Added support for 'REQUIRE SSL' grant option

pull/18777/head
Bruce Pennypacker 10 years ago committed by Matt Clay
parent a3de4db57d
commit 9cbe3eb8ae

@ -117,6 +117,9 @@ EXAMPLES = """
# Creates database user 'bob' and password '12345' with all database privileges and 'WITH GRANT OPTION' # Creates database user 'bob' and password '12345' with all database privileges and 'WITH GRANT OPTION'
- mysql_user: name=bob password=12345 priv=*.*:ALL,GRANT state=present - mysql_user: name=bob password=12345 priv=*.*:ALL,GRANT state=present
# Modifiy user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
- mysql_user: name=bob append=true priv=*.*:REQUIRESSL state=present
# Ensure no user named 'sally' exists, also passing in the auth credentials. # Ensure no user named 'sally' exists, also passing in the auth credentials.
- mysql_user: login_user=root login_password=123456 name=sally state=absent - mysql_user: login_user=root login_password=123456 name=sally state=absent
@ -159,7 +162,7 @@ VALID_PRIVS = frozenset(('CREATE', 'DROP', 'GRANT', 'GRANT OPTION',
'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER', 'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER',
'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT', 'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT',
'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN', 'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN',
'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE',)) 'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE', 'REQUIRESSL'))
class InvalidPrivsError(Exception): class InvalidPrivsError(Exception):
pass pass
@ -261,6 +264,8 @@ def privileges_get(cursor, user,host):
privileges = [ pick(x) for x in privileges] privileges = [ pick(x) for x in privileges]
if "WITH GRANT OPTION" in res.group(4): if "WITH GRANT OPTION" in res.group(4):
privileges.append('GRANT') privileges.append('GRANT')
if "REQUIRE SSL" in res.group(4):
privileges.append('REQUIRESSL')
db = res.group(2) db = res.group(2)
output[db] = privileges output[db] = privileges
return output return output
@ -294,6 +299,11 @@ def privileges_unpack(priv):
if '*.*' not in output: if '*.*' not in output:
output['*.*'] = ['USAGE'] output['*.*'] = ['USAGE']
# if we are only specifying something like REQUIRESSL in *.* we still need
# to add USAGE as a privilege to avoid syntax errors
if priv.find('REQUIRESSL') != -1 and 'USAGE' not in output['*.*']:
output['*.*'].append('USAGE')
return output return output
def privileges_revoke(cursor, user,host,db_table,grant_option): def privileges_revoke(cursor, user,host,db_table,grant_option):
@ -307,19 +317,28 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')] query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')]
query.append("FROM %s@%s") query.append("FROM %s@%s")
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, (user, host)) try:
cursor.execute(query, (user, host))
except Exception, e:
raise Exception("%s. Query=\"%s\"" % (str(e), query % (user, host)))
def privileges_grant(cursor, user,host,db_table,priv): def privileges_grant(cursor, user,host,db_table,priv):
# Escape '%' since mysql db.execute uses a format string and the # Escape '%' since mysql db.execute uses a format string and the
# specification of db and table often use a % (SQL wildcard) # specification of db and table often use a % (SQL wildcard)
db_table = db_table.replace('%', '%%') db_table = db_table.replace('%', '%%')
priv_string = ",".join(filter(lambda x: x != 'GRANT', priv)) priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv))
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))] query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
query.append("TO %s@%s") query.append("TO %s@%s")
if 'GRANT' in priv: if 'GRANT' in priv:
query.append("WITH GRANT OPTION") query.append(" WITH GRANT OPTION")
if 'REQUIRESSL' in priv:
query.append(" REQUIRE SSL")
query = ' '.join(query) query = ' '.join(query)
cursor.execute(query, (user, host)) try:
cursor.execute(query, (user, host))
except Exception, e:
raise Exception("%s. Query=\"%s\"" % (str(e), query % (user, host)))
def strip_quotes(s): def strip_quotes(s):

Loading…
Cancel
Save