mysql_user.present with - password: null Should Clear the Password for the User #5550

Closed
kevinastone opened this issue Jun 14, 2013 · 6 comments · Fixed by #6173
Labels
Bug broken, incorrect, or confusing behavior

@kevinastone
Contributor

Right now, mysql.user_exists accepts password=None which skips checking the password when None, preventing the system from clearing passwords already set on a user.

@basepi
Contributor

basepi commented Jun 14, 2013

We'll look into this. Thanks!

@terminalmage
Contributor

@kevinastone I've added the ability to clear the password in #6173. The usage for this would be to omit both the password and password_hash options from your mysql_user.present state, and add a new allow_passwordless option, like so:

foo:
  mysql_user.present:
    - allow_passwordless: True

@kevinastone
Contributor Author

Thanks. This creates a bit of a special case though that I was trying to avoid since these database parameters are stored in pillars. It would be easier for the password of null to be passed through correctly.

db-user:
    mysql_user.present:
        - name: {{ pillar["db"]["user"] }}
        - password: {{ pillar["db"]["password"] }}
        - host: '%'

Your implementation requires some Jinja trickery:

db-user:
    mysql_user.present:
        - name: {{ pillar["db"]["user"] }}
        {% if not pillar['db']['password'] %}
        - allow_passwordless: true
        {% else %}
        - password: {{ pillar["db"]["password"] }}
        {% endif %}
        - host: '%'

@terminalmage
Contributor

Well, for the sake of security, I felt it was important to force a passwordless login to be an intentional action.

@kevinastone
Contributor Author

Okay, but let's make allow_passwordless a flag and not an override of password. That way, I can always specify allow_passwordless: true and it will either set an empty password or a real password based on the pillar data.

+    if password:
+        qry += ' AND Password = PASSWORD(\'{0}\')'.format(password)
+    elif salt.utils.is_true(passwordless):
+        qry += ' AND Password = \'\''
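
Review bot: the `if password:` branch formats `password` straight into the SQL text (`PASSWORD(\'{0}\')'.format(password)`), so a password containing a single quote or backslash breaks or alters the query; pass the value as a bound parameter to the cursor's execute call instead of building the string with `.format()`. Also note that when `password` is empty and `passwordless` is not true, neither branch adds a condition, so the check matches the user whatever password is stored; a comment saying this is intended would help.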

@terminalmage
Contributor

It's not an override. That bit of code you're referencing is from the mysql.user_exists function. It's not changing anything, it's merely checking to see if there is a user for the specified host with an empty password.

If you look at the mysql_user state in my pull request, specifically this chunk, it should be pretty clear that allow_passwordless is a flag. It defaults to False, but it can be set to True and will still let you set a password if neither a password nor a hash has been specified.
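
The flag semantics discussed in this thread, as an added sketch that is not Salt's code or the code from #6173: a password or hash wins when present, and an empty password is only checked for when `allow_passwordless` is explicitly true. The function names, the `ValueError`, the `User`/`Host` columns and the DB-API `%s` bound-parameter style are assumptions made for illustration.

```python
def resolve_auth(password=None, password_hash=None, allow_passwordless=False):
    """Pick the credential check to apply (hypothetical helper).

    A null pillar value arrives here as None; it only means "passwordless"
    when the caller has also opted in with allow_passwordless=True.
    """
    if password:
        return ("password", password)
    if password_hash:
        return ("hash", password_hash)
    if allow_passwordless is True:
        return ("passwordless", None)
    raise ValueError("no password or hash given and allow_passwordless is not set")


def user_exists_query(user, host, password=None, password_hash=None,
                      allow_passwordless=False):
    """Return (sql, params) suitable for cursor.execute(sql, params).

    Every caller-supplied value is a bound parameter, so a quote inside a
    password cannot change the shape of the query.
    """
    mode, secret = resolve_auth(password, password_hash, allow_passwordless)
    sql = "SELECT User, Host FROM mysql.user WHERE User = %s AND Host = %s"
    params = [user, host]
    if mode == "password":
        sql += " AND Password = PASSWORD(%s)"
        params.append(secret)
    elif mode == "hash":
        # Assumption: the Password column stores the hash itself.
        sql += " AND Password = %s"
        params.append(secret)
    else:
        sql += " AND Password = ''"
    return sql, tuple(params)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(user_exists_query("app", "%", password="it's a secret"))
    print(user_exists_query("app", "%", allow_passwordless=True))
```

With this shape a state can always pass `allow_passwordless: true` alongside a pillar-supplied password, which is the usage requested above, while a null password without the flag is rejected instead of silently matching any stored password.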

terminalmage added a commit to terminalmage/salt that referenced this issue Jul 18, 2013
This commit adds the ability to set a passwordless login. This
functionality requires a new keyword argument (allow_passwordless) be
True.

Fixes saltstack#5550.
terminalmage added a commit that referenced this issue Jul 18, 2013
This commit adds the ability to set a passwordless login. This
functionality requires a new keyword argument (allow_passwordless) be
True.

Fixes #5550.