
Only revoke GRANT OPTION when user actually has it #3634

Merged
merged 1 commit into from
Aug 2, 2013
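--- a/library/database/mysql_user
+++ b/library/database/mysql_user
@@ -144,6 +144,7 @@ def user_add(cursor, user, host, password, new_priv):
 
 def user_mod(cursor, user, host, password, new_priv):
 changed = False
+grant_option = False
 
 # Handle passwords.
 if password is not None:
@@ -162,9 +163,12 @@ def user_mod(cursor, user, host, password, new_priv):
 # If the user has privileges on a db.table that doesn't appear at all in
 # the new specification, then revoke all privileges on it.
 for db_table, priv in curr_priv.iteritems():
+# If the user has the GRANT OPTION on a db.table, revoke it first.
+if "GRANT" in priv:
+grant_option = True
 if db_table not in new_priv:
 if user != "root" and "PROXY" not in priv:
-privileges_revoke(cursor, user,host,db_table)
+privileges_revoke(cursor, user,host,db_table,grant_option)
 changed = True
 
 # If the user doesn't currently have any privileges on a db.table, then
@@ -180,7 +184,7 @@ def user_mod(cursor, user, host, password, new_priv):
 for db_table in db_table_intersect:
 priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table])
 if (len(priv_diff) > 0):
-privileges_revoke(cursor, user,host,db_table)
+privileges_revoke(cursor, user,host,db_table,grant_option)
 privileges_grant(cursor, user,host,db_table,new_priv[db_table])
 changed = True
 
@@ -243,17 +247,12 @@ def privileges_unpack(priv):
 
 return output
 
-def privileges_revoke(cursor, user,host,db_table):
+def privileges_revoke(cursor, user,host,db_table,grant_option):
+if grant_option:
+query = "REVOKE GRANT OPTION ON %s FROM '%s'@'%s'" % (db_table,user,host)
+cursor.execute(query)
 query = "REVOKE ALL PRIVILEGES ON %s FROM '%s'@'%s'" % (db_table,user,host)
 cursor.execute(query)
-query = "REVOKE GRANT OPTION ON %s FROM '%s'@'%s'" % (db_table,user,host)
-try:
-cursor.execute(query)
-except MySQLdb.OperationalError, e:
-# 1141 -> There is no such grant defined for user ... on host ...
-# If this exception is raised, there is no need to revoke the GRANT privilege
-if e.args[0] != 1141 or not e.args[1].startswith("There is no such grant defined for user"):
-raise e
 
 def privileges_grant(cursor, user,host,db_table,priv):
 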
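Review bot: `grant_option` is set to `True` in the first loop of `user_mod` as soon as one `db_table` carries GRANT and is never reset, so every later `privileges_revoke` call, including the one in the `db_table_intersect` loop, issues `REVOKE GRANT OPTION` for tables where the user may not hold it. With the old handler for error 1141 removed from `privileges_revoke`, such a statement would presumably raise and leave the account's privileges half-changed (the page has lost indentation, so the nesting is inferred). Deciding per table avoids the shared flag: `privileges_revoke(cursor, user,host,db_table,"GRANT" in priv)` in the first loop and `"GRANT" in curr_priv[db_table]` as the last argument in the second. The added `REVOKE GRANT OPTION` line also interpolates `user` and `host` into the SQL text; passing them as `cursor.execute` parameters would keep quoting out of the format string. `user_mod` continues outside the visible hunks.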