New module to manage mongodb roles/privileges #19686

Open
wants to merge 1 commit into
base: devel
from

Contributor

Lujeni commented Dec 26, 2016

Context

User administrators can create custom roles to ensure collection-level and command-level granularity and to adhere to the policy of least privilege. Administrators create and edit roles using this module.

Tests

Env

python: 2.7.9
pymongo: 2.8 & 3.0.3
mongodb: 3.x

Ansible

# create the role + 1 privilege (insert+find)
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foobar privilege_actions='find,insert' state='present'"

# update the privilege to support only find
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foobar privilege_actions='find' state='present'"

# create a new privilege (foo) on the same role
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foo privilege_actions='find,insert' state='present'"

# drop the first privilege (foobar)
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foobar privilege_actions='find,insert' state='present' privilege_state='absent'"

# drop the second privilege (foo).
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foo privilege_actions='find,insert' state='present' privilege_state='absent'"

# add a new privilege when the role is empty.
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foobar privilege_actions='find,insert' state='present'"

# drop the role.
python ansible/hacking/test-module -m ./ansible-modules-extras/database/misc/mongodb_role.py -a "name=foo_find db=foo privilege_db=foo privilege_collection=foobar privilege_actions='find,insert' state='absent'"

Mongodb

> db.createUser({user: 'ansible', pwd: 'ansible', roles: ['foo_find']})
> use foo
> db.auth('ansible', 'ansible')
> db.foobar.insert({})
WriteResult({
    "writeError" : {
        "code" : 13,
        "errmsg" : "not authorized on foo to execute command { insert: \"foobar\", documents: ...."
    }
})

Thanks
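
The test sequence in the description above creates, narrows, extends and drops privileges on a single role. The following is an added example, not the pull request's module code: it models that reconciliation as a pure function over MongoDB privilege documents (`resource` plus `actions`). The names `reconcile_privileges` and `replay` are hypothetical, and it assumes that `present` replaces the action list rather than merging it and that `privilege_state=absent` removes the whole entry for the resource.

```python
# Added illustration: pure-Python reconciliation of a role's privilege list.
# reconcile_privileges() and replay() are hypothetical names, not the module's.

def reconcile_privileges(current, db, collection, actions, privilege_state="present"):
    """Return (new_privileges, changed) for one role.

    `current` is a list of MongoDB privilege documents:
    {"resource": {"db": ..., "collection": ...}, "actions": [...]}.
    """
    resource = {"db": db, "collection": collection}
    wanted = sorted(set(actions))
    existing = [p for p in current if p["resource"] == resource]
    kept = [p for p in current if p["resource"] != resource]

    if privilege_state == "absent":
        # Assumption: absent drops the whole entry for this resource.
        return kept, bool(existing)
    if not wanted:
        raise ValueError("privilege_actions must not be empty")

    # Replace, never merge: narrowing 'find,insert' to 'find' must revoke
    # insert, otherwise stale actions survive and the role stays too broad.
    new = kept + [{"resource": resource, "actions": wanted}]
    changed = len(existing) != 1 or sorted(set(existing[0]["actions"])) != wanted
    return new, changed


def replay():
    """Replay the description's test sequence against an initially empty role."""
    steps = [  # (privilege_collection, privilege_actions, privilege_state)
        ("foobar", ["find", "insert"], "present"),
        ("foobar", ["find"], "present"),
        ("foo", ["find", "insert"], "present"),
        ("foobar", ["find", "insert"], "absent"),
        ("foo", ["find", "insert"], "absent"),
        ("foobar", ["find", "insert"], "present"),
    ]
    privileges, history = [], []
    for collection, actions, state in steps:
        privileges, changed = reconcile_privileges(privileges, "foo", collection, actions, state)
        history.append((changed, [(p["resource"]["collection"], p["actions"]) for p in privileges]))
    return history


if __name__ == "__main__":
    for changed, privs in replay():
        print(changed, privs)
```

Re-running any step against its own result reports `changed` as false, which is the idempotence an Ansible module is expected to have.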


@jimi-c jimi-c removed the plugin label Jan 4, 2017

@abadger abadger changed the title from New role to manage mongodb roles/privileges to New module to manage mongodb roles/privileges Jan 5, 2017

abadger Jan 5, 2017

Member

Note, ansibot has marked this as needs_revision because it's failing tests. The shippable run shows:

2016-12-26 17:47:26 Compile with Python 3.5
2016-12-26 17:47:26 Run command: python3.5 -m compileall -fq -x /.tox/ ./lib/ansible/modules/database/misc/mongodb_role.py
2016-12-26 17:47:32 *** Error compiling './lib/ansible/modules/database/misc/mongodb_role.py'...
2016-12-26 17:47:32   File "./lib/ansible/modules/database/misc/mongodb_role.py", line 239
2016-12-26 17:47:32     except OperationFailure, e:
2016-12-26 17:47:32                            ^
2016-12-26 17:47:32 SyntaxError: invalid syntax
2016-12-26 17:47:32 
2016-12-26 17:47:32 ERROR: Command "python3.5 -m compileall -fq -x /.tox/ ./lib/ansible/modules/database/misc/mongodb_role.py" returned exit status 1.

Lujeni Feb 10, 2017

Contributor

Hello @abadger,

How can I manage Python 3.5 and the compat with old versions?
Python 2.4 or 2.6 doesn't support the syntax with the `as` keyword, I guess.

ansibot Apr 11, 2017

Contributor

@Lujeni Greetings! Thanks for taking the time to open this pull request. In order for the community to handle your pull request effectively, we need a bit more information.

Here are the items we could not find in your description:

  • issue type

Please set the description of this pull request with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/PULL_REQUEST_TEMPLATE.md

click here for bot help
