mysql_user: add option to reuse password of existing user when creating a new one #344
Comments
Hello @betanummeric Can't this be solved outside of mysql.user by using items and adding hosts to the list as required:
This works for all kinds of auth methods and no need to read the hashes ...
Hi @hubiongithub, my point is that I want to reuse a password/hash which only exists on the mysql/mariadb instance - I don't know it in the inventory or playbook. (The truth lies in the database, not in ansible.) Of course I can query the existing hash outside of the mysql_user module and pass it there with My PR just looks for an existing
As @hubiongithub already said, you have an easy alternative solution, which is storing credentials in a vault and setting them with a loop, using the same credentials for the same usernames. It seems a very specific use case to me. In what situation do you need to manage database users without managing their credentials?
Hi @rsicart I have a desired state of database users, each of which consists of a name and a list of allowed source addresses. I am using the module to ensure the desired users exist on the MySQL/MariaDB instance. I create a user with a generated initial password and send the password to the person who owns the user with the request to change it. I am not storing the password in the desired state because a database user can change its own password anytime (and is encouraged to do so) and I don't want to break access by overwriting the changed password. So far, this works fine with In MySQL/MariaDB, a password is an attribute of a username-address-pair. I want to simplify that, so that the same password is used for all addresses of the same username. This makes it consistent with PostgreSQL. Hence, when creating a new username-address-pair and a different pair with the same username already exists, I need to reuse the password and can skip sending an initial password to the person owning the user. This part can be implemented with the proposed I thought that others may find that useful too, so I implemented it in the module. If you say this is too specific, I am fine with putting the logic in my own code outside of the module.
Hey, thanks for the details, I understand better now. I'm not closed to that, just want to be sure to understand. I'd like to know what other collaborators think about that :) @
@betanummeric thanks for bringing this up! My opinion: the case feels specific to me to introduce a new value for that (though I'm not a user).
Are there any more opinions? Can we decide on merging or rejecting?
My opinion is that what @betanummeric asks is not that silly: I don't have the use case but I would have the same workflow if I needed to alter user settings without knowing its password. Moreover I ask users to set their own passwords, which I never store, which means if I need to manipulate user data, all I'll have is a hash. The main difficulty IMHO is the implementation: will someone work on it? 😉
Hi @bmalynovytch, I already implemented it, see PR #365.
Sorry for the noise ^^
ISSUE TYPE
COMPONENT NAME
mysql_user
SUMMARY
In MySQL/MariaDB the password is a property of a username-source-address-combination. However, I want to use the same password per username, for all source addresses of that username. (I only need password authentication, I'm not sure how this generalizes to other authentication methods).
For that, I would need to reuse the existing password when creating a new user with the same name. This new behavior could be enabled with a new value for the existing module argument: `update_password: on_new_username`.

For further processing, I need a `password_changed` boolean in the module return object. This could/should also be used to indicate whether the password of an existing user was changed.

I can submit a PR for this.
EXAMPLE
When I request a new user with

`"test"@"localhost"` already exists with password `existingpassword`, I would like to get the user `"test"@"2001:db8::1"` with password `existingpassword` (and ignore the `newpassword`). `password_changed` should be `false`.

`newpassword`. `password_changed` should be `true`.

`test`, the `"test"@"2001:db8::1"` user is created normally with the password `newpassword`. `password_changed` should be `true`.
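
The creation rule requested above, modelled as a pure decision function. This is an added example, not code from the issue, from PR #365 or from the mysql_user module; `Plan`, `plan_new_pair`, the sample hash strings and the choice to refuse when a username already has differing hashes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (username, host) -> stored password hash, as read from the database server
Accounts = Dict[Tuple[str, str], str]


@dataclass(frozen=True)
class Plan:
    action: str                       # "create" or "create_reusing_hash"
    password_changed: bool            # value the module would report
    reused_from: Optional[str] = None # host whose stored hash is copied


def plan_new_pair(existing: Accounts, name: str, host: str,
                  update_password: str = "on_new_username") -> Plan:
    """Decide how to create name@host when that exact pair does not exist yet."""
    if (name, host) in existing:
        # Updating an existing pair is outside what this sketch models.
        raise ValueError("pair already exists; not modelled here")
    if update_password != "on_new_username":
        return Plan("create", True)   # ordinary creation with the given password
    # Other hosts that already carry the same username, with their hashes.
    siblings = {h: pw for (n, h), pw in existing.items() if n == name}
    if not siblings:
        return Plan("create", True)   # no user with this name: use new password
    if len(set(siblings.values())) > 1:
        # Assumption: refuse instead of silently picking one of several hashes.
        raise LookupError(f"{name!r} has differing hashes on {sorted(siblings)}")
    # Copy the stored hash; the supplied new password is ignored.
    return Plan("create_reusing_hash", False, reused_from=sorted(siblings)[0])


# Constructed sample state; the hash values are placeholders, not real hashes.
SAMPLE: Accounts = {("test", "localhost"): "*PLACEHOLDER_HASH_A"}

if __name__ == "__main__":
    print(plan_new_pair(SAMPLE, "test", "2001:db8::1"))
    print(plan_new_pair({}, "test", "2001:db8::1"))
```

Because only the stored hash is copied, the plaintext never has to be known to the playbook, and a caller can use `password_changed` to decide whether an initial password needs to be sent to the account owner.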