- mysql: add user_anonymous parameter, which interacts with anonymous

users
- mysql; add host_all parameter, which forces iteration over all
  'user'@... matches
This commit is contained in:
Lee Hardy 2015-10-22 13:45:50 +01:00
parent 2e49d89be7
commit acdde856c5

View file

@ -30,6 +30,13 @@ options:
description: description:
- name of the user (role) to add or remove - name of the user (role) to add or remove
required: true required: true
user_anonymous:
description:
- username is to be ignored and anonymous users with no username
handled
required: false
choices: [ "yes", "no" ]
default: no
password: password:
description: description:
- set the user's password - set the user's password
@ -40,6 +47,14 @@ options:
- the 'host' part of the MySQL username - the 'host' part of the MySQL username
required: false required: false
default: localhost default: localhost
host_all:
description:
- override the host option, making ansible apply changes to
all hostnames for a given user. This option cannot be used
when creating users
required: false
choices: [ "yes", "no" ]
default: "no"
login_user: login_user:
description: description:
- The username used to authenticate with - The username used to authenticate with
@ -133,9 +148,12 @@ EXAMPLES = """
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself. # Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
- mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present - mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present
# Ensure no user named 'sally' exists, also passing in the auth credentials. # Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials.
- mysql_user: login_user=root login_password=123456 name=sally state=absent - mysql_user: login_user=root login_password=123456 name=sally state=absent
# Ensure no user named 'sally' exists at all
- mysql_user: name=sally host_all=yes state=absent
# Specify grants composed of more than one word # Specify grants composed of more than one word
- mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present - mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present
@ -206,22 +224,38 @@ def connect(module, login_user=None, login_password=None, config_file=''):
db_connection = MySQLdb.connect(**config) db_connection = MySQLdb.connect(**config)
return db_connection.cursor() return db_connection.cursor()
def user_exists(cursor, user, host): def user_exists(cursor, user, host, host_all):
if host_all:
cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host)) cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
else:
cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
count = cursor.fetchone() count = cursor.fetchone()
return count[0] > 0 return count[0] > 0
def user_add(cursor, user, host, password, new_priv): def user_add(cursor, user, host, host_all, password, new_priv):
# we cannot create users without a proper hostname
if host_all:
return False
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password)) cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
if new_priv is not None: if new_priv is not None:
for db_table, priv in new_priv.iteritems(): for db_table, priv in new_priv.iteritems():
privileges_grant(cursor, user,host,db_table,priv) privileges_grant(cursor, user,host,db_table,priv)
return True return True
def user_mod(cursor, user, host, password, new_priv, append_privs): def user_mod(cursor, user, host, host_all, password, new_priv, append_privs):
changed = False changed = False
grant_option = False grant_option = False
# to simplify code, if we have a specific host and no host_all, we create
# a list with just host and loop over that
if host_all:
hostnames = user_get_hostnames(cursor, user)
else:
hostnames = [host]
for host in hostnames:
# Handle passwords # Handle passwords
if password is not None: if password is not None:
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host)) cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
@ -267,10 +301,27 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
return changed return changed
def user_delete(cursor, user, host): def user_delete(cursor, user, host, host_all):
if host_all:
hostnames = user_get_hostnames(cursor, user)
for hostname in hostnames:
cursor.execute("DROP USER %s@%s", (user, hostname))
else:
cursor.execute("DROP USER %s@%s", (user, host)) cursor.execute("DROP USER %s@%s", (user, host))
return True return True
def user_get_hostnames(cursor, user):
cursor.execute("SELECT Host FROM mysql.user WHERE user = %s", user)
hostnames_raw = cursor.fetchall()
hostnames = []
for hostname_raw in hostnames_raw:
hostnames.append(hostname_raw[0])
return hostnames
def privileges_get(cursor, user,host): def privileges_get(cursor, user,host):
""" MySQL doesn't have a better method of getting privileges aside from the """ MySQL doesn't have a better method of getting privileges aside from the
SHOW GRANTS query syntax, which requires us to then parse the returned string. SHOW GRANTS query syntax, which requires us to then parse the returned string.
@ -387,8 +438,10 @@ def main():
login_port=dict(default=3306, type='int'), login_port=dict(default=3306, type='int'),
login_unix_socket=dict(default=None), login_unix_socket=dict(default=None),
user=dict(required=True, aliases=['name']), user=dict(required=True, aliases=['name']),
user_anonymous=dict(type="bool", default="no"),
password=dict(default=None, no_log=True), password=dict(default=None, no_log=True),
host=dict(default="localhost"), host=dict(default="localhost"),
host_all=dict(type="bool", default="no"),
state=dict(default="present", choices=["absent", "present"]), state=dict(default="present", choices=["absent", "present"]),
priv=dict(default=None), priv=dict(default=None),
append_privs=dict(default=False, type='bool'), append_privs=dict(default=False, type='bool'),
@ -400,8 +453,10 @@ def main():
login_user = module.params["login_user"] login_user = module.params["login_user"]
login_password = module.params["login_password"] login_password = module.params["login_password"]
user = module.params["user"] user = module.params["user"]
user_anonymous = module.params["user_anonymous"]
password = module.params["password"] password = module.params["password"]
host = module.params["host"].lower() host = module.params["host"].lower()
host_all = module.params["host_all"]
state = module.params["state"] state = module.params["state"]
priv = module.params["priv"] priv = module.params["priv"]
check_implicit_admin = module.params['check_implicit_admin'] check_implicit_admin = module.params['check_implicit_admin']
@ -409,6 +464,9 @@ def main():
append_privs = module.boolean(module.params["append_privs"]) append_privs = module.boolean(module.params["append_privs"])
update_password = module.params['update_password'] update_password = module.params['update_password']
if user_anonymous:
user = ''
config_file = os.path.expanduser(os.path.expandvars(config_file)) config_file = os.path.expanduser(os.path.expandvars(config_file))
if not mysqldb_found: if not mysqldb_found:
module.fail_json(msg="the python mysqldb module is required") module.fail_json(msg="the python mysqldb module is required")
@ -433,25 +491,27 @@ def main():
module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s" % e) module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s" % e)
if state == "present": if state == "present":
if user_exists(cursor, user, host): if user_exists(cursor, user, host, host_all):
try: try:
if update_password == 'always': if update_password == 'always':
changed = user_mod(cursor, user, host, password, priv, append_privs) changed = user_mod(cursor, user, host, host_all, password, priv, append_privs)
else: else:
changed = user_mod(cursor, user, host, None, priv, append_privs) changed = user_mod(cursor, user, host, host_all, None, priv, append_privs)
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e: except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
module.fail_json(msg=str(e)) module.fail_json(msg=str(e))
else: else:
if password is None: if password is None:
module.fail_json(msg="password parameter required when adding a user") module.fail_json(msg="password parameter required when adding a user")
if host_all:
module.fail_json(msg="host_all parameter cannot be used when adding a user")
try: try:
changed = user_add(cursor, user, host, password, priv) changed = user_add(cursor, user, host, host_all, password, priv)
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e: except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
module.fail_json(msg=str(e)) module.fail_json(msg=str(e))
elif state == "absent": elif state == "absent":
if user_exists(cursor, user, host): if user_exists(cursor, user, host, host_all):
changed = user_delete(cursor, user, host) changed = user_delete(cursor, user, host, host_all)
else: else:
changed = False changed = False
module.exit_json(changed=changed, user=user) module.exit_json(changed=changed, user=user)