mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			298 lines
		
	
	
	
		
			11 KiB
		
	
	
	
		
			Python
		
	
	
		
			Executable file
		
	
	
	
	
			
		
		
	
	
			298 lines
		
	
	
	
		
			11 KiB
		
	
	
	
		
			Python
		
	
	
		
			Executable file
		
	
	
	
	
| #!/usr/bin/python
 | |
| 
 | |
| # (c) 2012, Mark Theunissen <mark.theunissen@gmail.com>
 | |
| # Sponsored by Four Kitchens http://fourkitchens.com.
 | |
| #
 | |
| # This file is part of Ansible
 | |
| #
 | |
| # Ansible is free software: you can redistribute it and/or modify
 | |
| # it under the terms of the GNU General Public License as published by
 | |
| # the Free Software Foundation, either version 3 of the License, or
 | |
| # (at your option) any later version.
 | |
| #
 | |
| # Ansible is distributed in the hope that it will be useful,
 | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| # GNU General Public License for more details.
 | |
| #
 | |
| # You should have received a copy of the GNU General Public License
 | |
| # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: mysql_user
 | |
| short_description: Adds or removes a user from a MySQL database.
 | |
| description:
 | |
|    - Adds or removes a user from a MySQL database.
 | |
| version_added: "0.6"
 | |
| options:
 | |
|   name:
 | |
|     description:
 | |
|       - name of the user (role) to add or remove
 | |
|     required: true
 | |
|     default: null
 | |
|   password:
 | |
|     description:
 | |
|       - set the user's password
 | |
|     required: false
 | |
|     default: null
 | |
|   host:
 | |
|     description:
 | |
|       - the 'host' part of the MySQL username
 | |
|     required: false
 | |
|     default: localhost
 | |
|   login_user:
 | |
|     description:
 | |
|       - The username used to authenticate with
 | |
|     required: false
 | |
|     default: null
 | |
|   login_password:
 | |
|     description:
 | |
|       - The password used to authenticate with
 | |
|     required: false
 | |
|     default: null
 | |
|   login_host:
 | |
|     description:
 | |
|       - Host running the database
 | |
|     required: false
 | |
|     default: localhost
 | |
|   priv:
 | |
|     description:
 | |
|       - "MySQL privileges string in the format: C(db.table:priv1,priv2)"
 | |
|     required: false
 | |
|     default: null
 | |
|   state:
 | |
|     description:
 | |
|       - The database state
 | |
|     required: false
 | |
|     default: present
 | |
|     choices: [ "present", "absent" ]
 | |
| examples:
 | |
|    - code: mysql_user name=bob password=12345 priv=*.*:ALL state=present
 | |
|      description: Create database user with name 'bob' and password '12345' with all database privileges
 | |
|    - code: mysql_user login_user=root login_password=123456 name=sally state=absent
 | |
|      description: Ensure no user named 'sally' exists, also passing in the auth credentials.
 | |
|    - code: mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL
 | |
|      description: Example privileges string format
 | |
| notes:
 | |
|    - Requires the MySQLdb Python package on the remote host. For Ubuntu, this
 | |
|      is as easy as apt-get install python-mysqldb.
 | |
|    - Both C(login_password) and C(login_username) are required when you are
 | |
|      passing credentials. If none are present, the module will attempt to read
 | |
|      the credentials from C(~/.my.cnf), and finally fall back to using the MySQL
 | |
|      default login of 'root' with no password.
 | |
| requirements: [ "ConfigParser", "MySQLdb" ]
 | |
| author: Mark Theunissen
 | |
| '''
 | |
| 
 | |
| import ConfigParser
 | |
| try:
 | |
|     import MySQLdb
 | |
| except ImportError:
 | |
|     mysqldb_found = False
 | |
| else:
 | |
|     mysqldb_found = True
 | |
| 
 | |
| # ===========================================
 | |
| # MySQL module specific support methods.
 | |
| #
 | |
| 
 | |
| def user_exists(cursor, user, host):
 | |
|     cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host))
 | |
|     count = cursor.fetchone()
 | |
|     return count[0] > 0
 | |
| 
 | |
| def user_add(cursor, user, host, password, new_priv):
 | |
|     cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password))
 | |
|     if new_priv is not None:
 | |
|         for db_table, priv in new_priv.iteritems():
 | |
|             privileges_grant(cursor, user,host,db_table,priv)
 | |
|     return True
 | |
| 
 | |
| def user_mod(cursor, user, host, password, new_priv):
 | |
|     changed = False
 | |
| 
 | |
|     # Handle passwords.
 | |
|     if password is not None:
 | |
|         cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
 | |
|         current_pass_hash = cursor.fetchone()
 | |
|         cursor.execute("SELECT PASSWORD(%s)", (password,))
 | |
|         new_pass_hash = cursor.fetchone()
 | |
|         if current_pass_hash[0] != new_pass_hash[0]:
 | |
|             cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password))
 | |
|             changed = True
 | |
| 
 | |
|     # Handle privileges.
 | |
|     if new_priv is not None:
 | |
|         curr_priv = privileges_get(cursor, user,host)
 | |
| 
 | |
|         # If the user has privileges on a db.table that doesn't appear at all in
 | |
|         # the new specification, then revoke all privileges on it.
 | |
|         for db_table, priv in curr_priv.iteritems():
 | |
|             if db_table not in new_priv:
 | |
|                 privileges_revoke(cursor, user,host,db_table)
 | |
|                 changed = True
 | |
| 
 | |
|         # If the user doesn't currently have any privileges on a db.table, then
 | |
|         # we can perform a straight grant operation.
 | |
|         for db_table, priv in new_priv.iteritems():
 | |
|             if db_table not in curr_priv:
 | |
|                 privileges_grant(cursor, user,host,db_table,priv)
 | |
|                 changed = True
 | |
| 
 | |
|         # If the db.table specification exists in both the user's current privileges
 | |
|         # and in the new privileges, then we need to see if there's a difference.
 | |
|         db_table_intersect = set(new_priv.keys()) & set(curr_priv.keys())
 | |
|         for db_table in db_table_intersect:
 | |
|             priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
 | |
|             if (len(priv_diff) > 0):
 | |
|                 privileges_revoke(cursor, user,host,db_table)
 | |
|                 privileges_grant(cursor, user,host,db_table,new_priv[db_table])
 | |
|                 changed = True
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def user_delete(cursor, user, host):
 | |
|     cursor.execute("DROP USER %s@%s", (user,host))
 | |
|     return True
 | |
| 
 | |
| def privileges_get(cursor, user,host):
 | |
|     """ MySQL doesn't have a better method of getting privileges aside from the
 | |
|     SHOW GRANTS query syntax, which requires us to then parse the returned string.
 | |
|     Here's an example of the string that is returned from MySQL:
 | |
| 
 | |
|      GRANT USAGE ON *.* TO 'user'@'localhost' IDENTIFIED BY 'pass';
 | |
| 
 | |
|     This function makes the query and returns a dictionary containing the results.
 | |
|     The dictionary format is the same as that returned by privileges_unpack() below.
 | |
|     """
 | |
|     output = {}
 | |
|     cursor.execute("SHOW GRANTS FOR %s@%s", (user,host))
 | |
|     grants = cursor.fetchall()
 | |
|     for grant in grants:
 | |
|         res = re.match("GRANT\ (.+)\ ON\ (.+)\ TO", grant[0])
 | |
|         if res is None:
 | |
|             module.fail_json(msg="unable to parse the MySQL grant string")
 | |
|         privileges = res.group(1).split(", ")
 | |
|         privileges = ['ALL' if x=='ALL PRIVILEGES' else x for x in privileges]
 | |
|         db = res.group(2).replace('`', '')
 | |
|         output[db] = privileges
 | |
|     return output
 | |
| 
 | |
| def privileges_unpack(priv):
 | |
|     """ Take a privileges string, typically passed as a parameter, and unserialize
 | |
|     it into a dictionary, the same format as privileges_get() above. We have this
 | |
|     custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
 | |
|     of a privileges string:
 | |
| 
 | |
|      mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanother.*:ALL
 | |
| 
 | |
|     The privilege USAGE stands for no privileges, so we add that in on *.* if it's
 | |
|     not specified in the string, as MySQL will always provide this by default.
 | |
|     """
 | |
|     output = {}
 | |
|     for item in priv.split('/'):
 | |
|         pieces = item.split(':')
 | |
|         output[pieces[0]] = pieces[1].upper().split(',')
 | |
| 
 | |
|     if '*.*' not in output:
 | |
|         output['*.*'] = ['USAGE']
 | |
| 
 | |
|     return output
 | |
| 
 | |
| def privileges_revoke(cursor, user,host,db_table):
 | |
|     query = "REVOKE ALL PRIVILEGES ON %s FROM '%s'@'%s'" % (db_table,user,host)
 | |
|     cursor.execute(query)
 | |
| 
 | |
| def privileges_grant(cursor, user,host,db_table,priv):
 | |
|     priv_string = ",".join(priv)
 | |
|     query = "GRANT %s ON %s TO '%s'@'%s'" % (priv_string,db_table,user,host)
 | |
|     cursor.execute(query)
 | |
| 
 | |
| def load_mycnf():
 | |
|     config = ConfigParser.RawConfigParser()
 | |
|     mycnf = os.path.expanduser('~/.my.cnf')
 | |
|     if not os.path.exists(mycnf):
 | |
|         return False
 | |
|     try:
 | |
|         config.readfp(open(mycnf))
 | |
|         creds = dict(user=config.get('client', 'user'),password=config.get('client', 'pass'))
 | |
|     except (ConfigParser.NoOptionError, IOError):
 | |
|         return False
 | |
|     return creds
 | |
| 
 | |
| # ===========================================
 | |
| # Module execution.
 | |
| #
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         argument_spec = dict(
 | |
|             login_user=dict(default=None),
 | |
|             login_password=dict(default=None),
 | |
|             login_host=dict(default="localhost"),
 | |
|             login_unix_socket=dict(default=None),
 | |
|             user=dict(required=True, aliases=['name']),
 | |
|             password=dict(default=None),
 | |
|             host=dict(default="localhost"),
 | |
|             state=dict(default="present", choices=["absent", "present"]),
 | |
|             priv=dict(default=None),
 | |
|         )
 | |
|     )
 | |
|     user = module.params["user"]
 | |
|     password = module.params["password"]
 | |
|     host = module.params["host"]
 | |
|     state = module.params["state"]
 | |
|     priv = module.params["priv"]
 | |
| 
 | |
|     if not mysqldb_found:
 | |
|         module.fail_json(msg="the python mysqldb module is required")
 | |
| 
 | |
|     if priv is not None:
 | |
|         try:
 | |
|             priv = privileges_unpack(priv)
 | |
|         except:
 | |
|             module.fail_json(msg="invalid privileges string")
 | |
| 
 | |
|     # Either the caller passes both a username and password with which to connect to
 | |
|     # mysql, or they pass neither and allow this module to read the credentials from
 | |
|     # ~/.my.cnf.
 | |
|     login_password = module.params["login_password"]
 | |
|     login_user = module.params["login_user"]
 | |
|     if login_user is None and login_password is None:
 | |
|         mycnf_creds = load_mycnf()
 | |
|         if mycnf_creds is False:
 | |
|             login_user = "root"
 | |
|             login_password = ""
 | |
|         else:
 | |
|             login_user = mycnf_creds["user"]
 | |
|             login_password = mycnf_creds["password"]
 | |
|     elif login_password is None or login_user is None:
 | |
|         module.fail_json(msg="when supplying login arguments, both login_user and login_password must be provided")
 | |
| 
 | |
|     try:
 | |
|         if module.params["login_unix_socket"] != None:
 | |
|             db_connection = MySQLdb.connect(host=module.params["login_host"], unix_socket=module.params["login_unix_socket"], user=login_user, passwd=login_password, db="mysql")
 | |
|         else:
 | |
|             db_connection = MySQLdb.connect(host=module.params["login_host"], user=login_user, passwd=login_password, db="mysql")
 | |
|         cursor = db_connection.cursor()
 | |
|     except Exception as e:
 | |
|         module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials")
 | |
| 
 | |
|     if state == "present":
 | |
|         if user_exists(cursor, user, host):
 | |
|             changed = user_mod(cursor, user, host, password, priv)
 | |
|         else:
 | |
|             if password is None:
 | |
|                 module.fail_json(msg="password parameter required when adding a user")
 | |
|             changed = user_add(cursor, user, host, password, priv)
 | |
|     elif state == "absent":
 | |
|         if user_exists(cursor, user, host):
 | |
|             changed = user_delete(cursor, user, host)
 | |
|         else:
 | |
|             changed = False
 | |
|     module.exit_json(changed=changed, user=user)
 | |
| 
 | |
| # this is magic, see lib/ansible/module_common.py
 | |
| #<<INCLUDE_ANSIBLE_MODULE_COMMON>>
 | |
| main()
 |