@ -47,6 +47,15 @@ options:
- the ' host ' part of the MySQL username
- the ' host ' part of the MySQL username
required : false
required : false
default : localhost
default : localhost
host_all :
description :
- override the host option , making ansible apply changes to
all hostnames for a given user . This option cannot be used
when creating users
required : false
choices : [ " yes " , " no " ]
default : " no "
version_added : " 2.1 "
login_user :
login_user :
description :
description :
- The username used to authenticate with
- The username used to authenticate with
@ -132,6 +141,12 @@ author: "Jonathan Mainguy (@Jmainguy)"
''' '''
EXAMPLES = """ EXAMPLES = """
# Removes anonymous user account for localhost
- mysql_user : name = ' ' host = localhost state = absent
# Removes all anonymous user accounts
- mysql_user : name = ' ' host_all = yes state = absent
# Create database user with name 'bob' and password '12345' with all database privileges # Create database user with name 'bob' and password '12345' with all database privileges
- mysql_user : name = bob password = 12345 priv = * . * : ALL state = present - mysql_user : name = bob password = 12345 priv = * . * : ALL state = present
@ -144,9 +159,12 @@ EXAMPLES = """
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself. # Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
- mysql_user : name = bob append_privs = true priv = * . * : REQUIRESSL state = present - mysql_user : name = bob append_privs = true priv = * . * : REQUIRESSL state = present
# Ensure no user named 'sally' exists, also passing in the auth credentials.# Ensure no user named 'sally' @'localhost' exists, also passing in the auth credentials.
- mysql_user : login_user = root login_password = 123456 name = sally state = absent - mysql_user : login_user = root login_password = 123456 name = sally state = absent
# Ensure no user named 'sally' exists at all
- mysql_user : name = sally host_all = yes state = absent
# Specify grants composed of more than one word # Specify grants composed of more than one word
- mysql_user : name = replication password = 12345 priv = * . * : " REPLICATION CLIENT " state = present - mysql_user : name = replication password = 12345 priv = * . * : " REPLICATION CLIENT " state = present
@ -231,16 +249,25 @@ def server_version_check(cursor):
else :
else :
return False
return False
def user_exists ( cursor , user , host ) : def user_exists ( cursor , user , host , host_all ) :
if host_all :
cursor . execute ( " SELECT count(*) FROM user WHERE user = %s " , user )
else :
cursor . execute ( " SELECT count(*) FROM user WHERE user = %s AND host = %s " , ( user , host ) )
cursor . execute ( " SELECT count(*) FROM user WHERE user = %s AND host = %s " , ( user , host ) )
count = cursor . fetchone ( )
count = cursor . fetchone ( )
return count [ 0 ] > 0
return count [ 0 ] > 0
def user_add ( cursor , user , host , password , encrypted , new_priv ) : def user_add ( cursor , user , host , host_all , password , encrypted , new_priv ) :
# we cannot create users without a proper hostname
if host_all :
return False
if password and encrypted :
if password and encrypted :
cursor . execute ( " CREATE USER %s @ %s IDENTIFIED BY PASSWORD %s " , ( user , host , password ) )
cursor . execute ( " CREATE USER %s @ %s IDENTIFIED BY PASSWORD %s " , ( user , host , password ) )
elif password and not encrypted :
elif password and not encrypted :
cursor . execute ( " CREATE USER %s @ %s IDENTIFIED BY %s " , ( user , host , password ) )
cursor . execute ( " CREATE USER %s @ %s IDENTIFIED BY %s " , ( user , host , password ) )
if new_priv is not None :
if new_priv is not None :
for db_table , priv in new_priv . iteritems ( ) :
for db_table , priv in new_priv . iteritems ( ) :
privileges_grant ( cursor , user , host , db_table , priv )
privileges_grant ( cursor , user , host , db_table , priv )
@ -253,10 +280,16 @@ def is_hash(password):
ishash = True
ishash = True
return ishash
return ishash
def user_mod ( cursor , user , host , , encrypted , new_priv , append_privs ) : def user_mod ( cursor , user , host , host_all, password, encrypted , new_priv , append_privs ) :
changed = False
changed = False
grant_option = False
grant_option = False
if host_all :
hostnames = user_get_hostnames ( cursor , user )
else :
hostnames = [ host ]
for host in hostnames :
# Handle clear text and hashed passwords.
# Handle clear text and hashed passwords.
if bool ( password ) :
if bool ( password ) :
# Determine what user management method server uses
# Determine what user management method server uses
@ -293,6 +326,28 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
changed = True
changed = True
# Handle privileges
if new_priv is not None :
curr_priv = privileges_get ( cursor , user , host )
# If the user has privileges on a db.table that doesn't appear at all in
# the new specification, then revoke all privileges on it.
for db_table , priv in curr_priv . iteritems ( ) :
# If the user has the GRANT OPTION on a db.table, revoke it first.
if " GRANT " in priv :
grant_option = True
if db_table not in new_priv :
if user != " root " and " PROXY " not in priv and not append_privs :
privileges_revoke ( cursor , user , host , db_table , priv , grant_option )
changed = True
# If the user doesn't currently have any privileges on a db.table, then
# we can perform a straight grant operation.
for db_table , priv in new_priv . iteritems ( ) :
if db_table not in curr_priv :
privileges_grant ( cursor , user , host , db_table , priv )
changed = True
# Handle privileges
# Handle privileges
if new_priv is not None :
if new_priv is not None :
curr_priv = privileges_get ( cursor , user , host )
curr_priv = privileges_get ( cursor , user , host )
@ -328,10 +383,27 @@ def user_mod(cursor, user, host, password, encrypted, new_priv, append_privs):
return changed
return changed
def user_delete ( cursor , user , host ) : def user_delete ( cursor , user , host , host_all ) :
if host_all :
hostnames = user_get_hostnames ( cursor , user )
for hostname in hostnames :
cursor . execute ( " DROP USER %s @ %s " , ( user , hostname ) )
else :
cursor . execute ( " DROP USER %s @ %s " , ( user , host ) )
cursor . execute ( " DROP USER %s @ %s " , ( user , host ) )
return True
return True
def user_get_hostnames ( cursor , user ) :
cursor . execute ( " SELECT Host FROM mysql.user WHERE user = %s " , user )
hostnames_raw = cursor . fetchall ( )
hostnames = [ ]
for hostname_raw in hostnames_raw :
hostnames . append ( hostname_raw [ 0 ] )
return hostnames
def privileges_get ( cursor , user , host ) : def privileges_get ( cursor , user , host ) :
""" MySQL doesn ' t have a better method of getting privileges aside from the
""" MySQL doesn ' t have a better method of getting privileges aside from the
SHOW GRANTS query syntax , which requires us to then parse the returned string .
SHOW GRANTS query syntax , which requires us to then parse the returned string .
@ -451,6 +523,7 @@ def main():
password = dict ( default = None , no_log = True ) ,
password = dict ( default = None , no_log = True ) ,
encrypted = dict ( default = False , type = ' bool ' ) ,
encrypted = dict ( default = False , type = ' bool ' ) ,
host = dict ( default = " localhost " ) ,
host = dict ( default = " localhost " ) ,
host_all = dict ( type = " bool " , default = " no " ) ,
state = dict ( default = " present " , choices = [ " absent " , " present " ] ) ,
state = dict ( default = " present " , choices = [ " absent " , " present " ] ) ,
priv = dict ( default = None ) ,
priv = dict ( default = None ) ,
append_privs = dict ( default = False , type = ' bool ' ) ,
append_privs = dict ( default = False , type = ' bool ' ) ,
@ -465,6 +538,7 @@ def main():
password = module . params [ " password " ]
password = module . params [ " password " ]
encrypted = module . boolean ( module . params [ " encrypted " ] )
encrypted = module . boolean ( module . params [ " encrypted " ] )
host = module . params [ " host " ] . lower ( )
host = module . params [ " host " ] . lower ( )
host_all = module . params [ " host_all " ]
state = module . params [ " state " ]
state = module . params [ " state " ]
priv = module . params [ " priv " ]
priv = module . params [ " priv " ]
check_implicit_admin = module . params [ ' check_implicit_admin ' ]
check_implicit_admin = module . params [ ' check_implicit_admin ' ]
@ -496,25 +570,27 @@ def main():
module . fail_json ( msg = " unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s " % e )
module . fail_json ( msg = " unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials. Exception message: %s " % e )
if state == " present " :
if state == " present " :
if user_exists ( cursor , user , host :
if user_exists ( cursor , user , host , host_all ):
try :
try :
if update_password == ' always ' :
if update_password == ' always ' :
changed = user_mod ( cursor , user , host , , encrypted , priv , append_privs )
changed = user_mod ( cursor , user , host , host_all, password, encrypted , priv , append_privs )
else :
else :
changed = user_mod ( cursor , user , host , None , encrypted , priv , append_privs )
changed = user_mod ( cursor , user , host , host_all , None , encrypted , priv , append_privs )
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
module . fail_json ( msg = str ( e ) )
module . fail_json ( msg = str ( e ) )
else :
else :
if password is None :
if password is None :
module . fail_json ( msg = " password parameter required when adding a user " )
module . fail_json ( msg = " password parameter required when adding a user " )
if host_all :
module . fail_json ( msg = " host_all parameter cannot be used when adding a user " )
try :
try :
changed = user_add ( cursor , user , host , password , encrypted , priv )
changed = user_add ( cursor , user , host , host_all, password, encrypted , priv )
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
except ( SQLParseError , InvalidPrivsError , MySQLdb . Error ) , e :
module . fail_json ( msg = str ( e ) )
module . fail_json ( msg = str ( e ) )
elif state == " absent " :
elif state == " absent " :
if user_exists ( cursor , user , host :
if user_exists ( cursor , user , host , host_all ):
changed = user_delete ( cursor , user , host
changed = user_delete ( cursor , user , host , host_all )
else :
else :
changed = False
changed = False
module . exit_json ( changed = changed , user = user )
module . exit_json ( changed = changed , user = user )
Toshio Kuratomi
9 years ago