
||||||
- mysql_user: login_user=root login_password=123456 name=sally state=absent
|
- mysql_user: login_user=root login_password=123456 name=sally state=absent
|
||||||
|
|
||||||
|
# Ensure no user named 'sally' exists at all
|
||||||
|
- mysql_user: name=sally host_all=yes state=absent
|
||||||
|
|
||||||
# Specify grants composed of more than one word
|
# Specify grants composed of more than one word
|
||||||
- mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present
|
- mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present
|
||||||
|
|
||||||
|
|
@ -231,16 +249,25 @@ def server_version_check(cursor):
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def user_exists(cursor, user, host):
|
def user_exists(cursor, user, host, host_all):
|
||||||
cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
|
if host_all:
|
||||||
|
cursor.execute("SELECT count(*) FROM user WHERE user = %s", user)
|
||||||
|
else:
|
||||||
|
cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
|
||||||
|
|
||||||
count = cursor.fetchone()
|
count = cursor.fetchone()
|
||||||
return count[0] > 0
|
return count[0] > 0
|
||||||
|
|
||||||
def user_add(cursor, user, host, password, encrypted, new_priv):
|
def user_add(cursor, user, host, host_all, password, encrypted, new_priv):
|
||||||
|
# we cannot create users without a proper hostname
|
||||||
|
if host_all:
|
||||||
|
return False
|
||||||
|
|
||||||
if password and encrypted:
|
if password and encrypted:
|
||||||
cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user,host,password))
|
cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user,host,password))
|
||||||
elif password and not encrypted:
|
elif password and not encrypted:
|
||||||
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
|
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
|
||||||
|
|
||||||
if new_priv is not None:
|
if new_priv is not None:
|
||||||
for db_table, priv in new_priv.iteritems():
|
for db_table, priv in new_priv.iteritems():
|
||||||
privileges_grant(cursor, user,host,db_table,priv)
|
privileges_grant(cursor, user,host,db_table,priv)
|
||||||
|
|
@ -253,85 +280,130 @@ def is_hash(password):
|
||||||
ishash = True
|
ishash = True
|
||||||
return ishash
|
return ishash
|
||||||
|
|
||||||
def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
def user_mod(cursor, user, host, host_all, password, encrypted, new_priv, append_privs):
|
||||||
changed = False
|
changed = False
|
||||||
grant_option = False
|
grant_option = False
|
||||||
|
|
||||||
# Handle clear text and hashed passwords.
|
if host_all:
|
||||||
if bool(password):
|
hostnames = user_get_hostnames(cursor, user)
|
||||||
# Determine what user management method server uses
|
else:
|
||||||
old_user_mgmt = server_version_check(cursor)
|
hostnames = [host]
|
||||||
|
|
||||||
if old_user_mgmt:
|
for host in hostnames:
|
||||||
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
|
# Handle clear text and hashed passwords.
|
||||||
else:
|
if bool(password):
|
||||||
cursor.execute("SELECT authentication_string FROM user WHERE user = %s AND host = %s", (user,host))
|
# Determine what user management method server uses
|
||||||
current_pass_hash = cursor.fetchone()
|
old_user_mgmt = server_version_check(cursor)
|
||||||
|
|
||||||
if encrypted:
|
|
||||||
encrypted_string = (password)
|
|
||||||
if is_hash(password):
|
|
||||||
if current_pass_hash[0] != encrypted_string:
|
|
||||||
if old_user_mgmt:
|
|
||||||
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
|
|
||||||
else:
|
|
||||||
cursor.execute("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, password))
|
|
||||||
changed = True
|
|
||||||
else:
|
|
||||||
module.fail_json(msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))")
|
|
||||||
else:
|
|
||||||
if old_user_mgmt:
|
if old_user_mgmt:
|
||||||
cursor.execute("SELECT PASSWORD(%s)", (password,))
|
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
|
||||||
else:
|
else:
|
||||||
cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
|
cursor.execute("SELECT authentication_string FROM user WHERE user = %s AND host = %s", (user,host))
|
||||||
new_pass_hash = cursor.fetchone()
|
current_pass_hash = cursor.fetchone()
|
||||||
if current_pass_hash[0] != new_pass_hash[0]:
|
|
||||||
if old_user_mgmt:
|
if encrypted:
|
||||||
cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user, host, password))
|
encrypted_string = (password)
|
||||||
|
if is_hash(password):
|
||||||
|
if current_pass_hash[0] != encrypted_string:
|
||||||
|
if old_user_mgmt:
|
||||||
|
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
|
||||||
|
else:
|
||||||
|
cursor.execute("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, password))
|
||||||
|
changed = True
|
||||||
else:
|
else:
|
||||||
cursor.execute("ALTER USER %s@%s IDENTIFIED BY %s", (user, host, password))
|
module.fail_json(msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))")
|
||||||
changed = True
|
else:
|
||||||
|
if old_user_mgmt:
|
||||||
|
cursor.execute("SELECT PASSWORD(%s)", (password,))
|
||||||
# Handle privileges
|
else:
|
||||||
if new_priv is not None:
|
cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
|
||||||
curr_priv = privileges_get(cursor, user,host)
|
new_pass_hash = cursor.fetchone()
|
||||||
|
if current_pass_hash[0] != new_pass_hash[0]:
|
||||||
# If the user has privileges on a db.table that doesn't appear at all in
|
if old_user_mgmt:
|
||||||
# the new specification, then revoke all privileges on it.
|
cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user, host, password))
|
||||||
for db_table, priv in curr_priv.iteritems():
|
else:
|
||||||
# If the user has the GRANT OPTION on a db.table, revoke it first.
|
cursor.execute("ALTER USER %s@%s IDENTIFIED BY %s", (user, host, password))
|
||||||
if "GRANT" in priv:
|
changed = True
|
||||||
grant_option = True
|
|
||||||
if db_table not in new_priv:
|
|
||||||
if user != "root" and "PROXY" not in priv and not append_privs:
|
# Handle privileges
|
||||||
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
if new_priv is not None:
|
||||||
|
curr_priv = privileges_get(cursor, user,host)
|
||||||
|
|
||||||
|
# If the user has privileges on a db.table that doesn't appear at all in
|
||||||
|
# the new specification, then revoke all privileges on it.
|
||||||
|
for db_table, priv in curr_priv.iteritems():
|
||||||
|
# If the user has the GRANT OPTION on a db.table, revoke it first.
|
||||||
|
if "GRANT" in priv:
|
||||||
|
grant_option = True
|
||||||
|
if db_table not in new_priv:
|
||||||
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
||||||
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
||||||
|
changed = True
|
||||||
|
|
||||||
|
# If the user doesn't currently have any privileges on a db.table, then
|
||||||
|
# we can perform a straight grant operation.
|
||||||
|
for db_table, priv in new_priv.iteritems():
|
||||||
|
if db_table not in curr_priv:
|
||||||
|
privileges_grant(cursor, user,host,db_table,priv)
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
# If the user doesn't currently have any privileges on a db.table, then
|
# Handle privileges
|
||||||
# we can perform a straight grant operation.
|
if new_priv is not None:
|
||||||
for db_table, priv in new_priv.iteritems():
|
curr_priv = privileges_get(cursor, user,host)
|
||||||
if db_table not in curr_priv:
|
|
||||||
privileges_grant(cursor, user,host,db_table,priv)
|
|
||||||
changed = True
|
|
||||||
|
|
||||||
# If the db.table specification exists in both the user's current privileges
|
# If the user has privileges on a db.table that doesn't appear at all in
|
||||||
# and in the new privileges, then we need to see if there's a difference.
|
# the new specification, then revoke all privileges on it.
|
||||||
db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys())
|
for db_table, priv in curr_priv.iteritems():
|
||||||
for db_table in db_table_intersect:
|
# If the user has the GRANT OPTION on a db.table, revoke it first.
|
||||||
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
if "GRANT" in priv:
|
||||||
if (len(priv_diff) > 0):
|
grant_option = True
|
||||||
if not append_privs:
|
if db_table not in new_priv:
|
||||||
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
||||||
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
|
# If the user doesn't currently have any privileges on a db.table, then
|
||||||
|
# we can perform a straight grant operation.
|
||||||
|
for db_table, priv in new_priv.iteritems():
|
||||||
|
if db_table not in curr_priv:
|
||||||
|
privileges_grant(cursor, user,host,db_table,priv)
|
||||||
|
changed = True
|
||||||
|
|
||||||
|
# If the db.table specification exists in both the user's current privileges
|
||||||
|
# and in the new privileges, then we need to see if there's a difference.
|
||||||
|
db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys())
|
||||||
|
for db_table in db_table_intersect:
|
||||||
|
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
||||||
|
if (len(priv_diff) > 0):
|
||||||
|
if not append_privs:
|
||||||
|
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
||||||
|
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
||||||
|
changed = True
|
||||||
|
|
||||||
return changed
|
return changed
|
||||||
|
|
||||||
def user_delete(cursor, user, host):
|
def user_delete(cursor, user, host, host_all):
|
||||||
cursor.execute("DROP USER %s@%s", (user, host))
|
if host_all:
|
||||||
|
hostnames = user_get_hostnames(cursor, user)
|
||||||
|
|
||||||
|
for hostname in hostnames:
|
||||||
|
cursor.execute("DROP USER %s@%s", (user, hostname))
|
||||||
|
else:
|
||||||
|
cursor.execute("DROP USER %s@%s", (user, host))
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
def user_get_hostnames(cursor, user):
|
||||||
|
cursor.execute("SELECT Host FROM mysql.user WHERE user = %s", user)
|
||||||
|
hostnames_raw = cursor.fetchall()
|
||||||
|
hostnames = []
|
||||||
|
|
||||||
|
for hostname_raw in hostnames_raw:
|
||||||
|
hostnames.append(hostname_raw[0])
|
||||||
|
|
||||||
|
return hostnames
|
||||||
|
|
||||||
def privileges_get(cursor, user,host):
|
def privileges_get(cursor, user,host):
|
||||||
""" MySQL doesn't have a better method of getting privileges aside from the
|
""" MySQL doesn't have a better method of getting privileges aside from the
|
||||||
SHOW GRANTS query syntax, which requires us to then parse the returned string.
|
SHOW GRANTS query syntax, which requires us to then parse the returned string.
|
||||||
|
|
@ -451,6 +523,7 @@ def main():
|
||||||
password=dict(default=None, no_log=True),
|
password=dict(default=None, no_log=True),
|
||||||
encrypted=dict(default=False, type='bool'),
|
encrypted=dict(default=False, type='bool'),
|
||||||
host=dict(default="localhost"),
|
host=dict(default="localhost"),
|
||||||
|
host_all=dict(type="bool", default="no"),
|
||||||
state=dict(default="present", choices=["absent", "present"]),
|
state=dict(default="present", choices=["absent", "present"]),
|
||||||
priv=dict(default=None),
|
priv=dict(default=None),
|
||||||
append_privs=dict(default=False, type='bool'),
|
append_privs=dict(default=False, type='bool'),
|
||||||
|
|
@ -465,6 +538,7 @@ def main():
|
||||||
password = module.params["password"]
|
password = module.params["password"]
|
||||||
encrypted = module.boolean(module.params["encrypted"])
|
encrypted = module.boolean(module.params["encrypted"])
|
||||||
host = module.params["host"].lower()
|
host = module.params["host"].lower()
|
||||||
|
host_all = module.params["host_all"]
|
||||||
state = module.params["state"]
|
state = module.params["state"]
|
||||||
priv = module.params["priv"]
|
priv = module.params["priv"]
|
||||||
check_implicit_admin = module.params['check_implicit_admin']
|
check_implicit_admin = module.params['check_implicit_admin']
|
||||||
|
|
@ -496,25 +570,27 @@ def main():
|
||||||
module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s" % e)
|
module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s" % e)
|
||||||
|
|
||||||
if state == "present":
|
if state == "present":
|
||||||
if user_exists(cursor, user, host):
|
if user_exists(cursor, user, host, host_all):
|
||||||
try:
|
try:
|
||||||
if update_password == 'always':
|
if update_password == 'always':
|
||||||
changed = user_mod(cursor, user, host, password, encrypted, priv, append_privs)
|
changed = user_mod(cursor, user, host, host_all, password, encrypted, priv, append_privs)
|
||||||
else:
|
else:
|
||||||
changed = user_mod(cursor, user, host, None, encrypted, priv, append_privs)
|
changed = user_mod(cursor, user, host, host_all, None, encrypted, priv, append_privs)
|
||||||
|
|
||||||
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
||||||
module.fail_json(msg=str(e))
|
module.fail_json(msg=str(e))
|
||||||
else:
|
else:
|
||||||
if password is None:
|
if password is None:
|
||||||
module.fail_json(msg="password parameter required when adding a user")
|
module.fail_json(msg="password parameter required when adding a user")
|
||||||
|
if host_all:
|
||||||
|
module.fail_json(msg="host_all parameter cannot be used when adding a user")
|
||||||
try:
|
try:
|
||||||
changed = user_add(cursor, user, host, password, encrypted, priv)
|
changed = user_add(cursor, user, host, host_all, password, encrypted, priv)
|
||||||
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
||||||
module.fail_json(msg=str(e))
|
module.fail_json(msg=str(e))
|
||||||
elif state == "absent":
|
elif state == "absent":
|
||||||
if user_exists(cursor, user, host):
|
if user_exists(cursor, user, host, host_all):
|
||||||
changed = user_delete(cursor, user, host)
|
changed = user_delete(cursor, user, host, host_all)
|
||||||
else:
|
else:
|
||||||
changed = False
|
changed = False
|
||||||
module.exit_json(changed=changed, user=user)
|
module.exit_json(changed=changed, user=user)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue