|
|
@ -200,12 +200,19 @@ def user_exists(cursor, user, host, host_all):
|
|
|
|
count = cursor.fetchone()
|
|
|
|
count = cursor.fetchone()
|
|
|
|
return count[0] > 0
|
|
|
|
return count[0] > 0
|
|
|
|
|
|
|
|
|
|
|
|
def user_add(cursor, user, host, host_all, password, new_priv):
|
|
|
|
def user_add(cursor, user, host, host_all, password, encrypted, new_priv, check_mode):
|
|
|
|
# we cannot create users without a proper hostname
|
|
|
|
# we cannot create users without a proper hostname
|
|
|
|
if host_all:
|
|
|
|
if host_all:
|
|
|
|
return False
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if password and encrypted:
|
|
|
|
|
|
|
|
cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user,host,password))
|
|
|
|
|
|
|
|
elif password and not encrypted:
|
|
|
|
|
|
|
|
cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
|
|
|
|
|
|
|
|
|
|
|
|
if new_priv is not None:
|
|
|
|
if new_priv is not None:
|
|
|
|
for db_table, priv in new_priv.iteritems():
|
|
|
|
for db_table, priv in new_priv.iteritems():
|
|
|
|
privileges_grant(cursor, user,host,db_table,priv)
|
|
|
|
privileges_grant(cursor, user,host,db_table,priv)
|
|
|
@ -218,7 +225,7 @@ def is_hash(password):
|
|
|
|
ishash = True
|
|
|
|
ishash = True
|
|
|
|
return ishash
|
|
|
|
return ishash
|
|
|
|
|
|
|
|
|
|
|
|
def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
def user_mod(cursor, user, host, host_all, password, encrypted, new_priv, append_privs, check_mode):
|
|
|
|
changed = False
|
|
|
|
changed = False
|
|
|
|
grant_option = False
|
|
|
|
grant_option = False
|
|
|
|
|
|
|
|
|
|
|
@ -235,17 +242,39 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
hostnames = [host]
|
|
|
|
hostnames = [host]
|
|
|
|
|
|
|
|
|
|
|
|
for host in hostnames:
|
|
|
|
for host in hostnames:
|
|
|
|
# Handle passwords
|
|
|
|
# Handle clear text and hashed passwords.
|
|
|
|
if password is not None:
|
|
|
|
if bool(password):
|
|
|
|
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
|
|
|
|
# Determine what user management method server uses
|
|
|
|
else:
|
|
|
|
old_user_mgmt = server_version_check(cursor)
|
|
|
|
cursor.execute("SELECT authentication_string FROM user WHERE user = %s AND host = %s", (user,host))
|
|
|
|
|
|
|
|
current_pass_hash = cursor.fetchone()
|
|
|
|
if old_user_mgmt:
|
|
|
|
|
|
|
|
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
|
|
|
|
if encrypted:
|
|
|
|
else:
|
|
|
|
encrypted_string = (password)
|
|
|
|
cursor.execute("SELECT authentication_string FROM user WHERE user = %s AND host = %s", (user,host))
|
|
|
|
if is_hash(password):
|
|
|
|
current_pass_hash = cursor.fetchone()
|
|
|
|
if current_pass_hash[0] != encrypted_string:
|
|
|
|
|
|
|
|
|
|
|
|
if encrypted:
|
|
|
|
|
|
|
|
encrypted_string = (password)
|
|
|
|
|
|
|
|
if is_hash(password):
|
|
|
|
|
|
|
|
if current_pass_hash[0] != encrypted_string:
|
|
|
|
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
if old_user_mgmt:
|
|
|
|
|
|
|
|
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
cursor.execute("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, password))
|
|
|
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
module.fail_json(msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))")
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
if old_user_mgmt:
|
|
|
|
|
|
|
|
cursor.execute("SELECT PASSWORD(%s)", (password,))
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
|
|
|
|
|
|
|
|
new_pass_hash = cursor.fetchone()
|
|
|
|
|
|
|
|
if current_pass_hash[0] != new_pass_hash[0]:
|
|
|
|
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
if old_user_mgmt:
|
|
|
|
if old_user_mgmt:
|
|
|
|
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
|
|
|
|
cursor.execute("SET PASSWORD FOR %s@%s = %s", (user, host, password))
|
|
|
|
else:
|
|
|
|
else:
|
|
|
@ -264,6 +293,8 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
grant_option = True
|
|
|
|
grant_option = True
|
|
|
|
if db_table not in new_priv:
|
|
|
|
if db_table not in new_priv:
|
|
|
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
|
|
|
if user != "root" and "PROXY" not in priv and not append_privs:
|
|
|
|
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
|
|
|
privileges_revoke(cursor, user,host,db_table,priv,grant_option)
|
|
|
|
changed = True
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
@ -271,6 +302,8 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
# we can perform a straight grant operation.
|
|
|
|
# we can perform a straight grant operation.
|
|
|
|
for db_table, priv in new_priv.iteritems():
|
|
|
|
for db_table, priv in new_priv.iteritems():
|
|
|
|
if db_table not in curr_priv:
|
|
|
|
if db_table not in curr_priv:
|
|
|
|
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
privileges_grant(cursor, user,host,db_table,priv)
|
|
|
|
privileges_grant(cursor, user,host,db_table,priv)
|
|
|
|
changed = True
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
@ -280,6 +313,8 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
for db_table in db_table_intersect:
|
|
|
|
for db_table in db_table_intersect:
|
|
|
|
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
|
|
|
priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
|
|
|
|
if (len(priv_diff) > 0):
|
|
|
|
if (len(priv_diff) > 0):
|
|
|
|
|
|
|
|
if check_mode:
|
|
|
|
|
|
|
|
return True
|
|
|
|
if not append_privs:
|
|
|
|
if not append_privs:
|
|
|
|
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
|
|
|
privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option)
|
|
|
|
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
|
|
|
privileges_grant(cursor, user,host,db_table,new_priv[db_table])
|
|
|
@ -287,7 +322,10 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
|
|
|
|
|
|
|
|
|
|
|
|
return changed
|
|
|
|
return changed
|
|
|
|
|
|
|
|
|
|
|
|
def user_delete(cursor, user, host, host_all):
|
|
|
|
def user_delete(cursor, user, host, host_all, check_mode):
|
|
|
|
|
|
|
|
if module.check_mode:
|
|
|
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
|
if host_all:
|
|
|
|
if host_all:
|
|
|
|
hostnames = user_get_hostnames(cursor, user)
|
|
|
|
hostnames = user_get_hostnames(cursor, user)
|
|
|
|
|
|
|
|
|
|
|
@ -437,7 +475,8 @@ def main():
|
|
|
|
ssl_cert=dict(default=None),
|
|
|
|
ssl_cert=dict(default=None),
|
|
|
|
ssl_key=dict(default=None),
|
|
|
|
ssl_key=dict(default=None),
|
|
|
|
ssl_ca=dict(default=None),
|
|
|
|
ssl_ca=dict(default=None),
|
|
|
|
)
|
|
|
|
),
|
|
|
|
|
|
|
|
supports_check_mode=True
|
|
|
|
)
|
|
|
|
)
|
|
|
|
login_user = module.params["login_user"]
|
|
|
|
login_user = module.params["login_user"]
|
|
|
|
login_password = module.params["login_password"]
|
|
|
|
login_password = module.params["login_password"]
|
|
|
@ -484,9 +523,9 @@ def main():
|
|
|
|
if user_exists(cursor, user, host):
|
|
|
|
if user_exists(cursor, user, host):
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
if update_password == 'always':
|
|
|
|
if update_password == 'always':
|
|
|
|
changed = user_mod(cursor, user, host, password, encrypted, priv, append_privs)
|
|
|
|
changed = user_mod(cursor, user, host, host_all, password, encrypted, priv, append_privs, module.check_mode)
|
|
|
|
else:
|
|
|
|
else:
|
|
|
|
changed = user_mod(cursor, user, host, None, encrypted, priv, append_privs)
|
|
|
|
changed = user_mod(cursor, user, host, host_all, None, encrypted, priv, append_privs, module.check_mode)
|
|
|
|
|
|
|
|
|
|
|
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
|
|
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
|
|
|
module.fail_json(msg=str(e))
|
|
|
|
module.fail_json(msg=str(e))
|
|
|
@ -496,12 +535,12 @@ def main():
|
|
|
|
if host_all:
|
|
|
|
if host_all:
|
|
|
|
module.fail_json(msg="host_all parameter cannot be used when adding a user")
|
|
|
|
module.fail_json(msg="host_all parameter cannot be used when adding a user")
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
changed = user_add(cursor, user, host, host_all, password, priv)
|
|
|
|
changed = user_add(cursor, user, host, host_all, password, encrypted, priv, module.check_mode)
|
|
|
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
|
|
|
except (SQLParseError, InvalidPrivsError, MySQLdb.Error), e:
|
|
|
|
module.fail_json(msg=str(e))
|
|
|
|
module.fail_json(msg=str(e))
|
|
|
|
elif state == "absent":
|
|
|
|
elif state == "absent":
|
|
|
|
if user_exists(cursor, user, host, host_all):
|
|
|
|
if user_exists(cursor, user, host, host_all):
|
|
|
|
changed = user_delete(cursor, user, host, host_all)
|
|
|
|
changed = user_delete(cursor, user, host, host_all, module.check_mode)
|
|
|
|
else:
|
|
|
|
else:
|
|
|
|
changed = False
|
|
|
|
changed = False
|
|
|
|
module.exit_json(changed=changed, user=user)
|
|
|
|
module.exit_json(changed=changed, user=user)
|
|
|
|