Skip to content

Commit

Permalink
mysql_user: replace VALID_PRIVS by get_valid_privs() function (ansibl…
Browse files Browse the repository at this point in the history 
…e-collections#217)

* mysql_user: replace VALID_PRIVS by get_valid_privs() function

* Add EXTRA_PRIVS in case we need to add more privs in the future

* Add changelog fragment
  • Loading branch information
@rsicart
rsicart authored Sep 23, 2021
1 parent 4de0e25 commit 0ce1fa1
Show file tree
Hide file tree
Showing 4 changed files with 19 additions and 40 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/217-mysql-user-replace-get-valid-privs-from-show-privilegees.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
minor_changes:
- mysql_user - replace VALID_PRIVS constant by get_valid_privs() function (https://github.com/ansible-collections/community.mysql/pull/217).
49 changes: 11 additions & 38 deletions plugins/module_utils/user.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,41 +19,7 @@
)


VALID_PRIVS = frozenset(('CREATE', 'DROP', 'GRANT', 'GRANT OPTION',
'LOCK TABLES', 'REFERENCES', 'EVENT', 'ALTER',
'DELETE', 'INDEX', 'INSERT', 'SELECT', 'UPDATE',
'CREATE TEMPORARY TABLES', 'TRIGGER', 'CREATE VIEW',
'SHOW VIEW', 'ALTER ROUTINE', 'CREATE ROUTINE',
'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER',
'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT',
'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN',
'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE',
'REQUIRESSL', # Deprecated, to be removed in version 3.0.0
'CREATE ROLE', 'DROP ROLE', 'APPLICATION_PASSWORD_ADMIN',
'AUDIT_ADMIN', 'BACKUP_ADMIN', 'BINLOG_ADMIN',
'BINLOG_ENCRYPTION_ADMIN', 'CLONE_ADMIN', 'CONNECTION_ADMIN',
'ENCRYPTION_KEY_ADMIN', 'FIREWALL_ADMIN', 'FIREWALL_USER',
'GROUP_REPLICATION_ADMIN', 'INNODB_REDO_LOG_ARCHIVE',
'NDB_STORED_USER', 'PERSIST_RO_VARIABLES_ADMIN',
'REPLICATION_APPLIER', 'REPLICATION_SLAVE_ADMIN',
'RESOURCE_GROUP_ADMIN', 'RESOURCE_GROUP_USER',
'ROLE_ADMIN', 'SESSION_VARIABLES_ADMIN', 'SET_USER_ID',
'SYSTEM_USER', 'SYSTEM_VARIABLES_ADMIN', 'SYSTEM_USER',
'TABLE_ENCRYPTION_ADMIN', 'VERSION_TOKEN_ADMIN',
'XA_RECOVER_ADMIN', 'LOAD FROM S3', 'SELECT INTO S3',
'INVOKE LAMBDA',
'ALTER ROUTINE',
'BINLOG ADMIN',
'BINLOG MONITOR',
'BINLOG REPLAY',
'CONNECTION ADMIN',
'READ_ONLY ADMIN',
'REPLICATION MASTER ADMIN',
'REPLICATION SLAVE ADMIN',
'SET USER',
'SHOW_ROUTINE',
'SLAVE MONITOR',
'REPLICA MONITOR',))
EXTRA_PRIVS = ['ALL', 'ALL PRIVILEGES', 'GRANT', 'REQUIRESSL']


class InvalidPrivsError(Exception):
Expand Down Expand Up @@ -141,6 +107,13 @@ def get_tls_requires(cursor, user, host):
return requires or None


def get_valid_privs(cursor):
cursor.execute("SHOW PRIVILEGES")
show_privs = [priv[0].upper() for priv in cursor.fetchall()]
all_privs = show_privs + EXTRA_PRIVS
return frozenset(all_privs)


def get_grants(cursor, user, host):
cursor.execute("SHOW GRANTS FOR %s@%s", (user, host))
grants_line = list(filter(lambda x: "ON *.*" in x[0], cursor.fetchall()))[0]
Expand Down Expand Up @@ -583,7 +556,7 @@ def sort_column_order(statement):
return '%s(%s)' % (priv_name, ', '.join(columns))


def privileges_unpack(priv, mode):
def privileges_unpack(priv, mode, valid_privs):
""" Take a privileges string, typically passed as a parameter, and unserialize
it into a dictionary, the same format as privileges_get() above. We have this
custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
Expand Down Expand Up @@ -630,8 +603,8 @@ def privileges_unpack(priv, mode):
output[pieces[0]] = normalize_col_grants(output[pieces[0]])

new_privs = frozenset(privs)
if not new_privs.issubset(VALID_PRIVS):
raise InvalidPrivsError('Invalid privileges specified: %s' % new_privs.difference(VALID_PRIVS))
if not new_privs.issubset(valid_privs):
raise InvalidPrivsError('Invalid privileges specified: %s' % new_privs.difference(valid_privs))

if '*.*' not in output:
output['*.*'] = ['USAGE']
Expand Down
4 changes: 3 additions & 1 deletion plugins/modules/mysql_role.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,7 @@
get_mode,
user_mod,
privileges_grant,
get_valid_privs,
privileges_unpack,
)
from ansible.module_utils._text import to_native
Expand Down Expand Up @@ -1013,7 +1014,8 @@ def main():
module.fail_json(msg=to_native(e))

try:
priv = privileges_unpack(priv, mode)
valid_privs = get_valid_privs(cursor)
priv = privileges_unpack(priv, mode, valid_privs)
except Exception as e:
module.fail_json(msg='Invalid privileges string: %s' % to_native(e))

Expand Down
4 changes: 3 additions & 1 deletion plugins/modules/mysql_user.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -318,6 +318,7 @@
handle_requiressl_in_priv_string,
InvalidPrivsError,
limit_resources,
get_valid_privs,
privileges_unpack,
sanitize_requires,
user_add,
Expand Down Expand Up @@ -421,7 +422,8 @@ def main():
except Exception as e:
module.fail_json(msg=to_native(e))
try:
priv = privileges_unpack(priv, mode)
valid_privs = get_valid_privs(cursor)
priv = privileges_unpack(priv, mode, valid_privs)
except Exception as e:
module.fail_json(msg="invalid privileges string: %s" % to_native(e))

Expand Down

0 comments on commit 0ce1fa1

Please sign in to comment.