- mysql: add user_anonymous parameter, which interacts with anonymous users - mysql; add host_all parameter, which forces iteration over all 'user'@... matches

pull/18777/head
Lee Hardy 9 years ago committed by Matt Clay
parent f435f887fa
commit 1113975741

@ -31,6 +31,13 @@ options:
- name of the user (role) to add or remove - name of the user (role) to add or remove
required: true required: true
default: null default: null
user_anonymous:
description:
- username is to be ignored and anonymous users with no username
handled
required: false
choices: [ "yes", "no" ]
default: no
password: password:
description: description:
- set the user's password. (Required when adding a user) - set the user's password. (Required when adding a user)
@ -48,6 +55,14 @@ options:
- the 'host' part of the MySQL username - the 'host' part of the MySQL username
required: false required: false
default: localhost default: localhost
host_all:
description:
- override the host option, making ansible apply changes to
all hostnames for a given user. This option cannot be used
when creating users
required: false
choices: [ "yes", "no" ]
default: "no"
login_user: login_user:
description: description:
- The username used to authenticate with - The username used to authenticate with
@ -145,9 +160,12 @@ EXAMPLES = """
# Modifiy user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself. # Modifiy user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
- mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present - mysql_user: name=bob append_privs=true priv=*.*:REQUIRESSL state=present
# Ensure no user named 'sally' exists, also passing in the auth credentials. # Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials.
- mysql_user: login_user=root login_password=123456 name=sally state=absent - mysql_user: login_user=root login_password=123456 name=sally state=absent
# Ensure no user named 'sally' exists at all
- mysql_user: name=sally host_all=yes state=absent
# Specify grants composed of more than one word # Specify grants composed of more than one word
- mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present - mysql_user: name=replication password=12345 priv=*.*:"REPLICATION CLIENT" state=present
@ -215,77 +233,46 @@ def connect(module, login_user=None, login_password=None, config_file=''):
db_connection = MySQLdb.connect(**config) db_connection = MySQLdb.connect(**config)
return db_connection.cursor() return db_connection.cursor()
# User Authentication Management was change in MySQL 5.7 def user_exists(cursor, user, host, host_all):
# This is a generic check for if the server version is less than version 5.7 if host_all:
def server_version_check(cursor): cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
cursor.execute("SELECT VERSION()");
result = cursor.fetchone()
version_str = result[0]
version = version_str.split('.')
if (int(version[0]) <= 5 and int(version[1]) < 7):
return True
else: else:
return False
def user_exists(cursor, user, host):
cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host)) cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
count = cursor.fetchone() count = cursor.fetchone()
return count[0] > 0 return count[0] > 0
def user_add(cursor, user, host, password, encrypted, new_priv): def user_add(cursor, user, host, host_all, password, new_priv):
if password and encrypted: # we cannot create users without a proper hostname
cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user,host,password)) if host_all:
elif password and not encrypted: return False
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password)) cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
if new_priv is not None: if new_priv is not None:
for db_table, priv in new_priv.iteritems(): for db_table, priv in new_priv.iteritems():
privileges_grant(cursor, user,host,db_table,priv) privileges_grant(cursor, user,host,db_table,priv)
return True return True
def is_hash(password): def user_mod(cursor, user, host, host_all, password, new_priv, append_privs):
ishash = False
if len(password) == 41 and password[0] == '*':
if frozenset(password[1:]).issubset(string.hexdigits):
ishash = True
return ishash
def user_mod(cursor, user, host, password, password_hash, new_priv, append_privs):
changed = False changed = False
grant_option = False grant_option = False
# Handle clear text and hashed passwords. # to simplify code, if we have a specific host and no host_all, we create
if bool(password): # a list with just host and loop over that
# Determine what user management method server uses if host_all:
old_user_mgmt = server_version_check(cursor) hostnames = user_get_hostnames(cursor, user)
else:
hostnames = [host]
if old_user_mgmt: for host in hostnames:
# Handle passwords
if password is not None:
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host)) cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
else:
cursor.execute("SELECT authentication_string FROM user WHERE user = %s AND host = %s", (user,host))
current_pass_hash = cursor.fetchone() current_pass_hash = cursor.fetchone()
if encrypted:
if is_hash(password):
if current_pass_hash[0] != encrypted:
if old_user_mgmt:
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
else:
cursor.execute("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, password))
changed = True
else:
module.fail_json(msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))")
else:
if old_user_mgmt:
cursor.execute("SELECT PASSWORD(%s)", (password,)) cursor.execute("SELECT PASSWORD(%s)", (password,))
else:
cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
new_pass_hash = cursor.fetchone() new_pass_hash = cursor.fetchone()
if current_pass_hash[0] != new_pass_hash[0]: if current_pass_hash[0] != new_pass_hash[0]:
if old_user_mgmt:
cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password)) cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password))
else:
cursor.execute("ALTER USER %s@%s IDENTIFIED BY %s", (user, host, password))
changed = True changed = True
# Handle privileges # Handle privileges
@ -323,10 +310,27 @@ def user_mod(cursor, user, host, password, password_hash, new_priv, append_privs
return changed return changed
def user_delete(cursor, user, host): def user_delete(cursor, user, host, host_all):
if host_all:
hostnames = user_get_hostnames(cursor, user)
for hostname in hostnames:
cursor.execute("DROP USER %s@%s", (user, hostname))
else:
cursor.execute("DROP USER %s@%s", (user, host)) cursor.execute("DROP USER %s@%s", (user, host))
return True return True
def user_get_hostnames(cursor, user):
cursor.execute("SELECT Host FROM mysql.user WHERE user = %s", user)
hostnames_raw = cursor.fetchall()
hostnames = []
for hostname_raw in hostnames_raw:
hostnames.append(hostname_raw[0])
return hostnames
def privileges_get(cursor, user,host): def privileges_get(cursor, user,host):
""" MySQL doesn't have a better method of getting privileges aside from the """ MySQL doesn't have a better method of getting privileges aside from the
SHOW GRANTS query syntax, which requires us to then parse the returned string. SHOW GRANTS query syntax, which requires us to then parse the returned string.
@ -443,9 +447,11 @@ def main():
login_port=dict(default=3306, type='int'), login_port=dict(default=3306, type='int'),
login_unix_socket=dict(default=None), login_unix_socket=dict(default=None),
user=dict(required=True, aliases=['name']), user=dict(required=True, aliases=['name']),
user_anonymous=dict(type="bool", default="no"),
password=dict(default=None, no_log=True), password=dict(default=None, no_log=True),
encrypted=dict(default=False, type='bool'), encrypted=dict(default=False, type='bool'),
host=dict(default="localhost"), host=dict(default="localhost"),
host_all=dict(type="bool", default="no"),
state=dict(default="present", choices=["absent", "present"]), state=dict(default="present", choices=["absent", "present"]),
priv=dict(default=None), priv=dict(default=None),
append_privs=dict(default=False, type='bool'), append_privs=dict(default=False, type='bool'),
@ -457,9 +463,11 @@ def main():
login_user = module.params["login_user"] login_user = module.params["login_user"]
login_password = module.params["login_password"] login_password = module.params["login_password"]
user = module.params["user"] user = module.params["user"]
user_anonymous = module.params["user_anonymous"]
password = module.params["password"] password = module.params["password"]
encrypted = module.boolean(module.params["encrypted"]) encrypted = module.boolean(module.params["encrypted"])
host = module.params["host"].lower() host = module.params["host"].lower()
host_all = module.params["host_all"]
state = module.params["state"] state = module.params["state"]
priv = module.params["priv"] priv = module.params["priv"]
check_implicit_admin = module.params['check_implicit_admin'] check_implicit_admin = module.params['check_implicit_admin']
@ -467,6 +475,10 @@ def main():
append_privs = module.boolean(module.params["append_privs"]) append_privs = module.boolean(module.params["append_privs"])
update_password = module.params['update_password'] update_password = module.params['update_password']
if user_anonymous:
user = ''
config_file = os.path.expanduser(os.path.expandvars(config_file))
if not mysqldb_found: if not mysqldb_found:
module.fail_json(msg="the python mysqldb module is required") module.fail_json(msg="the python mysqldb module is required")
@ -490,18 +502,27 @@ def main():
module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials") module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials")
if state == "present": if state == "present":
if user_exists(cursor, user, host): if user_exists(cursor, user, host, host_all):
changed = user_mod(cursor, user, host, password, password_hash, priv, append_privs) try:
if update_password == 'always':
changed = user_mod(cursor, user, host, host_all, password, priv, append_privs)
else:
changed = user_mod(cursor, user, host, host_all, None, priv, append_privs)
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
module.fail_json(msg=str(e))
else: else:
if password is None: if password is None:
module.fail_json(msg="password parameter required when adding a user") module.fail_json(msg="password parameter required when adding a user")
if host_all:
module.fail_json(msg="host_all parameter cannot be used when adding a user")
try: try:
changed = user_add(cursor, user, host, password, encrypted, priv) changed = user_add(cursor, user, host, host_all, password, priv)
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e: except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
module.fail_json(msg=str(e)) module.fail_json(msg=str(e))
elif state == "absent": elif state == "absent":
if user_exists(cursor, user, host): if user_exists(cursor, user, host, host_all):
changed = user_delete(cursor, user, host) changed = user_delete(cursor, user, host, host_all)
else: else:
changed = False changed = False
module.exit_json(changed=changed, user=user) module.exit_json(changed=changed, user=user)

Loading…
Cancel
Save