Add priv validation to database_grant provider #91
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The mysql database_grant provider currently has what is arguably a heinous
design flaw. At present:
1. The 'privileges' parameter for the database_grant type, mysql provider,
does not expect the same syntax as the mysql Grant command ('SELECT',
'UPDATE', 'DELETE', etc). Rather, it expects the user to supply column
names used to store raw grants in the mysql.db or mysql.user tables
internally ('Select_priv', 'Update_priv', 'Delete_priv', etc).
2. If a user supplies `privileges => [ 'SELECT', 'INSERT' ]` instead of
`privileges => [ 'Select_priv', 'Insert_priv' ]`, the provider fails
silently and will continuously attempt to update the privileges with
each successive puppet run. In the specific example provided, all privs
for the user/db will be set to false since e.g. 'INSERT' does not match
any valid privilege.
Unfortunately it doesn't look simple to modify the provider such that the
intuitive SELECT, DELETE, etc. keywords can be used without changing
existing behavior. Leaving that alone for now, it *is* pretty simple to add
a validation function that will at least fail cleanly if non-functional
privilege values are supplied that don't mean anything to the provider. If
the user is trying to use valid MySQL Grant syntax, the new validation
procedure will recognize this and suggest a correction. Hopefully giving
users this kind of warning will clue them in to what kind of input the
provider expects.
|
+1. Appears to add helpful error checking. It doesn't look like this could be done in the |
branan
pushed a commit
that referenced
this pull request
Aug 24, 2012
Add priv validation to database_grant provider
pmcmaw
pushed a commit
to pmcmaw/puppetlabs-mysql
that referenced
this pull request
Mar 3, 2021
pdksync - (MODULES-8444) - Raise lower Puppet bound
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The mysql database_grant provider currently has what is arguably a heinous design flaw. At present:
privileges => [ 'SELECT', 'INSERT' ]instead ofprivileges => [ 'Select_priv', 'Insert_priv' ], the provider fails silently and will continuously attempt to update the privileges with each successive puppet run. In the specific example provided, all privs for the user/db will be set to false since e.g. 'INSERT' does not match any valid privilege.Unfortunately it doesn't look simple to modify the provider such that the intuitive SELECT, DELETE, etc. keywords can be used without changing existing behavior. Leaving that alone for now, it is pretty simple to add a validation function that will at least fail cleanly if non-functional privilege values are supplied that don't mean anything to the provider. If the user is trying to use valid MySQL Grant syntax, the new validation procedure will recognize this and suggest a correction. Hopefully giving users this kind of warning will clue them in to what kind of input the provider expects.