Add grants to influxdb_user (#46216)

* add grants management for module influxdb_user

* influxdb_user : add documentation for the "grants" argument
pull/55054/head
aperrin66 6 years ago committed by René Moser
parent 3cd98a9fcc
commit 6eedc4d075

@ -43,6 +43,14 @@ options:
- State of the user.
choices: [ present, absent ]
default: present
grants:
description:
- Privileges to grant to this user. Takes a list of dicts containing the
"database" and "privilege" keys.
- If this argument is not provided, the current grants will be left alone.
If an empty list is provided, all grants for the user will be removed.
default: None
version_added: 2.8
extends_documentation_fragment: influxdb
'''
@ -68,6 +76,18 @@ EXAMPLES = '''
login_username: "{{ influxdb_username }}"
login_password: "{{ influxdb_password }}"
- name: Create a user on localhost with privileges
influxdb_user:
user_name: john
user_password: s3cr3t
login_username: "{{ influxdb_username }}"
login_password: "{{ influxdb_password }}"
grants:
- database: 'collectd'
privilege: 'WRITE'
- database: 'graphite'
privilege: 'READ'
- name: Destroy a user using custom login credentials
influxdb_user:
user_name: john
@ -82,6 +102,7 @@ RETURN = '''
import ansible.module_utils.urls
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_native
import ansible.module_utils.influxdb as influx
@ -95,7 +116,7 @@ def find_user(module, client, user_name):
user_result = user
break
except (ansible.module_utils.urls.ConnectionError, influx.exceptions.InfluxDBClientError) as e:
module.fail_json(msg=str(e))
module.fail_json(msg=to_native(e))
return user_result
@ -107,7 +128,7 @@ def check_user_password(module, client, user_name, user_password):
if e.code == 401:
return False
except ansible.module_utils.urls.ConnectionError as e:
module.fail_json(msg=str(e))
module.fail_json(msg=to_native(e))
finally:
# restore previous user
client.switch_user(module.params['username'], module.params['password'])
@ -119,7 +140,7 @@ def set_user_password(module, client, user_name, user_password):
try:
client.set_user_password(user_name, user_password)
except ansible.module_utils.urls.ConnectionError as e:
module.fail_json(msg=str(e))
module.fail_json(msg=to_native(e))
def create_user(module, client, user_name, user_password, admin):
@ -127,9 +148,7 @@ def create_user(module, client, user_name, user_password, admin):
try:
client.create_user(user_name, user_password, admin)
except ansible.module_utils.urls.ConnectionError as e:
module.fail_json(msg=str(e))
module.exit_json(changed=True)
module.fail_json(msg=to_native(e))
def drop_user(module, client, user_name):
@ -142,13 +161,51 @@ def drop_user(module, client, user_name):
module.exit_json(changed=True)
def set_user_grants(module, client, user_name, grants):
changed = False
try:
current_grants = client.get_list_privileges(user_name)
# Fix privileges wording
for i, v in enumerate(current_grants):
if v['privilege'] == 'ALL PRIVILEGES':
v['privilege'] = 'ALL'
current_grants[i] = v
elif v['privilege'] == 'NO PRIVILEGES':
del(current_grants[i])
# check if the current grants are included in the desired ones
for current_grant in current_grants:
if current_grant not in grants:
if not module.check_mode:
client.revoke_privilege(current_grant['privilege'],
current_grant['database'],
user_name)
changed = True
# check if the desired grants are included in the current ones
for grant in grants:
if grant not in current_grants:
if not module.check_mode:
client.grant_privilege(grant['privilege'],
grant['database'],
user_name)
changed = True
except influx.exceptions.InfluxDBClientError as e:
module.fail_json(msg=e.content)
return changed
def main():
argument_spec = influx.InfluxDb.influxdb_argument_spec()
argument_spec.update(
state=dict(default='present', type='str', choices=['present', 'absent']),
user_name=dict(required=True, type='str'),
user_password=dict(required=False, type='str', no_log=True),
admin=dict(default='False', type='bool')
admin=dict(default='False', type='bool'),
grants=dict(type='list')
)
module = AnsibleModule(
argument_spec=argument_spec,
@ -159,14 +216,15 @@ def main():
user_name = module.params['user_name']
user_password = module.params['user_password']
admin = module.params['admin']
grants = module.params['grants']
influxdb = influx.InfluxDb(module)
client = influxdb.connect_to_influxdb()
user = find_user(module, client, user_name)
if state == 'present':
if user:
changed = False
if state == 'present':
if user:
if not check_user_password(module, client, user_name, user_password) and user_password is not None:
set_user_password(module, client, user_name, user_password)
changed = True
@ -179,12 +237,18 @@ def main():
client.revoke_admin_privileges(user_name)
changed = True
except influx.exceptions.InfluxDBClientError as e:
module.fail_json(msg=str(e))
module.fail_json(msg=to_native(e))
module.exit_json(changed=changed)
else:
user_password = user_password or ''
create_user(module, client, user_name, user_password, admin)
changed = True
if grants is not None:
if set_user_grants(module, client, user_name, grants):
changed = True
module.exit_json(changed=changed)
if state == 'absent':
if user:

Loading…
Cancel
Save